How do I create a Azure AD service principal in our customer’s tenant without having global admin rights - azure-active-directory

We are using a service principal to connect our Azure tenant with our customer’s tenant. To create the service principal in the customer’s tenant, we need a global admin of the customer’s AD tenant to approve and create the service principal. We are trying to find a way to accomplish this without involving global admins. The solution can involve a few manual steps which can be done at the customer’s end.

Thanks Allen. Appreciate the quick response. Actually I did not put the full requirement correctly. Here is one more addition. Thanks!!!
Screenshot: Access Grants
The service principal requires delegated access to APIs as shown in the diagram. It appears that this can be granted by a global admin. Can any other user(s)/roles do this? What is the best practice for this? We are trying to avoid having a global admin do this all the time and want someone in the project team to own this process.
Appreciate any insights.

You could ask an admin of your customer's tenant to configure the User settings.
Please refer to this document.
Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.
Then you could use a non-admin account to create the service principal.
UPDATE
I'm afraid that you have to use a global admin to do the admin consent because the permissions are for the entire tenant.
I don't think a global admin needs to do this all the time. Administrator consent is required every time new permissions are assigned to your app.

Related

Is it possible to allow all users in a specific AAD tenant to access an app?
Something like a tenant trust. Tenant 1 trusts Tenant 2 and I can add 'tenant2\AllUsers' to a permission.
I want to allow all users of a partner tenant (current and future) to be able to access a SharePoint site and a few other apps.
I've looked at B2B but it requires invitations which is hard to manage at scale.
Entitlement management looks nice but requires P2 licenses and has lots of capabilities we just don't need.
Does anyone have a simple way to do a 'tenant trust'? Am I missing something?
Firstly, you have a misunderstanding of "tenant trust".
When we say tenant trust, it means the tenant trusts an app and then the app can access the data of that tenant. There is not a way to make a tenant trust another tenant.
Anyway, using the official admin consent URL you can grant admin consent for a whole tenant to an app.
See Construct the URL for granting tenant-wide admin consent.
https://login.microsoftonline.com/{tenant-id of partner tenant}/adminconsent?client_id={client-id}
Sign in with an admin account from partner tenant and do the admin consent. Then all users from partner tenant can sign in to this app.
For the SharePoint use case, you can take advantage of the self-enroll service. Please refer to Use SharePoint as a business-to-business (B2B) extranet solution and Create a B2B extranet with managed guests.
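As an added example (not from the answer above), a small Python helper that builds the tenant-wide admin consent URL in the form shown and validates the callback Azure AD sends back; the tenant, client and redirect values are placeholders, and the state check is the app's own protection against a forged callback marking a tenant as consented.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Per-request, unguessable value stored server-side for the consent round-trip."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(partner_tenant_id: str, client_id: str,
                            redirect_uri: str, state: str) -> str:
    """Tenant-wide admin consent URL for the /adminconsent endpoint quoted above.
    The partner tenant's admin signs in here; `state` comes back on the redirect."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{partner_tenant_id}/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect Azure AD issues after the admin decides.
    On success the query carries tenant=<id>&state=<state>&admin_consent=True;
    on refusal it carries error=...&error_description=... instead."""
    qs = parse_qs(urlparse(callback_url).query)
    first = lambda key: qs.get(key, [None])[0]
    state = first("state")
    # Reject anything whose state we did not issue (constant-time compare).
    if state is None or not secrets.compare_digest(state, expected_state):
        return {"ok": False, "tenant": None, "error": "state_mismatch"}
    if first("error"):
        return {"ok": False, "tenant": first("tenant"), "error": first("error")}
    consented = (first("admin_consent") or "").lower() == "true"
    return {"ok": consented, "tenant": first("tenant"),
            "error": None if consented else "not_consented"}
```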

Is it possible for us to create an app on our Azure and share it with others to use?

We are trying to integrate Onedrive with a WebApplication. Intent is to get the content from Onedrive into WebApplication on any event.
We are able to integrate using the "App Register" in Azure Active Directory, configuring it with Graph API for delegation and then using the client id, client secret and tenant id from the WebApplication.
Here, I would like to understand: is it possible for us to create an app on our Azure subscription and have a way for others (other companies/clients) to install it on their Azure system using the OAuth process, in order to avoid any creation of an app and sharing of other details?
Please let me know if the query is clear or not. If not, I will explain more in detail.
Thanks
Sakti
Yes, you can share your application with other organizations; you only need to change your application to a multi-tenant application, because a multi-tenant application allows users from any tenant to log in.
Next, you need to request the consent of the administrators of the other organizations' tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consents, it will be added to the other organization's tenant as an enterprise application.
However, you need to note that after sharing your application, the permissions granted to it in the original tenant will not exist. If you need the application to access the resources of other company tenants, you must request the other company's IT to grant similar access permissions.

Adding new static scopes to existing Azure AD app registration

My AD tenant has user consent disabled, i.e., all permissions added to AD app registration need an admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenId endpoint), is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the Open ID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consents to the API permissions of an AD App (App registration), the permissions are essentially given to the service principal (Enterprise application) in your AAD tenant. Actually, if you use the AD App in your tenant, the permissions essentially come from the service principal.
You could refer to the screenshot below: there are four permissions, and two of them have been granted.
Navigate to the Overview and click the option Manage application in local directory.
Then under Permissions, you will find the two permissions which have been consented.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons
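An added Python example (not part of the answer above) for the gating that answer describes: read the service principal's oauth2PermissionGrant records, work out which static scopes the admin has consented tenant-wide, and enable only the features those scopes cover while the rest wait for admin consent; the grant records, ids and feature map are constructed placeholders.

```python
import json

# Constructed sample of the oauth2PermissionGrant objects Graph returns for an
# app's service principal (assumed shape: consentType "AllPrincipals" = admin
# consent for the whole tenant, "Principal" = one user's own consent, and
# scope = space-separated delegated scopes). All ids are placeholders.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-object-id-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp-id-placeholder",
   "scope": " User.Read Mail.Read "},
  {"clientId": "sp-object-id-placeholder", "consentType": "Principal",
   "principalId": "user-id-placeholder", "resourceId": "graph-sp-id-placeholder",
   "scope": "Files.Read.All"}
]
""")

# Static scopes the app registration asks for, and which feature needs which.
REQUIRED_SCOPES = ["User.Read", "Mail.Read", "Files.Read.All", "Group.Read.All"]
FEATURE_SCOPES = {
    "profile": {"User.Read"},
    "mailbox": {"Mail.Read"},
    "drive_sync": {"Files.Read.All"},
    "directory": {"Group.Read.All", "User.Read"},
}


def tenant_wide_scopes(grants: list, resource_id: str) -> set:
    """Scopes the admin has consented for all users of this resource.
    Per-user grants (consentType Principal) deliberately do not count."""
    granted = set()
    for g in grants:
        if g["resourceId"] == resource_id and g["consentType"] == "AllPrincipals":
            granted.update(g["scope"].split())  # split() tolerates padding spaces
    return granted


def missing_admin_consent(required: list, granted: set) -> list:
    """Required static scopes still waiting for admin consent, in declared order."""
    return [s for s in required if s not in granted]


def enabled_features(feature_scopes: dict, granted: set) -> list:
    """Features whose scopes are all consented; gate UI and endpoints on this."""
    return sorted(f for f, needed in feature_scopes.items() if needed <= granted)


if __name__ == "__main__":
    granted = tenant_wide_scopes(SAMPLE_GRANTS, "graph-sp-id-placeholder")
    print("tenant-wide:", sorted(granted))
    print("awaiting admin consent:", missing_admin_consent(REQUIRED_SCOPES, granted))
    print("usable features:", enabled_features(FEATURE_SCOPES, granted))
```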

Azure AD V1 endpoint registered native app: Graph API consent given but user can't get through

When registering a native application on the Azure AD 1.0 endpoint, and assigning Graph API permissions, it seems like consented permissions are 'cached' somewhere and can't be managed properly.
Example scenario:
1. Application registered and permission scopes (incl. ones requiring admin consent) assigned.
2. Administrator consents to the permission scopes.
3. Simple user can use the app with consented permissions.
4. Permission scopes change (adding a new one, for example).
5. Same admin doesn't get the consent form anymore.
6. Simple user is stuck with "consent required, have an admin account?"
7. Another global admin must use the app for the first time to trigger the consent page.
Note that #7 doesn't always work; even if the other admin provides consent, simple users sometimes can't get through.
This is a multi-tenant application, yet when I start using it in another tenant, I cannot see its consented permissions in the AAD portal under enterprise applications.
Shouldn't permissions that have been consented to be listed in other tenants so that the admin can at least see what has been consented to?
Also, when I register an app on the V1.0 endpoint in my own tenant, I have an option to 'grant permissions' centrally, from the Azure AD portal for my tenant.
This option isn't available if I'm looking at an application that was registered in another tenant.
Am I overlooking something? Any help much appreciated.
When you change permissions, it does not automatically re-consent (for user or admin). You can find a detailed overview of this at Understanding user and admin consent.
You'll first need to kick off the Admin Consent workflow. For a multi-tenant app this is done by adding prompt=admin_consent to your OAuth URL and having an admin authenticate.
Once that is done you can also force existing users to re-consent by adding prompt=consent to your auth URL.

Azure AD application only allowing admins

As you can see from the image, it's not letting regular users log in to the application. How do I bring this access down to members? This is an Azure Active Directory application. I can log in just fine with an admin user but my regular accounts get blocked. Note, I created the application with the regular account. I don't suppose this has something to do with it?
I've granted the app all delegated permissions. No application permissions though. I'm thinking there's something in the manifest I need to alter but I'm not sure and I've never messed with this before. So any help is appreciated.
You likely need to perform admin consent for the application. There are two ways to do this in Azure AD:
1. In the Azure portal, you can go into the App Registrations blade, then click on the App, click on Permissions, and hit Grant Permissions.
2. Construct a request to Azure AD with the extra parameter &prompt=admin_consent.
For example:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<AppID>&resource=<Resource App ID URI>&response_type=code&redirect_uri=<Redirect URI>&prompt=admin_consent
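An added Python example, not from either answer, covering the two prompt values discussed here and in the previous question (prompt=admin_consent to start admin consent, prompt=consent to make existing users re-consent after permissions change): one function that sets the prompt on an authorize URL without disturbing the other parameters, and a hypothetical app-side tracker that decides which prompt a sign-in needs; the URL values used in the usage are placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

ALLOWED_PROMPTS = {"admin_consent", "consent", "login", "select_account", "none"}


def with_prompt(authorize_url: str, prompt: str) -> str:
    """Return the authorize URL with prompt=<prompt>, replacing any existing
    prompt value and leaving every other query parameter as it was."""
    if prompt not in ALLOWED_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt}")
    parts = urlparse(authorize_url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "prompt"]
    params.append(("prompt", prompt))
    return urlunparse(parts._replace(query=urlencode(params)))


@dataclass
class ConsentTracker:
    """Hypothetical app-side record of who has consented to the current
    permission set. Bump permission_version whenever the app's required
    permissions change, because Azure AD does not re-prompt on its own."""
    permission_version: int
    admin_consented: dict = field(default_factory=dict)  # tenant -> version
    user_consented: dict = field(default_factory=dict)   # (tenant, user) -> version

    def record_admin_consent(self, tenant: str) -> None:
        self.admin_consented[tenant] = self.permission_version

    def record_user_consent(self, tenant: str, user: str) -> None:
        self.user_consented[(tenant, user)] = self.permission_version

    def prompt_for(self, tenant: str, user: str, is_admin: bool):
        """Prompt value to add for this sign-in, or None if none is needed.
        'admin_required' means a non-admin is blocked until an admin consents,
        which is the "consent required, have an admin account?" situation."""
        if self.admin_consented.get(tenant) != self.permission_version:
            return "admin_consent" if is_admin else "admin_required"
        if self.user_consented.get((tenant, user)) != self.permission_version:
            return "consent"
        return None
```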
