Questions around Entra External ID and deploying resources
I am currently evaluating Entra External ID to use in a Blazor WASM app calling my own Web API scenario. The authn/authz parts are now all in place, however I can't seem to figure out on how to move on from here.
I am given some details about my account setup, in case this might be helpful in answering:
Using my @outlook personal account, I have created a personal PAYG Azure subscription.
Added a user admin@mainTenant, promoted this to Global Administrator
Using above user @ https://entra.microsoft.com I have created a customer tenant. There, the two app registrations have been configured to work with my apps.
In my subscription@mainTenant, I have linked the subscription for use with External Identities
I am now unclear on how to proceed. Although linking has taken place, I am unable to deploy anything in the customerTenant because the portal says I have no subscription. But even if there was, should I deploy there? I have my doubts somehow.
I would prefer to deploy infrastructure in my mainTenant, i.e. an Azure Static Web App for Blazor WASM and a App Service for the API. But then I would reference app registrations from another tenant, i.e. my customerTenant, will that work?
As part of my API backend code, I need to interact with the MS Graph API to edit customer user data. I would like to authorize the managed identity of the App Service, however, the permissions I would need to grant would also be scoped to data that lives in the other tenant (the user objects of Entra External ID).
What's even more confusing is, that when logged in with my personal @outlook account that created my initial subscription in the first place, I am not even able to see the other tenant, neither in the portal, nor at https://entra.microsoft.com
All in all, I have the feeling I have misconfigured something. Definitely, I don't have a clear enough concept of how all these parts are supposed to play together.
All the steps you did to create and configure your Microsoft Entra External ID instance are correct. Subscription is only required when you want to have Identity Protection access. Under this link you can find detailed information about configuration and free trial too.
Subscription linking is used because in the future there will be “monthly active users (aka MAU)” pricing model and you will pay for the active users above specific threshold.
However, your Azure subscription is still under your main Microsoft Entra ID tenant, not the Microsoft Entra External ID tenant. You only linked Entra External ID to existing subscription for the billing purposes. You should deploy all your resources using the main Microsoft Entra ID tenant connected with your Azure subscription. You cannot deploy Azure resources under Microsoft Entra External ID tenant. This is why you see the error in the portal.
Now, when it comes to app registrations, access to Microsoft Graph API, managed identities. When you deploy your applications to let’s say Azure Web App, you can enable system-assigned managed identity for this service. You can have then Azure Key Vault, where you store Client ID and Client Secret of the application registered in the CIAM (MS Entra External ID) tenant. There is no way to use managed identity directly to call another tenant’s resources in this case. The typical approach is to create app registration in your MS Entra External ID tenant, and use client ID with certificate. With these credentials you can authenticate with MS Graph API, and then call endpoints responsible for returning information about users stored in your MS Entra External ID tenant.
To summarize. To communicate between Azure resources deployed under subscription connected to your main Microsoft Entra ID tenant (workforce one, not customer one) you can configure manage identities and use RBAC (Role Based Access Control) to grant access. For instance you can grant your Azure Web App permission to get secret from the Azure Key Vault.
On the other side, if you need to authenticate users accessing your application hosted on Azure Web App, you have to use app details from the Customer tenant (like Client ID). If you need to access your users data from the MS Entra External ID, you have to first authenticate with Microsoft Graph API. This is what you typically do on the backend side (like in ASP .NET Core API). Here you store securely your backend app registration details like Client ID, and Client Secret and you grant specific MS Graph permissions to your app under “Permissions” section in MS Entra for customers tenant.
You also mentioned that you cannot see other tenant. In the MS Entra Admin Center please use "gear" icon to see the list of all tenants. You should see your two tenants - the standard one and one for customers. I attach image to make it easier.
Please let me know if this clarified a bit. I am happy to provide more details to help.
- Deploy filtered metrics on Azure dashboard with Bicep
- IAsyncEnumerable JSON streaming is not streaming on azure web app running on IIS
- node-fetch azure document translator
- Need help getting Azure AD B2C SSO with Azure AD
- Unable to get all users from Microsoft Graph using Python SDK
- You need to ensure that WebApp1 uses the ASP.NET v4.7 runtime stack
- MS Graph API - How to query additional pages
- how to hash users into random values in azure databricks
- How can I manage Azure SQL user/login/credentials
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- AVD Insights Host Performance Blade Empty after vhange to new Azure Monitoring Agent
- How to get a list of users from azure graph API
- Azure App Service Flask Deployment Error: "Failed to Respond to HTTP Pings on Port 8000; Site Start Failed. Check Container Logs for Debugging."
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Can you publish a new standalone Angular project (esproj) directly from VS2022 to Azure?
- Cors configuration
- Publish error: Found multiple publish output files with the same relative path
- remove event subscriptions from system topics
- Is it possible to use .env in a React Web project?
- Sign in to Azure Account from VS Code
- How to copy blobs from azure to aws using python?
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- how to mask hash users into random values [email protected] in azure databricks
- Can we use PostgREST API with Azure
- Bicep adding DNS Records saying already exists when it doesn't
- Issue in sending personal message in MS Teams with Graph API
- import files to databricks workspace
- Create an Api connection to log analytics workspace via bicep
- az funcapp publish .net8 Isolated breaking Azure configuration runtime settings on Sync