mrochon / b2csamples

MIT License
132 stars 41 forks

Root tenant selected in multi-tenant user profiles #5

Closed allfro closed 2 years ago

allfro commented 4 years ago

The script should ask for the Tenant ID of the tenant where resources are being created instead of defaulting to the root tenant. Say for example users belong to multiple tenants in azure and they want to select the one that is not their home directory.

mrochon commented 4 years ago

I am not clear on what you mean. One AAD tenant controls a subscription in which the web app service (plan) is created. It may or may not also own the B2C tenant as a resource. A user in that AAD tenant (member or guest) with the ability to create such resources needs to sign in at the Connect-AzAccount prompt. Connect-AzureAD and the Msal-GetAccess token require a sign-in with a user who can create apps, IEF and keys in the B2C tenant. I generally use one user, usually a member of the AAD owning the subscription, which is then invited to the B2C tenant and given admin privileges. Note that I have now added a Get-Credential command which assumes that the user signing in to AAD and to B2C is the same user. Remove it and the references to $creds if you want to sign in to each resource separately.

allfro commented 4 years ago

Assume you have a user who has access to the following Tenants as Global Admin:

- ACME Prod
- ACME Lab
- ACME Lab (B2C)

If I want to target deployment for the ACME Lab tenant, your script doesn't account for that because it will fall back to 'ACME Prod' without the `-TenantId` parameter in the Connect-AzAccount command. By adding the `-TenantId` parameter everything works as intended.

mrochon commented 4 years ago

Ah, got it. The issue is that my Connect-AzAccount assumes you want to deploy to the default subscription associated with the sign-in account. I think even if I add the tenantId, it will still deploy to the default subscription attached to that tenant, while you may have more. Gets complicated. Will need to have a look. Thanks for raising this.
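As an added example (not the repository's own script), one way to pin the Az session to an explicit tenant and then to a specific subscription inside it, which addresses both the tenant fallback allfro describes and the default-subscription point raised above. `$TenantId` and `$SubscriptionName` are assumed inputs supplied by the operator.

```powershell
# Added example, not part of the b2csamples repository.
# Pins the Az context to a named tenant and subscription before any resources are created.
function Connect-TargetAzContext {
    param(
        [Parameter(Mandatory)] [string] $TenantId,         # AAD tenant that owns the target subscription (assumed input)
        [Parameter(Mandatory)] [string] $SubscriptionName  # subscription in that tenant for the app service (assumed input)
    )

    # Without -TenantId, Connect-AzAccount signs in to the account's home tenant
    # (the 'ACME Prod' fallback described in the thread).
    Connect-AzAccount -TenantId $TenantId | Out-Null

    # A tenant can expose several subscriptions to one identity; pick the intended one
    # explicitly instead of accepting whichever one becomes the default context.
    $subs   = Get-AzSubscription -TenantId $TenantId
    $target = $subs | Where-Object { $_.Name -eq $SubscriptionName }
    if (-not $target) {
        $visible = ($subs | ForEach-Object { $_.Name }) -join ', '
        throw "Subscription '$SubscriptionName' not found in tenant $TenantId. Visible: $visible"
    }
    Set-AzContext -Tenant $TenantId -Subscription $target.Id | Out-Null

    # Verify the resulting context before deploying anything.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId -or $ctx.Subscription.Id -ne $target.Id) {
        throw "Az context is not pinned to the requested tenant/subscription"
    }
    Write-Host "Deploying into tenant $($ctx.Tenant.Id), subscription '$($ctx.Subscription.Name)'"
    return $ctx
}

# Usage (placeholder values):
# Connect-TargetAzContext -TenantId '<acme-lab-tenant-id>' -SubscriptionName 'ACME Lab'
```

The same `-TenantId` should also be passed to `Connect-AzureAD` so that the B2C-side calls target the intended directory rather than the home tenant.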