Tags: python, azure, azure-active-directory, azure-functions, azure-authentication

How to authorize an Azure multi-tenant application to provision resources in a customer tenant


I am building a multi-tenant application, and it has to provision a few Azure resources (resource group, event hub, storage hub, etc.) in the customer (say, target) tenant during the account setup process.

I followed the Azure doc to register an app. I can see the service principal created in the target tenant under "Enterprise Applications", and this app has the delegated-type "Azure Service Management API" permission.

Application in target tenant

Question: I want to write a function app in the source tenant (which is my tenant) in Python which can fetch subscriptions/provision resources in the target account. I tried azure.identity.ClientSecretCredential in the function, something like this example, to fetch the list of subscriptions; it returned zero subscriptions. I think ClientSecretCredential doesn't fit a delegated-type permission; until I add an explicit role assignment to the service principal, it won't have authorization. This post says the same.

Is it a must to use AuthorizationCodeCredential? It requires an auth_code, which needs user interaction. So, do I need to develop a web page which prompts for user consent and redirects the auth_code to this function, using the function as the redirect URI?

Is there any other way? Any code reference would help.

Also, what is the difference between the MSAL and azure.identity package classes? Is there any documentation in this regard, on when to use which API? I have seen various examples using either of them.


Solution

  • AuthorizationCodeCredential is not suitable for a function app because it is impossible to implement interactive login in a function app, according to my experience.

    Maybe you could use UsernamePasswordCredential; it may be unnecessary to assign an RBAC role, and adding the delegated permission is enough. Anyway, using ClientSecretCredential (in this case it's necessary to assign an RBAC role to the service principal/enterprise app) or UsernamePasswordCredential should be OK.

    In short, if you want to use a user token (AuthorizationCodeCredential or UsernamePasswordCredential) to call the Azure REST API, you need to know (or enter) the credentials of a user in the target tenant.

    Other design: you can use the auth code flow to get an access token for the Azure REST API in your front-end app and send the access token to your function, then call the Azure REST API from the function app.

    You can learn about the differences between MSAL and azure.identity from this post.
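Added example (not code from the question or the answer): a small Python pre-flight check for the design the answer ends with, where the function app is handed an access token and uses it against Azure Resource Manager. It decodes the token's claims to tell an app-only token (what ClientSecretCredential produces: no scp claim, authorized by the service principal's RBAC assignments in the target tenant) from a delegated user token (scp claim, authorized by the signed-in user's assignments), and flags a token whose aud is not ARM or whose tid is not the target tenant, which is what you get if ClientSecretCredential is built with the home tenant's ID instead of the target tenant's. The tokens below are constructed locally with an empty signature, the GUIDs are placeholders, and signature verification against the issuing tenant's published signing keys is assumed to happen before these checks and is not shown.

```python
"""Inspect an Azure AD access token before handing it to Azure Resource Manager.

Added example (not code from the question or the answer). The tokens built here
are constructed locally with an empty signature purely to exercise the checks; a
function app that receives a token from a front end must verify the signature
against the issuing tenant's signing keys before trusting any claim. Tenant and
application IDs are placeholders, not real tenants or apps.
"""
import base64
import json
from typing import Any, Dict, List

# Audiences Azure AD issues for Azure Resource Manager (v1 resource URIs).
ARM_AUDIENCES = {"https://management.azure.com/", "https://management.core.windows.net/"}

# Placeholder GUIDs (assumed values).
SOURCE_TENANT = "11111111-1111-1111-1111-111111111111"
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"
APP_ID = "33333333-3333-3333-3333-333333333333"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_sample_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, UNSIGNED JWT carrying the given claims (test fixture only)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # signature segment deliberately left empty


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: Dict[str, Any]) -> str:
    """Classify by claim shape: a delegated (user) token carries 'scp'; an app-only
    token from the client-credentials flow has no 'scp' (it may carry 'roles' if
    application permissions were granted, but ARM does not use those)."""
    return "delegated" if "scp" in claims else "app"


def check_arm_token(token: str, target_tenant_id: str) -> Dict[str, Any]:
    """Pre-flight checks on a token the function is about to send to ARM.

    Reports the token kind, whose Azure RBAC assignments ARM will evaluate, and
    any aud/tid mismatch that would make the call fail or return nothing useful."""
    claims = decode_claims(token)
    problems: List[str] = []
    if claims.get("aud") not in ARM_AUDIENCES:
        problems.append(f"aud {claims.get('aud')!r} is not Azure Resource Manager")
    if claims.get("tid") != target_tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the target tenant {target_tenant_id}")
    kind = token_kind(claims)
    # ARM authorizes by Azure RBAC, not by the delegated 'user_impersonation' permission:
    # an app-only token is checked against the service principal's role assignments in
    # the target tenant, a delegated token against the signed-in user's assignments.
    principal = "service principal in target tenant" if kind == "app" else "signed-in user"
    return {"kind": kind, "rbac_evaluated_for": principal, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed fixtures: app-only token for the target tenant, delegated token, and a
    # token minted against the wrong (home) tenant, the classic ClientSecretCredential slip.
    app_only = make_sample_token({"aud": "https://management.azure.com/", "tid": TARGET_TENANT,
                                  "appid": APP_ID, "idtyp": "app"})
    delegated = make_sample_token({"aud": "https://management.azure.com/", "tid": TARGET_TENANT,
                                   "appid": APP_ID, "scp": "user_impersonation"})
    wrong_tenant = make_sample_token({"aud": "https://management.azure.com/", "tid": SOURCE_TENANT,
                                      "appid": APP_ID})
    for name, tok in (("app-only", app_only), ("delegated", delegated), ("wrong tenant", wrong_tenant)):
        print(name, check_arm_token(tok, TARGET_TENANT))
```

In practice the app-only case with `ok == True` is exactly the situation in the question: the token is fine, and an empty subscription list means the enterprise app in the target tenant has no role assignment yet, not that the token was rejected.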