MS Graph API 多租户权限

Question

We have an web application that use Graph APIs, we granted it application permissions in app registration. Now we want to put the application to Microsoft App Source, is it possible to allow user of other tenants to use the permission of the app registration in our tenant? For example, one of the APIs is for creating calendar event to some users in this tenant, if use multi-tenant app registration, can people from other tenant create calendar event in their tenant successfully?

Answer 1

if use multi-tenant app registration, can people from other tenant create calendar event in their tenant successfully?

Agree with @Tiny Wang, Yes we can do this, the multi-tenant Azure AD app should obtain authorization from other tenants, and when other tenants wish to create calendar events in their own tenant, they should specify their own tenant id when generating access tokens.

You can implement Get access without a user and use Application permission to access for create calender event.

Make sure that we need to get administrator consent for each tenant where we need to access.

For example if one app is registered in TenantA . And you want to access for create calender event in TenantB . Then we need to do admin consent as mentioned below and Log in with an admin account of TenantB to do the admin consent for TenantB

To access the following url in a browser.

https://login.microsoftonline.com/{TenantB}/adminconsent
?client_id={ app registered in TenantA}
&state=12345
&redirect_uri={app registered  in TenantA}

Then we will get an access token to create an calender event for the tenant B.

For more information please refer the below links:

SO THREAD | Error trying to access other tenant users calendars, using MS Graph API & Multi tenant support for Microsoft Graph API