I am working with Graph Explorer to experiment with permissions:

https://developer.microsoft.com/en-us/graph/graph-explorer

When I authenticate to Graph Explorer, it always sends queries to the AD tenant that my identity is created in.

However, the identity I am using can query multiple Azure AD tenants.

How can I change the default tenant in Graph Explorer?

Marc LaFleur
Allan Xu

3 Answers

33

If you want to sign into your own tenant in Graph Explorer, use the tenant query string parameter.

https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=contoso.onmicrosoft.com

A simple URL to go to Graph Explorer is https://aka.ms/ge; when you land on the destination, just add the tenant query string parameter (domain name or tenant ID; both work).

If you are already signed into a tenant, you will have to log out from there. Currently, automatic switching of tenants is not supported.

Abhishek Agrawal
0

Create a service account in the tenant you want to access.

  1. Create a service account with the appropriate access/groups in the target tenant.
  2. In a clean/private window, bring up https://aka.ms/ge (the Graph Explorer). Note that the test tenant will be engaged.
  3. Select the user button and initiate a login with the credentials set up in step 1.
  4. Run the first GET, "Get My Profile", to verify that the logged-in service account is found.
ΩmegaMan
-3

This is fundamentally how Microsoft Graph works, it retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.

Marc LaFleur
  • The login dialog automatically authenticates me to a specific tenant. How can I change my tenant login when I can log in to multiple tenants with the same identity? – Allan Xu Nov 16 '18 at 21:10
  • You need to use an identity owned by the tenant you want to query. It determines which tenant to authenticate against based on the email/upn you use. – Marc LaFleur Nov 16 '18 at 22:00
  • Can you confirm that if an identity is used by multiple tenants, it can only Graph query only one tenant? – Allan Xu Nov 16 '18 at 23:16
  • 1
    Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on; it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth URI to use that tenant's ID instead of "common". This isn't supported by Explorer. You'd have to download the source and reengineer the auth process. – Marc LaFleur Nov 17 '18 at 00:35
  • 1
    Thank you for help. Just to clarify. My identity has admin right on the other tenants. Is it still considered a guest? – Allan Xu Nov 17 '18 at 02:42
  • 1
    It isn't about permissions, it's about which tenant that userPrincipalName maps to. – Marc LaFleur Nov 19 '18 at 14:42
  • @MarcLaFleur ok but then how is it possible to use the Graph API for another tenant if an user is within multiple tenants? – toto' Mar 30 '20 at 13:06
  • A user isn't really in multiple tenants; they're owned by one and guests in all others. In order to authenticate a guest into Graph you need to specify a `/{tenant}/` rather than `/common` in your OAuth URL. Note that this will not provide access to any data within their account's tenant (i.e. /me/messages won't show their inbox). – Marc LaFleur Mar 30 '20 at 18:40
  • This answer is outdated. Graph Explorer now supports signing into another tenant, which might not be your home tenant. – Abhishek Agrawal Jul 10 '20 at 18:59
  • That isn't correct, this answer is still accurate. You can only query the tenant you've authenticated with. You cannot authenticate with `mysite.onmicrosoft.com` and query data from `someothersite.onmicrosoft.com`. It has nothing to do with Graph Explorer. – Marc LaFleur Jul 13 '20 at 20:28
  • 3
    This answer is not currently correct, whereas the answer by @AbhishekAgrawal works. It's worth noting the caveat with respect to not being able to switch tenant, so I mostly start in a new incognito window to avoid trouble. So, I have for example these two scenarios working: 1) Access `?tenant=client1.onmicrosoft.com`, login as `myself@provider.com`, now queries `client1.onmicrosoft.com`. 2) Access `?tenant=client2.onmicrosoft.com`, login as `myself@provider.com`, now queries `client2.onmicrosoft.com`. – Eirik Lygre Feb 05 '22 at 12:47