
I'm working on an ASP.NET Core MVC application which requires a user to sign in to the application registered in Tenant A as a multi-tenant app and available in Tenant A, B and C.

Users logging in to the app in Tenant A can use the app to get information from all tenants which enrolled the app (so A, B, C) and to which the user has access via the Graph API.

By using the tag [AuthorizeForScopes(ScopeKeySection = "AllRequiredScopes")], exceptions regarding access to the Graph API for the tenant of the currently signed-in user are handled just fine in the controller. This means if a user from Tenant A is logged in to the app, Graph API requests for tenant A which cause an exception are handled as expected.

However, if the user from tenant A wants to get data from tenant B, the tag does not redirect him to the correct endpoint. The user is always sent to https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?..., which takes the default account (tenant A in the scenario). Obviously, this does not help in correcting error conditions like the user not being logged in to tenant B, missing consent, or similar.

Is there a way to modify the tag to use the tenant endpoint instead of the common endpoint, or how can this be handled?

Thank you!

Agyss

1 Answer


I tried to reproduce this in my environment and got the results below:

I created an Azure AD multi-tenant application in TenantA:


For the application to be accessed by TenantB and TenantC I used the organizations endpoint and generated the code:

https://login.microsoftonline.com/organizations/oauth2/authorize?
client_id=TenantAappID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

I logged in with a TenantB user:


To generate an access token, I used the parameters below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/token

client_id:TenantAappID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret


Using the above token, I called the /me Graph endpoint as below:

https://graph.microsoft.com/v1.0/me


However, if the user from tenant A wants to get data from tenant B, the tag does not redirect him to the correct endpoint.

Note that the [AuthorizeForScopes] attribute is used to provide the scopes necessary for a certain controller action or method.

  • It is used to check if the authenticated user has the required permissions to perform the action.
  • And it doesn't provide a way to dynamically switch the tenant for the authentication context.

When I tried to use the TenantID so that TenantA can access TenantB, I got the error below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:TenantAappID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret


So, if you want TenantA to access TenantB, you can generate a different access token by creating a multi-tenant application in TenantB.

Rukmini
  • All of what you are saying is correct. However, I want to stay signed in to tenant A and, during this session, get a token which is valid for tenant B to eventually store information of tenant B in the app started in tenant A. Of course the user has to be present in both tenants for this to work, which was not the case in your example. – Agyss Mar 30 '23 at 16:50
  • In other words it could be said as: app registration login to the same app on multiple tenants with the same user simultaneously. The only precondition is that the user is of course already a member or guest in all tenants. – Agyss Mar 30 '23 at 17:45
  • Could you please confirm what is the exact requirement? – Rukmini Mar 30 '23 at 17:47
  • I will try my best. Precondition is: User A is a member of Tenant A and a guest in B. The app is registered in Tenant A as a multi-tenant application and consent for it is given in Tenant A and B, so it's available in both tenants as an enterprise app to User A. User A logs into the enterprise app in tenant A. The app now has a button "Get all users from all tenants I have access to and where app consent is given". This collects all users from Tenant A and Tenant B and presents them to the user in a table, showing the respective username + tenant name. – Agyss Mar 30 '23 at 17:53
  • This works super smooth for tenant A, however, as the user is not currently signed into the app in tenant B, it will throw an error. I want a way to handle this error in a way the user stays signed into the app in tenant A while being able to get the data from tenant B. – Agyss Mar 30 '23 at 17:55
  • The technology I use is asp.net core MVC, so the requests to Graph API to get the users is done in a controller or service. – Agyss Mar 30 '23 at 17:56
  • For compliance reasons, I can only use delegated permissions and no application permissions. – Agyss Mar 30 '23 at 18:03
  • I believe you can create an application on tenant B and give it the API permissions you need. When you want to request data from tenant B, you authenticate using the client ID and secret for the Graph SDK inside your .NET MVC app. – Leo Barbas Jul 06 '23 at 08:53
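The delegated-only scenario the asker describes (signed in to tenant A, Graph call into tenant B as a guest), as an added example that is not code from any poster: it assumes Microsoft.Identity.Web's ITokenAcquisition.GetAccessTokenForUserAsync(scopes, tenantId: ...) overload and the standard OpenIdConnect handler, with .NET web SDK implicit usings; the action deliberately omits [AuthorizeForScopes] so that the challenge can be pointed at the target tenant's authorize endpoint rather than /organizations. The action name, the "target_tenant" item key and the User.Read.All scope are hypothetical choices.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

// Added example, not from the post: delegated Graph call into a target tenant (Microsoft.Identity.Web).
public class TenantUsersController(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory) : Controller
{
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read.All" };

    // GET /TenantUsers/List?tenantId=<tenant B id>
    public async Task<IActionResult> List(string tenantId)
    {
        // Accept only a GUID: the value is later placed in an authority URL.
        if (!Guid.TryParse(tenantId, out _)) return BadRequest("tenantId must be a GUID");
        try
        {
            // Same signed-in user, tenant B authority: MSAL redeems the cached refresh
            // token against tenant B, which succeeds when the user is a member or guest there.
            string token = await tokenAcquisition.GetAccessTokenForUserAsync(GraphScopes, tenantId: tenantId);
            var client = httpClientFactory.CreateClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            return Content(await client.GetStringAsync("https://graph.microsoft.com/v1.0/users?$select=userPrincipalName"), "application/json");
        }
        catch (MicrosoftIdentityWebChallengeUserException)
        {
            // Sign-in, consent or MFA is needed in tenant B. Record the target tenant on the
            // challenge so the redirect goes to that tenant's authorize endpoint, not /organizations.
            var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(List), new { tenantId }) };
            props.Items["target_tenant"] = tenantId;
            return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
        }
    }
}

// Call builder.Services.AddTenantTargetedChallenge() after AddMicrosoftIdentityWebApp(...).
public static class TenantChallengeExtensions
{
    public static IServiceCollection AddTenantTargetedChallenge(this IServiceCollection services) =>
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            var inner = options.Events.OnRedirectToIdentityProvider; // keep the library's own handler
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                if (inner != null) await inner(ctx);
                if (ctx.Properties.Items.TryGetValue("target_tenant", out var tid) && Guid.TryParse(tid, out _))
                    ctx.ProtocolMessage.IssuerAddress = $"https://login.microsoftonline.com/{tid}/oauth2/v2.0/authorize";
            };
        });
}
```

The silent path is the one that keeps the tenant A session untouched; when the interactive challenge is taken, the app cookie is reissued from the id_token that tenant B returns, so the signed-in principal's tid changes for the rest of that session.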