How to make 2 AD tenants authenticate between each other?
I am a service provider which develops PBI reports to multiple clients. I manage the PBI account and tenants for my clients. For each client I create a new tenant which I manage for them. In this tenants I keep all the PBI fils (PBIX), reports and datasets. If my client already has a 365 account (for his email, teams etc) I create a new tenant in addition to the one he uses.
For example: the client private tenant is @ABCcompany.com. in this tenant, the client has his email account, teams, Office 365 etc. I create a tenant @BIABCcompany. This tenant stores the PBI account.
In the current situation, shen the client wants to use the BI reports , he need to log out of his private 365 tenant (@ABCcompany.com) and log in to (BIABCcompany.com).
My final goals are:
- I want to remove this sign in and sign out step, but I don’t want to store the PBI files (PBIX) files on the client tenants.
- I want that my client will be able to consume the PBI reports on Microsoft teams while he signing to his tenants (@ABCcompany.com)
As I imagine this, I need to make both tenants to talk to teach other and be able to aunticate between one to each other? I this possible?
What I need to do? I read about guests accounts, share domain and many other Azure AD feature but I don;t sure which one of them I should use.
Thank you, Tal
You can make use of Azure AD B2B collaboration to achieve your scenario.
Azure AD B2B collaboration enables users to use one set of credentials to sign in to multiple tenants.
Using the above method, the user with @ABCcompany.com can be invited as a guest user to another tenant (@BIABCcompany.com) and he can sign in using his home tenant credentials(@ABCcompany.com).
You can create the guest users by referring this blog of Hadshana Kamalanathan like below:
Go to Azure Portal -> Azure Active Directory -> Users -> New user
To make the guest users to access the resources in another tenant, make sure to modify the settings like below:
Go to Azure Portal -> Azure Active Directory -> External Identities -> External collaboration settings
References:
Multi-tenant architecture for large institutions - M365 Education | Microsoft Docs
Enable B2B external collaboration settings - Azure AD - Microsoft Entra | Microsoft Docs
- Microsoft Power BI REST API PowerBINotAuthorizedException
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?
- Is it possible to add multiple audiences to AAD bearer token?
- Non-interactive way to authenticate to Azure AD using AADInternals?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0