I have a web app hosted in azure with managed identity enabled on it. I also have a b2c tenant, in which I registered that application and granted it permissions to list all users.
If I'm using the combination of clientId, tenantId and clientSecret - I can call the GraphServiceClient and get users. But if I'm specifying DefaultAzureCredentials - then it looks like it can't validate the access.
I would really like to avoid the manual client secret rotation, so is there a way to make DefaultAzureCredentials work? It seems like I missed some IAM assignment, but there are no GraphApi-related roles. It's also not helping that the b2c tenant manager is a separate window with its own UI.
Searching the internet I saw a mention of service-to-service authorization, where having Azure AD we register both the app and B2C in there... but maybe there is a better way? There should be, at least.
Thank you in advance.
As per December 2023, this is not supported, as managed identities belong to only one tenant:
Can I use a managed identity to access a resource in a different directory/tenant?
No. Managed identities don't currently support cross-directory scenarios.
Additionally, I looked into federated identity credentials, which should theoretically enable this scenario, but it is not supported as well:
Microsoft Entra issuers aren't supported
Applies to: applications and user-assigned managed identities
Creating a federation between two Microsoft Entra identities from the same or different tenants isn't supported. When creating a federated identity credential, configuring the issuer (the URL of the external identity provider) with the following values isn't supported:
- *.login.microsoftonline.com
- *.login.windows.net
- *.login.microsoft.com
- *.sts.windows.net
While it's possible to create a federated identity credential with a Microsoft Entra issuer, attempts to use it for authorization fail with error AADSTS700222: AAD-issued tokens may not be used for federated identity flows.
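As an added illustration of the failure mode the answer quotes (not code from the question or the answer): a small pre-flight check that decodes the token you are about to pass as a client assertion and flags it when its `iss` claim points at one of the Microsoft Entra issuer hosts listed above, which is exactly the case that fails with AADSTS700222. The two sample tokens are constructed inline (unsigned, `alg: none`, placeholder all-zero tenant ID) purely so the check runs offline; the helper names and the `expected_error` field are this example's own, not part of any Azure SDK.

```python
import base64
import json
from urllib.parse import urlparse

# Issuer hosts the Entra docs list as unsupported for federated identity
# credentials. A wildcard entry matches the host itself and any subdomain.
UNSUPPORTED_ISSUER_SUFFIXES = (
    "login.microsoftonline.com",
    "login.windows.net",
    "login.microsoft.com",
    "sts.windows.net",
)


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, re-adding the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Signature is NOT verified:
    this is a diagnostic for a token you already hold, not a validator."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_entra_issuer(issuer: str) -> bool:
    """True if the issuer URL's host is, or is a subdomain of, an Entra issuer host."""
    host = (urlparse(issuer).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in UNSUPPORTED_ISSUER_SUFFIXES)


def check_client_assertion(token: str) -> dict:
    """Report whether a candidate client_assertion would be rejected as
    AAD-issued. 'expected_error' is this example's own label, not an API field."""
    iss = jwt_claims(token).get("iss", "")
    entra = is_entra_issuer(iss)
    return {
        "issuer": iss,
        "entra_issued": entra,
        "expected_error": "AADSTS700222" if entra else None,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the check can run offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens (placeholder tenant ID, no real identities).
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
ENTRA_TOKEN = make_unsigned_jwt({
    "iss": f"https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/v2.0",
    "sub": "managed-identity-object-id",
    "aud": "api://AzureADTokenExchange",
})
GITHUB_TOKEN = make_unsigned_jwt({
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:example/repo:ref:refs/heads/main",
    "aud": "api://AzureADTokenExchange",
})

if __name__ == "__main__":
    for name, tok in (("entra", ENTRA_TOKEN), ("github", GITHUB_TOKEN)):
        print(name, check_client_assertion(tok))
```

Running the script flags the Entra-issued token with `AADSTS700222` and passes the GitHub Actions style token, which is the distinction the quoted documentation draws: a federated identity credential must point at an external issuer, and a token minted by any `*.login.microsoftonline.com`, `*.login.windows.net`, `*.login.microsoft.com` or `*.sts.windows.net` host (including a managed identity's own token) is rejected before it reaches the B2C tenant.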