1

I have a very typical situation where I have Azure tenant A(our own) and Tenant B which is totally different, belongs to our partner(There own setup of Azure AD). The use case is basically to use A's Service Principal and read the specific resources from Tenant B from my application.

One technical way to do it is basically use the appId of Tenant A and create a SP on tenant B. Something like this

az ad sp create --id 00000000-0000-0000-0000-000000000000

However the problem is that we have multiple partners and if one partner can use the other partners tenantId in my application then they can actually read the other tenant details.

I see there are multiple ways of handling this one is, via multi tenant authentication. But the question, if the authentication flow can happen across different tenant? Other is, if I can use the service principal with client certificate for each tenant?

Does anyone have any suitable suggestion on how can this be achieved.

chaosguru
  • 1,933
  • 4
  • 30
  • 44
  • 1
    Does this help https://stackoverflow.com/questions/65696539/how-to-create-a-multi-tenant-service-principal-in-azure-using-terraform? – Rukmini Oct 14 '22 at 10:46
  • @Rukmini yes the accepted answer is another way and legit way of doing it :) thank you for sharing. l will dig down the hole. – chaosguru Oct 20 '22 at 10:04

1 Answers1

2

To use azure service principal for multi-tenant application, try the below:

While creating the Azure AD Application, AvailableToOtherTenants $true:

$aadApplication = New-AzureADApplication -DisplayName Name
-HomePage URL
-ReplyUrls URL
-IdentifierUris AppIdURI
-LogoutUrl logoutURI
-RequiredResourceAccess RequiredResourcesAccess
-PasswordCredentials AppKey
-AvailableToOtherTenants $true
$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId

enter image description here

And then assign the required permissions to the Azure AD Application.

To make the Service Principal created in another tenant, you can grant admin consent by using below endpoint:

https://login.microsoftonline.com/TenantIdofAnotherTenant/adminconsent?client_id=ClientID

Sign-in with the other Tenant admin credentials and Accept this will create the Service Principal in another Tenant.

enter image description here

For more in detail, please refer below links:

Convert single-tenant app to multi-tenant on Azure AD

How to create a multi-tenant Service Principal in Azure by Allen Wu

Rukmini
  • 6,015
  • 2
  • 4
  • 14