Micke-K / IntuneManagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
MIT License

Support for interactive signed in as service principal #122

Open mariussm opened 1 year ago

mariussm commented 1 year ago

As far as I can tell, it is not currently working to sign in as a service principal / application in interactive mode. Any reason for this, as it is supported for silent mode?

I would really like to avoid maintaining a gazillion user accounts in customer tenants. :)

Micke-K commented 1 year ago

Hello!

I actually think I tested that at some point but removed it due to security concerns.

Can they add you as a guest? Then you just enable "Get Tenant List" in Settings and then swap between the tenants you have access to. That would be the recommended way.

Cheers!

mariussm commented 1 year ago

As a managed service provider, we have very good control over service principals and key rollover, so we have no concerns at all with it. Being added as a guest quickly becomes unmanageable when having many customers, especially for automated onboarding of customers and the joiner/leaver process for our operators. Using a multi tenant app we can simply tell the customer "consent to this", and we are done - while with guests we need full life cycle management, which quickly becomes hopeless.

Micke-K commented 1 year ago

Hello!

So if I understand this correctly, you want to create a Multi Tenant App. Customers then approve the app. And then? How do you get access to customer data without them creating a service principal with a secret/certificate? I haven't worked with this more than the multi tenant PowerShell app, but it's only used as the sign-in app with tenant id and user credentials, or a tenant specific Azure App with secret/certificate in a batch job scenario.

I've been super busy the last months so I haven't had much time to spend on the project. I have a few other things I need to add first before I can have a look at this.

Cheers!

mariussm commented 1 year ago

The multi tenant app registration has the secret/certificate and is what is used to sign into the customer tenant after being consented to. That's how multi tenant app registrations work (when using client credentials). The whole point of a multi tenant app is that the app secret/cert is managed on the side where the app registration is, while it will be a service principal in every tenant it is consented into. That means a single multi tenant app, and a single clientid/secret, can be used to access 100 tenants. The service principal in each tenant will have the same "clientid", but a different objectid.

Micke-K commented 1 year ago

So that should be no problem then. Does the app in the original tenant know which tenants it has been approved in? Because the app needs to know which tenants it can swap between.

So the batch job already supports this scenario?

Cheers!

mariussm commented 1 year ago

No, the app does not know that unfortunately. Without deep testing I believe so, yes, because one needs to provide the tenantid when running. I have not tested it too well here yet. :)
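The flow described in the two comments above (one multi tenant app registration, one clientid/secret, a service principal with its own objectid in each consented tenant, and the tenant id supplied by the caller because the app cannot discover where it has been consented), as an added PowerShell example that is not part of the IntuneManagement project. It assumes the app has already been consented in each listed tenant with an application permission that allows reading service principals (for example Application.Read.All); all GUIDs below are constructed placeholders and the secret is read from an environment variable.

```powershell
# Added example, not project code: sign in to several customer tenants with ONE
# multi-tenant app registration using the client credentials flow.
# Placeholder values are constructed; replace them with your own.

$ClientId     = '00000000-0000-0000-0000-000000000000'   # app (client) id: identical in every tenant
$ClientSecret = $env:MSP_APP_SECRET                      # secret is kept only where the registration lives
$TenantIds    = @('11111111-1111-1111-1111-111111111111', # list maintained by the MSP; the app itself
                  '22222222-2222-2222-2222-222222222222') # has no record of which tenants consented

function Get-ClientCredentialToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # The v2.0 token endpoint is tenant-specific: the tenant id in the URL decides
    # which service principal (and which consent) the token is issued against.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'   # use permissions consented in that tenant
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Get-ServicePrincipalForApp {
    param([string]$AccessToken, [string]$ClientId)
    # The service principal in each tenant shares appId with the registration
    # but has its own object id; the backtick keeps PowerShell from expanding $filter/$select.
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$ClientId'&`$select=id,appId,displayName"
    $r = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    return $r.value | Select-Object -First 1
}

foreach ($tid in $TenantIds) {
    try {
        $token = Get-ClientCredentialToken -TenantId $tid -ClientId $ClientId -ClientSecret $ClientSecret
        $sp    = Get-ServicePrincipalForApp -AccessToken $token -ClientId $ClientId
        # Same AppId on every row, different ServicePrincipalObjectId per tenant
        [pscustomobject]@{
            TenantId                 = $tid
            AppId                    = $sp.appId
            ServicePrincipalObjectId = $sp.id
        }
    } catch {
        # A token failure here usually means the app has not been consented in this tenant yet
        Write-Warning "Tenant $tid : $($_.Exception.Message)"
    }
}
```

Because the tenant list is the only thing telling the tool where the app is valid, keeping it in a managed inventory (and removing entries when a customer offboards) is what makes the "swap between tenants" scenario workable.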

Micke-K commented 1 year ago

Hello! Sorry for the very long delay, but I included this in 3.9.2. At least partially. It now supports login with app, but I'm not sure how to swap between tenants in a good way.

Please let me know if you test or have any ideas how you would like it to work.

Cheers!