
I have a multi-tenant app registered in my Azure tenancy (TENANT A). I am trying to get the groups and group members of tenants that have logged into the app. I have the following permissions set up under App Registrations in TENANT A.

When I signed into the app as an admin user from TENANT B, I had to grant consent for the permissions and login worked as expected.

I want to be able to see all groups/members of TENANT B. I am not sure how to do this. I have tried following the explanations here but am having no luck. I am performing a post to https://login.microsoftonline.com/*TENANT B*/oauth2/v2.0/token and getting a response


However, when I use the response token and call the Graph API https://graph.microsoft.com/v1.0/groups/*GROUP OBJECT ID*/members it says that I have insufficient permissions.

Any help would be much appreciated


b.b.89

  • Could you pls accept an answer below or sum up another answer by yourself to end this case if you don't have any other questions? And if there's any further issue, pls kindly reply here. – Tiny Wang Dec 09 '21 at 09:05

2 Answers


By default, web app/API registrations in Azure AD are single-tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. (see pic below)

Before an application can be made multi-tenant, Azure AD requires the App ID URI of the application to be globally unique. The App ID URI is one of the ways an application is identified in protocol messages. For a single-tenant application, it is sufficient for the App ID URI to be unique within that tenant. For a multi-tenant application, it must be globally unique so Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant.

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant


Ken W - Zero Networks

  • Thank you for your response. I am just confused as the app already is multi-tenant and 'accounts in any organizational directory' was already selected. I am not sure how this helps? – b.b.89 Dec 07 '21 at 23:12
  • Can you show your auth code? – Ken W - Zero Networks Dec 07 '21 at 23:59
  • Also, try to send the request to https://login.microsoftonline.com/common instead of your tenant url. – Ken W - Zero Networks Dec 08 '21 at 00:02
  • Thanks for your help… sorry I am new to this. What auth code are you referring to? I will try sending the request to the common endpoint and let you know how I go! Thanks again – b.b.89 Dec 08 '21 at 00:12
  • Sending the request to common didn't work - says the identity couldn't be established which makes sense as getting a token from the common endpoint shouldn't give permission to view group members of a specific tenant group – b.b.89 Dec 08 '21 at 00:41

You created a multi-tenant application in tenant A for generating an access token and calling the Graph API to get all the groups. When you created the app and it was consented to the API permissions, it would work for tenant A, but not for tenant B, as this app hasn't been registered in tenant B and got the consent there. You may refer to this section and grant tenant-wide admin consent by hitting the URL below. Then you may check if this app appeared in the Azure portal -> Azure AD -> Enterprise applications in tenant B and click the app -> Permissions to see if it has consent.

https://login.microsoftonline.com/{tenant_id_of_tenant_B}/adminconsent?client_id={app_client-id_in_tenant_A}

Tiny Wang

  • Thank you for your response. I have signed into the app using a TENANT B login through msal js and granted consent. When I log in to the azure portal in tenant B, I could always see the multi tenant app there under enterprise applications. It still isn’t working though – b.b.89 Dec 08 '21 at 09:13
  • However, if I use the access token returned to the tenant B user after logging into the app using msal js, the request works – b.b.89 Dec 08 '21 at 09:26
  • You are supposed to do it like this. Using a multi-tenant app here is to avoid creating an application in each tenant. When you generate the access token for a specific tenant, you should use the corresponding tenant information in the request URL. And if you're using the Graph SDK, you also need to change the tenant for different requests. – Tiny Wang Dec 08 '21 at 09:34
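The flow this answer describes, as an added example (not code from the question or either answer): build the tenant B admin consent link, aim the client credentials request at tenant B's own token endpoint rather than /common, and inspect the returned token's tid and roles claims to see why Graph would refuse /groups/{id}/members. The tenant and app ids are placeholders, GroupMember.Read.All is an assumed application permission not named on the page, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical identifiers; replace with your own tenant and app values.
TENANT_B = "00000000-0000-0000-0000-00000000000b"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permission assumed to be granted to the registration (not stated on the page).
REQUIRED_ROLE = "GroupMember.Read.All"

def admin_consent_url(tenant_id: str, client_id: str) -> str:
    """Tenant-wide admin consent link an admin of tenant B must open once."""
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}"

def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Client-credentials request aimed at tenant B's own endpoint, not /common."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body

def decode_claims(jwt: str) -> dict:
    """Decode the payload only (no signature check) to inspect tid/roles before calling Graph."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_fit_for_tenant(jwt: str, tenant_id: str, role: str) -> tuple:
    """Explain a 403 from /groups/{id}/members: wrong tenant, or consent missing so no roles."""
    claims = decode_claims(jwt)
    if claims.get("tid") != tenant_id:
        return False, f"token issued for tenant {claims.get('tid')}, not {tenant_id}"
    if role not in claims.get("roles", []):
        return False, f"no {role} app role in token: admin consent in {tenant_id} not granted"
    return True, "ok"

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg=none, no signature) for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    print(token_fit_for_tenant(make_unsigned_jwt({"tid": TENANT_B}), TENANT_B, REQUIRED_ROLE))
```

A token whose roles claim is empty or missing is exactly what a tenant B admin consent that was never granted produces, so checking the claims before the Graph call turns a bare "insufficient permissions" into an actionable cause.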