How to use azure service principal for multi tenant application?
I have a very typical situation where I have Azure tenant A(our own) and Tenant B which is totally different, belongs to our partner(There own setup of Azure AD). The use case is basically to use A's Service Principal and read the specific resources from Tenant B from my application.
One technical way to do it is basically use the appId of Tenant A and create a SP on tenant B. Something like this
az ad sp create --id 00000000-0000-0000-0000-000000000000
However the problem is that we have multiple partners and if one partner can use the other partners tenantId in my application then they can actually read the other tenant details.
I see there are multiple ways of handling this one is, via multi tenant authentication. But the question, if the authentication flow can happen across different tenant? Other is, if I can use the service principal with client certificate for each tenant?
Does anyone have any suitable suggestion on how can this be achieved.
To use azure service principal for multi-tenant application, try the below:
While creating the Azure AD Application, AvailableToOtherTenants $true:
$aadApplication = New-AzureADApplication -DisplayName Name
-HomePage URL
-ReplyUrls URL
-IdentifierUris AppIdURI
-LogoutUrl logoutURI
-RequiredResourceAccess RequiredResourcesAccess
-PasswordCredentials AppKey
-AvailableToOtherTenants $true
$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
And then assign the required permissions to the Azure AD Application.
To make the Service Principal created in another tenant, you can grant admin consent by using below endpoint:
https://login.microsoftonline.com/TenantIdofAnotherTenant/adminconsent?client_id=ClientID
Sign-in with the other Tenant admin credentials and Accept this will create the Service Principal in another Tenant.
For more in detail, please refer below links:
Convert single-tenant app to multi-tenant on Azure AD
How to create a multi-tenant Service Principal in Azure by Allen Wu
- Deploy filtered metrics on Azure dashboard with Bicep
- IAsyncEnumerable JSON streaming is not streaming on azure web app running on IIS
- node-fetch azure document translator
- Need help getting Azure AD B2C SSO with Azure AD
- Unable to get all users from Microsoft Graph using Python SDK
- You need to ensure that WebApp1 uses the ASP.NET v4.7 runtime stack
- MS Graph API - How to query additional pages
- how to hash users into random values in azure databricks
- How can I manage Azure SQL user/login/credentials
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- AVD Insights Host Performance Blade Empty after vhange to new Azure Monitoring Agent
- How to get a list of users from azure graph API
- Azure App Service Flask Deployment Error: "Failed to Respond to HTTP Pings on Port 8000; Site Start Failed. Check Container Logs for Debugging."
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Can you publish a new standalone Angular project (esproj) directly from VS2022 to Azure?
- Cors configuration
- Publish error: Found multiple publish output files with the same relative path
- remove event subscriptions from system topics
- Is it possible to use .env in a React Web project?
- Sign in to Azure Account from VS Code
- How to copy blobs from azure to aws using python?
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- how to mask hash users into random values [email protected] in azure databricks
- Can we use PostgREST API with Azure
- Bicep adding DNS Records saying already exists when it doesn't
- Issue in sending personal message in MS Teams with Graph API
- import files to databricks workspace
- Create an Api connection to log analytics workspace via bicep
- az funcapp publish .net8 Isolated breaking Azure configuration runtime settings on Sync