This guide provides a step-by-step tutorial on configuring cross-tenant access between two existing Azure Active Directory (Azure AD) applications. Specifically, it details how a user from Tenant 1 can access an application hosted by Tenant 2 using the OpenID Connect (OIDC) protocol.
- Administrative Access: Ensure you have administrative privileges in both Tenant 1 and Tenant 2.
- Existing Azure AD Applications: Both tenants should have their applications registered in Azure AD.
- Familiarity with Azure Portal: Basic understanding of navigating and configuring settings within the Azure portal.
The configuration involves two primary flows:
- Administrative Trust Configuration: Administrators from both tenants establish a mutual trust relationship to allow cross-tenant access.
- User Authentication via OpenID Connect: Once trust is established, users from Tenant 1 can authenticate and access the application in Tenant 2.
```mermaid
sequenceDiagram
    %% Flow 1: Administrative Trust Configuration
    participant Tenant2Admin as Tenant 2 Administrator
    participant Tenant1Admin as Tenant 1 Administrator
    participant App2 as Application (Tenant 2)
    participant App1 as Application (Tenant 1)
    Tenant2Admin->>Tenant1Admin: Request to Establish Trust
    Tenant1Admin->>App1: Configure Outbound Access to Tenant 2
    Tenant2Admin->>App2: Configure Inbound Access for Tenant 1
    App1->>App2: Establish Trust Relationship
    %% Flow 2: User Authentication via OpenID Connect
    participant User
    participant Browser
    User->>Browser: Navigate to Application URL
    Browser->>App2: Request Access
    App2->>App2: Determine User's Home Tenant
    App2->>App2: User Belongs to Tenant 1
    App2->>Browser: Redirect to Tenant 1 Application for Authentication
    Browser->>App1: Authentication Request
    App1->>Browser: Present Login Page
    Browser->>User: Display Login Page
    User->>Browser: Submit Credentials
    Browser->>App1: Forward Credentials
    App1->>App1: Authenticate User
    App1->>Browser: Issue Authorization Code
    Browser->>App2: Redirect with Authorization Code
    App2->>App1: Exchange Code for Tokens
    App1->>App2: Issue ID Token and Access Token
    App2->>App2: Validate Tokens
    App2->>Browser: Grant Access to Application
    Browser->>User: Display Application Content
```
This guide outlines the steps to configure cross-tenant access between two existing Azure Active Directory (Azure AD) tenants, enabling users from Tenant 1 to access applications in Tenant 2.
- Azure AD Premium P1 or P2 Licenses: Required for configuring cross-tenant access settings.
a. Access Cross-Tenant Access Settings in Tenant 2
- Sign in to the Microsoft Entra admin center as a Security Administrator.
- Navigate to Identity > External Identities > Cross-tenant access settings.
b. Add Tenant 1 as an External Organization
- Under Organizational settings, select Add organization.
- Enter Tenant 1's domain name or tenant ID and select Add.
c. Configure Inbound Access Settings
- With Tenant 1 selected, go to the Inbound access tab.
- Set the access status to Allow access.
- Specify which users, groups, or applications from Tenant 1 can access resources in Tenant 2.
- Under Trust settings, choose whether to trust multifactor authentication (MFA) and device claims from Tenant 1.
d. Save the Configuration
- Click Save to apply the inbound access settings for Tenant 1.
a. Access Cross-Tenant Access Settings in Tenant 1
- Sign in to the Microsoft Entra admin center as a Security Administrator.
- Navigate to Identity > External Identities > Cross-tenant access settings.
b. Add Tenant 2 as an External Organization
- Under Organizational settings, select Add organization.
- Enter Tenant 2's domain name or tenant ID and select Add.
c. Configure Outbound Access Settings
- With Tenant 2 selected, go to the Outbound access tab.
- Set the access status to Allow access.
- Specify which users, groups, or applications from Tenant 1 can access resources in Tenant 2.
- Under Trust settings, configure any necessary settings related to MFA and device compliance.
d. Save the Configuration
- Click Save to apply the outbound access settings for Tenant 2.
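The portal steps above for Tenant 2 (inbound settings for Tenant 1) and Tenant 1 (outbound settings for Tenant 2) write the same kind of object that the Microsoft Graph endpoint `POST /policies/crossTenantAccessPolicy/partners` accepts. The following Python is an added example, not part of the original guide: it builds both partner settings in that Graph schema, runs a small least-privilege review over them (flagging `AllUsers` / `AllApplications` and noting where Tenant 2 delegates MFA enforcement to Tenant 1 through trust settings), and shows the request that would submit them. The tenant IDs, group IDs and application IDs are constructed placeholders; submitting for real requires a bearer token with the `Policy.ReadWrite.CrossTenantAccess` permission, which this script does not obtain.

```python
import json
import urllib.request

# Graph endpoint for organizational (partner) cross-tenant access settings.
GRAPH_PARTNERS_URL = (
    "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"
)


def _targets(ids, id_type, all_token, all_type):
    """Graph target configuration: explicit object IDs, or the catch-all
    sentinel ('AllUsers' / 'AllApplications') when no IDs are given."""
    if ids:
        targets = [{"target": i, "targetType": id_type} for i in ids]
    else:
        targets = [{"target": all_token, "targetType": all_type}]
    return {"accessType": "allowed", "targets": targets}


def build_inbound_partner(partner_tenant_id, group_ids=(), app_ids=(),
                          trust_mfa=False, trust_compliant_device=False):
    """Setting written in Tenant 2 for partner Tenant 1 (steps 1 b-d): which
    groups may come in, to which applications (by application ID), and which
    of Tenant 1's MFA and device claims Tenant 2 will trust."""
    return {
        "tenantId": partner_tenant_id,
        "b2bCollaborationInbound": {
            "usersAndGroups": _targets(group_ids, "group", "AllUsers", "user"),
            "applications": _targets(app_ids, "application", "AllApplications", "application"),
        },
        "inboundTrust": {
            "isMfaAccepted": trust_mfa,
            "isCompliantDeviceAccepted": trust_compliant_device,
            "isHybridAzureADJoinedDeviceAccepted": False,
        },
    }


def build_outbound_partner(partner_tenant_id, group_ids=(), app_ids=()):
    """Setting written in Tenant 1 for partner Tenant 2 (steps 2 b-d): which of
    Tenant 1's groups may go out, and to which of Tenant 2's applications."""
    return {
        "tenantId": partner_tenant_id,
        "b2bCollaborationOutbound": {
            "usersAndGroups": _targets(group_ids, "group", "AllUsers", "user"),
            "applications": _targets(app_ids, "application", "AllApplications", "application"),
        },
    }


def review_partner(setting):
    """Least-privilege review: list every place the setting is broader than
    the explicit users/groups and applications the steps above call for, and
    note where Tenant 2 delegates MFA enforcement to the partner tenant."""
    findings = []
    for direction in ("b2bCollaborationInbound", "b2bCollaborationOutbound"):
        cfg = setting.get(direction)
        if not cfg:
            continue
        for scope, all_token in (("usersAndGroups", "AllUsers"),
                                 ("applications", "AllApplications")):
            tc = cfg[scope]
            if tc["accessType"] == "allowed" and any(
                    t["target"] == all_token for t in tc["targets"]):
                findings.append(f"{direction}.{scope} allows {all_token}; restrict to explicit IDs")
    if setting.get("inboundTrust", {}).get("isMfaAccepted"):
        findings.append("inboundTrust.isMfaAccepted: MFA is enforced by the partner tenant, not here")
    return findings


def submit_partner(setting, access_token):
    """POST the setting to Graph (needs Policy.ReadWrite.CrossTenantAccess);
    not executed in this example."""
    req = urllib.request.Request(
        GRAPH_PARTNERS_URL,
        data=json.dumps(setting).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    TENANT_1 = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
    TENANT_2 = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
    inbound = build_inbound_partner(TENANT_1, group_ids=["<group-object-id>"],
                                    app_ids=["<app2-application-id>"], trust_mfa=True)
    outbound = build_outbound_partner(TENANT_2, group_ids=["<group-object-id>"],
                                      app_ids=["<app2-application-id>"])
    print(json.dumps(inbound, indent=2))
    print("findings:", review_partner(inbound) + review_partner(build_inbound_partner(TENANT_1)))
```

Run `review_partner` on the settings before calling `submit_partner`: the default (no IDs) form reproduces the portal's "All users" / "All applications" choice, and the review makes that breadth visible so it is a deliberate decision rather than an accident.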
a. Convert Applications to Multitenant (if necessary)
- For each application in both tenants, navigate to Azure Active Directory > App registrations > Your Application > Authentication.
- Under Supported account types, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Save the changes.
b. Update Redirect URIs
- Ensure that the redirect URIs registered on both applications exactly match the URLs to which authentication responses are returned; the identity platform only sends responses to URIs that are registered.
- These are the URLs where authorization codes or tokens are delivered after a user signs in, so they should use HTTPS except for local development.
a. User Initiates Access
- A user from Tenant 1 navigates to the application URL hosted by Tenant 2.
b. Authentication Flow
- The application in Tenant 2 identifies the user's home tenant and redirects the user to Tenant 1 for authentication.
- Upon successful authentication, the user is redirected back to the application in Tenant 2 with the necessary tokens.
c. Access Granted
- The application in Tenant 2 validates the tokens and grants the user access to the requested resources.
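Step c is where a multitenant application most often goes wrong: after the signature check, a token from any Azure AD tenant carries a valid issuer of the form `https://login.microsoftonline.com/{tid}/v2.0`, so the application in Tenant 2 must additionally check that `tid` is one of the tenants it configured cross-tenant access for. The Python below is an added example, not code from the original guide. It assumes the application's OIDC library has already verified the RS256 signature against the issuing tenant's JWKS (not shown), that the application keeps an allow-list of partner tenant IDs, and it uses constructed tokens with a placeholder signature segment rather than real Entra tokens. A deliberately weak check is included beside the hardened one to show what the tenant allow-list prevents.

```python
import base64
import json
import time

# Issuer format for Microsoft identity platform v2.0 tokens; {tid} is the
# user's home tenant, so a multitenant app must check the tenant explicitly.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(token: str) -> dict:
    """Split a compact JWT and return its payload claims.

    Assumption: the caller's OIDC library has already verified the signature
    against the issuing tenant's JWKS; this function does not."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, client_id, allowed_tenants, expected_nonce, now=None, skew=300):
    """Hardened check for a multitenant app: the token must come from a tenant
    the app has configured cross-tenant access for, with a matching issuer."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} is not in the allow-list"
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return False, "issuer does not match the token's tenant"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience is not this application"
    if claims.get("exp", 0) + skew < now:
        return False, "token has expired"
    if claims.get("nbf", 0) - skew > now:
        return False, "token is not yet valid"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replayed response)"
    return True, "ok"


def validate_claims_weak(claims, client_id, now=None, skew=300):
    """Weak check shown for contrast: audience and lifetime only. Any tenant's
    issuer is accepted, so a token for a user from an unrelated tenant passes."""
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        return False, "audience is not this application"
    if claims.get("exp", 0) + skew < now:
        return False, "token has expired"
    return True, "ok"


def sample_claims(tid, client_id, nonce, now):
    """Constructed ID token claims in the shape Entra issues (not a real token)."""
    return {
        "iss": ISSUER_TEMPLATE.format(tid=tid),
        "aud": client_id,
        "tid": tid,
        "sub": "constructed-subject",
        "iat": now,
        "nbf": now - 60,
        "exp": now + 3600,
        "nonce": nonce,
    }


def make_sample_token(claims):
    """Serialize claims as a compact JWT with a placeholder signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


if __name__ == "__main__":
    NOW = int(time.time())
    APP2_CLIENT_ID = "<app2-client-id>"      # constructed placeholder
    ALLOWED_TENANTS = {"<tenant-1-id>"}      # tenants configured in steps 1 and 2
    home = make_sample_token(sample_claims("<tenant-1-id>", APP2_CLIENT_ID, "n1", NOW))
    foreign = make_sample_token(sample_claims("<tenant-9-id>", APP2_CLIENT_ID, "n1", NOW))
    for name, tok in (("home", home), ("foreign", foreign)):
        c = decode_claims(tok)
        print(name, "hardened:", validate_claims(c, APP2_CLIENT_ID, ALLOWED_TENANTS, "n1", NOW),
              "weak:", validate_claims_weak(c, APP2_CLIENT_ID, NOW))
```

The `nonce` comparison ties the ID token to the authentication request the application itself started, and the `iss`/`tid` pairing rejects tokens whose issuer claim does not belong to the tenant named in the token; together with the allow-list they are the checks that make step c more than a signature check.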
- Cross-tenant access overview - Microsoft Entra External ID
- OpenID Connect on the Microsoft identity platform
- Convert single-tenant app to multitenant on Microsoft Entra ID
By following these steps, you should be able to establish cross-tenant access between your Azure AD tenants, enabling seamless collaboration and resource sharing.