
Since we have Azure AD's B2B feature in GA, I am curious how to make use of B2B in multi-tenant applications. More specifically, how to get a list of directories which the user is member of? For example, the Azure Portal does this by calling https://portal.azure.com/AzureHubs/api/tenants/List, Microsoft's My Apps calls https://account.activedirectory.windowsazure.com/responsive/multidirectoryinfo to get the information - is there a public endpoint for this?

The use case is to enable B2B cooperation across a multi-tenant application which is provisioned in each user's directory so they have their own instances, but there is no way to centrally pull the information about user's directories.

A simple workaround would be to query all tenants which have the application provisioned for the user's UPN and if found, display it in the list, but imagine if there were hundreds of tenants... I believe that this is quite crucial for app developers who want to leverage the B2B functions in multi-tenant applications.

Update: It seems like there is a way to do this by accessing the Azure Service Management API, however this API and method is undocumented and I suppose that if any issues would occur, Microsoft would say that it is not a supported scenario.

Update 2: I wrote an article about the whole setup, including a sample project of how to make use of this in a scenario, it can be found here https://hajekj.net/2017/07/24/creating-a-multi-tenant-application-which-supports-b2b-users/

Jan Hajek

1 Answer


There is a publicly documented Azure Management API that allows you to do this: https://learn.microsoft.com/en-us/rest/api/resources/tenants

GET https://management.azure.com/tenants?api-version=2016-06-01 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...
...

The response body looks something like this:

{
    "value" : [{
            "id" : "/tenants/d765d508-7139-4851-b9c5-74d6dbb1edf0",
            "tenantId" : "d765d508-7139-4851-b9c5-74d6dbb1edf0"
        }, {
            "id" : "/tenants/845415f3-7a05-45c2-8376-ee67080661e2",
            "tenantId" : "845415f3-7a05-45c2-8376-ee67080661e2"
        }, {
            "id" : "/tenants/97bcb93f-8dee-48ed-afa3-356ba40f3a61",
            "tenantId" : "97bcb93f-8dee-48ed-afa3-356ba40f3a61"
        }
    ]
}

The resource for which you need to acquire an access token is https://management.azure.com/ (with the trailing slash!).

Philippe Signoret
  • Oh, missed that one! One more thing, this doesn't seem to return the tenant's name, how do I pull that one? Eventually so that I only have one request to make? – Jan Hajek Jul 22 '17 at 06:09
  • If we stick with publicly documented and supported APIs, you'd need to get an access token to Azure AD for each tenant and call Azure AD Graph API's [`/tenantDetails`](https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#tenantdetail-entity) or Microsoft Graph API's [`/organization`](https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/organization_get). – Philippe Signoret Jul 22 '17 at 09:35
  • That was the same thing I figured, but the thing is I would have to go with all the tokens and things - it is not impossible, but the process would be really complicated. I will wait a bit if we can get any clarification from Microsoft on this one. – Jan Hajek Jul 22 '17 at 15:08
  • Building a multi-tenant app that takes into account the various tenants that a given user can be in (in addition to their "home" tenant) is, indeed, one of the more complex scenarios. That said, I'm fairly [confident](https://stackoverflow.com/users/325697/philippe-signoret?tab=profile) that there isn't any other publicly supported API (yet) for this. – Philippe Signoret Jul 22 '17 at 20:41
  • Oh, sorry, overlooked your status! Well, it would be great if something like this was added to Microsoft Graph though. I mean, if you list the tenants on behalf of the user, the tenant names aren't really a secret because you can obtain them, just the process is way harder. – Jan Hajek Jul 23 '17 at 06:41
  • Can you submit that as a request here? https://feedback.azure.com/forums/169401-azure-active-directory/category/164757-developer-experiences – Philippe Signoret Jul 24 '17 at 15:14
  • Thanks, posted here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20250751-add-support-to-list-directories-that-the-user-is-m, also I wrote a blog post about how to make a B2B aware multitenant application here: https://hajekj.net/2017/07/24/creating-a-multi-tenant-application-which-supports-b2b-users/ – Jan Hajek Jul 24 '17 at 18:54
  • So the Azure Portal API (`https://portal.azure.com/AzureHubs/api/tenants/List`) just stopped working today... Any idea why? – Jan Hajek Sep 07 '17 at 08:55
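As an added example (not code from the question, the answer, or the linked blog post), here is a small Python client for the documented `GET /tenants` call from the answer above. It follows `nextLink` paging and, before calling, checks that the token's `aud` claim is the ARM resource with the trailing slash the answer warns about; that check assumes a v1-endpoint token whose audience is the resource URI. The `http_get` parameter and `make_unsigned_test_token` helper are assumptions added so the logic can be exercised offline.

```python
import base64
import json
import urllib.request

# Resource / audience for Azure Resource Manager, with the trailing slash the answer calls out.
ARM_RESOURCE = "https://management.azure.com/"
TENANTS_URL = "https://management.azure.com/tenants?api-version=2016-06-01"


def token_audience(access_token):
    """Read the 'aud' claim from a JWT without verifying it.

    This is only a local sanity check for the trailing-slash mistake; ARM still
    validates the token. Assumes a v1-endpoint token whose 'aud' is the resource URI.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def _http_get_json(url, access_token):
    """Default transport: a real GET against ARM with the bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_user_tenants(access_token, http_get=_http_get_json):
    """Return the tenant IDs the token's user is a member of, following nextLink paging."""
    aud = token_audience(access_token)
    if aud != ARM_RESOURCE:
        raise ValueError("token audience is %r, expected %r" % (aud, ARM_RESOURCE))
    tenant_ids, url = [], TENANTS_URL
    while url:
        page = http_get(url, access_token)
        tenant_ids.extend(t["tenantId"] for t in page.get("value", []))
        url = page.get("nextLink")  # absent on the last page
    return tenant_ids


def make_unsigned_test_token(aud):
    """Construct a fake, unsigned JWT (offline tests only; ARM would reject it)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64({"aud": aud}) + "."
```

With a real token, `list_user_tenants(token)` uses the default transport; resolving each tenant's display name still needs a per-tenant token and a call to `/organization` as the comments describe.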