
Azure Active Directory Invitation Manager, register user in another tenant

What I am trying to do is to automate the process of adding a new user to an Azure Active Directory of a tenant (the tenant is supplied as a parameter).

For this, I understood that I must use Azure AD B2B collaboration. The official sample for automating this process is provided by Microsoft at this link:

https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web

So, using the Invitation API (which is available here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/invitation_post ), I programmatically send an invitation mail to an email address that I want to register.

The problem is that the user who will be registered with that email will be registered within the tenant in which the application was configured.

For example, I am using the tenant named X to configure my application in the Azure Active Directory Portal. What I see is that I can only invite emails to register within my tenant named X.

What if I want to register an email within another tenant, a tenant which I know beforehand?

Can the Invitation API specify in which tenant I want to register an email, without having the application registered in that tenant?

Because if I can't, I would have to register the application in all the tenants, and then apply logic in the code to link the Client ID and Client Secret to the correct tenant.

If I have understood your question correctly, you need a multi-tenant app.

When you get an access token for Microsoft Graph API, it will always target a specific tenant.

In order to get an access token which targets another tenant, you must:

  1. Make your app multi-tenant: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
  2. An admin from the other tenant must sign up, which asks them for consent to the permissions your app requires
    • This usually means a redirect to the login page with prompt=admin_consent in the query
  3. After they consent, a service principal will be created in their tenant, and they are redirected back to your app as usual
  4. Now you can get an access token targeting their tenant and use it to call Graph API
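The four steps above, carried through to the Invitation API call from the question, as an added example that is not code from the question, the answer, or Microsoft's b2bportal sample. It assumes the app is already registered as multi-tenant, that the admin of the target tenant grants consent to the application permission `User.Invite.All` (any Graph application permission that covers invitations would do), and that the tenant, client id, redirect URLs and e-mail address are placeholders. The consent URL follows the answer's form (v1 authorize endpoint with `prompt=admin_consent`); the token is then requested with the client-credentials grant against the target tenant's own v2.0 token endpoint, never `/common`, which is what makes the same client id and secret usable in every consented tenant without a per-tenant registration. Because the tenant is a caller-supplied parameter, it is validated before it is placed in a URL path. The HTTP transport is injectable so the flow can be exercised offline.

```python
"""Invite a guest into a caller-specified tenant with one multi-tenant app.

Added example (not code from the question, the answer, or Microsoft's
b2bportal sample). Assumptions: the app is registered as multi-tenant, an
admin of the target tenant has consented to the application permission
User.Invite.All, and every tenant, client id, URL and address below is a
placeholder.
"""
import json
import os
import re
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"

# The tenant is caller-supplied, so validate it before it goes into a URL path.
# A tenant is a GUID or a verified domain such as contoso.onmicrosoft.com; the
# multi-tenant aliases would not yield a token scoped to a known tenant.
_TENANT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
_ALIASES = {"common", "organizations", "consumers"}


def validate_tenant(tenant: str) -> str:
    if tenant.lower() in _ALIASES or not _TENANT_RE.match(tenant):
        raise ValueError(f"not a tenant id or verified domain: {tenant!r}")
    return tenant


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """Step 2 of the answer: the URL an admin of the other tenant visits once.

    v1 authorize endpoint with prompt=admin_consent, as the answer describes.
    After consent a service principal for the app exists in their tenant.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "prompt": "admin_consent",
    }
    return f"{AUTHORITY}/{validate_tenant(tenant)}/oauth2/authorize?" + urllib.parse.urlencode(params)


def token_request(tenant: str, client_id: str, client_secret: str):
    """Step 4: client-credentials request against the target tenant's endpoint."""
    url = f"{AUTHORITY}/{validate_tenant(tenant)}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",  # all app permissions consented in that tenant
    }
    return url, urllib.parse.urlencode(form).encode()


def invitation_request(email: str, invite_redirect_url: str, send_message: bool = True):
    """Body for POST /v1.0/invitations (the Invitation API from the question)."""
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": invite_redirect_url,
        "sendInvitationMessage": send_message,
    }
    return f"{GRAPH}/v1.0/invitations", json.dumps(body).encode()


def _urllib_post(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def invite_guest(tenant, client_id, client_secret, email, invite_redirect_url, post=_urllib_post):
    """Get a token for `tenant`, then create the invitation there.

    `post(url, body_bytes, headers) -> dict` is injectable so the flow can be
    driven offline with a fake transport.
    """
    tok_url, tok_body = token_request(tenant, client_id, client_secret)
    token = post(tok_url, tok_body, {"Content-Type": "application/x-www-form-urlencoded"})
    inv_url, inv_body = invitation_request(email, invite_redirect_url)
    headers = {
        "Authorization": f"Bearer {token['access_token']}",
        "Content-Type": "application/json",
    }
    return post(inv_url, inv_body, headers)


if __name__ == "__main__":
    # Real run: credentials from the environment (placeholders; never hard-code the secret).
    print(admin_consent_url(os.environ["TENANT"], os.environ["CLIENT_ID"], os.environ["REDIRECT_URI"]))
    result = invite_guest(os.environ["TENANT"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
                          os.environ["INVITEE"], os.environ["INVITE_REDIRECT_URL"])
    print(result.get("status"), result.get("inviteRedeemUrl"))
```

The token request fails with an authorization error until the admin-consent step has been completed in that tenant, so a production version should surface that error as "tenant not yet onboarded" rather than retrying. The `Authorization` header carries the token for the target tenant, and the resulting guest object is created in that tenant's directory, not in the one where the app was registered.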
