Multi tenant app to app authorization using AAD












0















I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.



The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?



enter image description here



The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.



I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).






azure azure-active-directory multi-tenant azureportal







share|improve this question



























    0















    I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.



    The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?



    enter image description here



    The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.



    I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).






    azure azure-active-directory multi-tenant azureportal







    share|improve this question

























      0












      0








      0








      I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.



      The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?



      enter image description here



      The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.



      I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).






      azure azure-active-directory multi-tenant azureportal







      share|improve this question














      I have a service registered as a multi-tenanted Web API in an AAD tenant “A”. And a client registered as a web app in a different AAD tenant “B”. The question is, whether do I need any additional configuration on Azure portal in order for the client app in tenant “B” to successfully access the web API in the tenant “A” (app to app authentication) ? Does AAD support such scenario? Currently, I get Unauthorized status code as response from the service when the service is deployed to Azure.



      The service in tenant A doesn’t show up when I try to manually manage permissions for the client app in tenant B. Is this step necessary or am I missing some config set up?



      enter image description here



      The service is built on asp.net MVC application and it uses JWT bearer authentication scheme. The client successfully acquires its token from its own AAD tenant. So it doesn't seem like an authentication issue. On the service side, I have added the client's tenant to be one of the valid token issuers as well.



      I'm not sure if a service principal for the service app is created in the client's tenant automatically (the consent page has never showed up so far).






      azure azure-active-directory multi-tenant azureportal




      azure azure-active-directory multi-tenant azureportal






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 28 '18 at 17:48









      Saipreethi MuthusrinivasanSaipreethi Muthusrinivasan

      575410




      575410
























          1 Answer
          1






          active

          oldest

          votes


















          1














          The scenario is supported.
          You'll just have to consent to the API from tenant B first before it shows up in the list.



          You can define your application permissions on the Web API as normal (check here).



          Then you can go through consent for the API by accessing a URL like this:



          https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent


          You'll have to replace 3 values there with yours:





          • tenant-b-id: the directory id for tenant B


          • your-api-client-id: The application id/client id of your API in tenant A


          • reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)


          That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.






          share|improve this answer
























          • I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 19:30











          • The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 20:22












          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53525305%2fmulti-tenant-app-to-app-authorization-using-aad%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          The scenario is supported.
          You'll just have to consent to the API from tenant B first before it shows up in the list.



          You can define your application permissions on the Web API as normal (check here).



          Then you can go through consent for the API by accessing a URL like this:



          https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent


          You'll have to replace 3 values there with yours:





          • tenant-b-id: the directory id for tenant B


          • your-api-client-id: The application id/client id of your API in tenant A


          • reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)


          That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.






          share|improve this answer
























          • I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 19:30











          • The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 20:22
















          1














          The scenario is supported.
          You'll just have to consent to the API from tenant B first before it shows up in the list.



          You can define your application permissions on the Web API as normal (check here).



          Then you can go through consent for the API by accessing a URL like this:



          https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent


          You'll have to replace 3 values there with yours:





          • tenant-b-id: the directory id for tenant B


          • your-api-client-id: The application id/client id of your API in tenant A


          • reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)


          That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.






          share|improve this answer
























          • I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 19:30











          • The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 20:22














          1












          1








          1







          The scenario is supported.
          You'll just have to consent to the API from tenant B first before it shows up in the list.



          You can define your application permissions on the Web API as normal (check here).



          Then you can go through consent for the API by accessing a URL like this:



          https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent


          You'll have to replace 3 values there with yours:





          • tenant-b-id: the directory id for tenant B


          • your-api-client-id: The application id/client id of your API in tenant A


          • reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)


          That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.






          share|improve this answer













          The scenario is supported.
          You'll just have to consent to the API from tenant B first before it shows up in the list.



          You can define your application permissions on the Web API as normal (check here).



          Then you can go through consent for the API by accessing a URL like this:



          https://login.microsoftonline.com/tenant-b-id/oauth2/authorize?client_id=your-api-client-id&response_type=code&redirect_uri=reply-url-defined-on-api&prompt=admin_consent


          You'll have to replace 3 values there with yours:





          • tenant-b-id: the directory id for tenant B


          • your-api-client-id: The application id/client id of your API in tenant A


          • reply-url-defined-on-api: URL-encoded reply URL defined on your API in tenant A (e.g. https%3A%2F%2Flocalhost%2F)


          That should then result in a service principal getting created in tenant B for the API, allowing you to assign app permissions to apps in tenant B.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 28 '18 at 18:07









          juunasjuunas

          23.5k35182




          23.5k35182













          • I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 19:30











          • The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 20:22



















          • I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 19:30











          • The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

            – Saipreethi Muthusrinivasan
            Nov 28 '18 at 20:22

















          I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

          – Saipreethi Muthusrinivasan
          Nov 28 '18 at 19:30





          I was able to add permissions to the Web API from tenant B after following the above steps. However, I still get unauthorized response code. I looked at the client's JWT token, and it doesn't have any scope (scp) field in it. Could this be the issue?

          – Saipreethi Muthusrinivasan
          Nov 28 '18 at 19:30













          The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

          – Saipreethi Muthusrinivasan
          Nov 28 '18 at 20:22





          The consent page lists only permissions to view user profile. It does not list the permission corresponding to the Web api access.

          – Saipreethi Muthusrinivasan
          Nov 28 '18 at 20:22




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53525305%2fmulti-tenant-app-to-app-authorization-using-aad%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Lallio

          Image
          Coordenadas: 45° 40' N 9° 38' E Lallio      Comuna    Lallio Localização de Lallio na Itália Coordenadas 45° 40' N 9° 38' E Região Lombardia Província Bérgamo Área - Total 2 km² Altitude 216 m População  - Total 3 826     • Densidade 1 913 hab./km² Outros dados Comunas limítrofes Bergamo, Dalmine, Stezzano, Treviolo Código ISTAT 016123 Código cadastral E422 Código postal 24040 Prefixo telefônico 035 Website www.comune.lallio.bg.it Lallio é uma comuna italiana da região da Lombardia, província de Bérgamo, com cerca de 3.826 habitantes. Estende-se por uma área de 2 km², tendo uma densidade populacional de 1913 hab/km². Faz fronteira com Bergamo, Dalmine, Stezzano, Treviolo. [ 1 ] [ 2 ] [ 3 ] Demografia | Variação demográfica do município entre 1861 e 2011 [ 3 ] Fonte : Istituto Nazionale di Statistica (ISTAT) - Elabor...
          Read more

          Futebolista

          Image
          Ronaldo primeiro jogador a ser eleito por três vezes o melhor jogador do mundo pela FIFA. Ronaldinho Gaúcho atuando pelo Barcelona onde foi duas vezes eleito o melhor jogador do mundo pela FIFA. Kaká atuando pelo Milan onde foi eleito em 2007 o melhor jogador do mundo pela FIFA. Lothar Matthäus primeiro jogador a ser eleito o melhor jogador do mundo pela FIFA em 1991 pela Inter de Milão. Neymar durante partida contra a Escócia, em 27 de março de 2011. Crianças praticando futebol. Robinho, futebolista brasileiro, em 15 de novembro de 2006. Atletas do Chelsea, da Inglaterra. A venda de camisas com nome e número dos jogadores é uma grande fonte de arrecadação. Jürgen Klinsmann atuou como jogador e foi treinador da Alemanha. Estádio de futebol, principal local onde laboram os jogadores. O jogador de futebol , ou Futebolista , é um atleta profissional de futebol, e cuja prática do desporto coletivo é fundamental. Estes trabalhadores sã...
          Read more

          Jornalista

          Image
          Uma repórter de televisão segurando um microfone na frente de um cinegrafista. Fotojornalistas no Campeonato Mundial de Atletismo 2013 Uma repórter entrevistando Boris Johnson, Prefeito de Londres. Jornalista é o profissional formado em Jornalismo. É a pessoa responsável pela apuração, investigação e apresentação de notícias, reportagens, entrevistas ou distribuição de notícias ou outra informação de interesse coletivo. O trabalho do jornalista é chamado jornalismo. Um jornalista pode trabalhar com questões gerais ou especializar-se em determinadas áreas. No entanto, a maioria dos jornalistas tendem a se especializar, e cooperando com outros jornalistas, produzir publicações que abrangem muitos tópicos. [ 1 ] Por exemplo, um jornalista esportivo cobre notícias dentro do mundo dos esportes, mas este jornalista pode ser uma parte de um jornal que cobre diversos temas. O exercício do Jornalismo é privativo de jornalista. Entre as áreas em que o jornalista trabalha estão o...
          Read more