I am currently using an Azure AD app (Client Id and Client Secret) of one directory to get users' details and Azure resources of the attached subscription through MS Graph and the Azure Management API. Now I have added one more directory and subscription under my management group. I want to know: if I created a multi-tenant Azure AD app through App registration, can I access the users of the other directory? If yes, what configurations are required?
-
Is your application a multi-tenant application? – Carl Zhao Feb 17 '21 at 05:38
-
see: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant – Carl Zhao Feb 17 '21 at 05:40
-
It doesn't mention how the service principal delegation link should be created. I don't want users to sign in or provide any consent. – Jagdeep Dhamande Feb 17 '21 at 06:32
-
I am not configuring any web application; I am just using the Azure app client and secret to access the directory and resource data. – Jagdeep Dhamande Feb 17 '21 at 06:33
-
If you want to use a multi-tenant application to access resources of other tenants, you must log in with the administrator of the other tenant and consent. Then the application will be added to other tenants as an enterprise application. – Carl Zhao Feb 17 '21 at 06:45
-
Thanks, tried that, but getting the "AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption." error. – Jagdeep Dhamande Feb 17 '21 at 06:59
-
see: https://stackoverflow.com/questions/64692600/aadsts9002325-proof-key-for-code-exchange-is-required-for-cross-origin-authoriz – Carl Zhao Feb 17 '21 at 07:25
-
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/228829/discussion-between-jagdeep-dhamande-and-carl-zhao). – Jagdeep Dhamande Feb 17 '21 at 07:58
-
I will post the comment as an answer, if it helps you, you can [accept](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) it as an answer, thank you. – Carl Zhao Feb 17 '21 at 09:38
-
Hi, Jagdeep Dhamande, do you have any other questions? – Carl Zhao Feb 24 '21 at 07:33
1 Answer
If you want to use a single Azure AD application to access different Azure AD directories, then you must configure the application as a multi-tenant application, because changing the application to a multi-tenant application allows any tenant to log in.
Next, you need to request the consent of the administrators of the other Azure AD tenants. After the administrator consents, it will be added to the other organization tenants as an enterprise application. In addition, different tenants need to use different access tokens.

Carl Zhao
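An added example, not part of the answer above: one way to apply "admin consent per tenant, then a separate token per tenant" with the client-credentials grant against the Microsoft identity platform `adminconsent` and `oauth2/v2.0/token` endpoints. `TenantTokenCache`, `fake_post`, the tenant names and the error value are hypothetical and constructed so the block runs offline; in real use `post` would be an HTTPS form POST and the redirect URI must be one registered on the app.

```python
import time
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
ARM_SCOPE = "https://management.azure.com/.default"


def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    """URL an administrator of tenant_id opens once to grant tenant-wide consent."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}"


class TenantTokenCache:
    """Client-credentials tokens, cached separately per (tenant, scope)."""

    def __init__(self, client_id, client_secret, post, clock=time.time):
        self._client_id, self._secret = client_id, client_secret
        self._post, self._clock = post, clock  # post(url, form_dict) -> parsed JSON dict
        self._cache = {}

    def get(self, tenant_id, scope):
        key = (tenant_id, scope)
        token, expires_at = self._cache.get(key, (None, 0))
        if token and self._clock() < expires_at - 60:  # refresh 60 s before expiry
            return token
        # The token endpoint is tenant-specific, so each token belongs to one tenant.
        url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        body = self._post(url, {
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._secret,
            "scope": scope,
        })
        if "access_token" not in body:
            # Report only the tenant and error code; the secret never enters the message.
            raise PermissionError(f"{tenant_id}: {body.get('error', 'unknown_error')}")
        self._cache[key] = (body["access_token"], self._clock() + int(body["expires_in"]))
        return body["access_token"]


def fake_post(url, form):
    """Constructed offline stand-in for the HTTPS POST; 'tenant-b' has not consented."""
    tenant = url.split("/")[3]
    if tenant == "tenant-b":
        return {"error": "unauthorized_client"}  # constructed error value
    return {"access_token": f"tok:{tenant}:{form['scope']}", "expires_in": 3600}
```

A token obtained for one tenant and scope is never reused for another: Graph and Azure Management calls each need their own token per directory.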