Grant service principal access to application in other tenant

I have an Azure AD service principal in one tenant (OneTenant) that I would like to give access to an application in another tenant (OtherTenant).

The service principal in tenant OneTenant is a managed service identity for an Azure Logic App. So what I actually want is to call an API from my Logic App. This API is protected by an Azure AD application in OtherTenant.

The application in OtherTenant defines a number of roles and the service principal in OneTenant should have one of these roles so it can call the API.

I tried the following:

  • set the app in OtherTenant to multi-tenant
  • ran the following PS command to attempt to add the SP to a role in the app:

    New-AzureADServiceAppRoleAssignment `
      -ObjectId <object-id-of-sp-in-one-tenant> `
      -Id <role-id> `
      -PrincipalId <object-id-of-sp-in-one-tenant> `
      -ResourceId <app-id-in-other-tenant>

    (both logged in in OneTenant and OtherTenant)

    This gives an error stating that either app-id-in-other-tenant or object-id-of-sp-in-one-tenant cannot be found, depending on where I am signed in.

I also tried creating a Service Principal in OneTenant based on the app-id from OtherTenant. In that case I get an error message: Authenticating principal does not have permission to instantiate multi-tenant applications and there is not matching Application in the request tenant.

Ronald Wildenberg asked Dec 23 '22 03:12
2 Answers

Ok, I finally got around to testing if the solution presented by Rohit Saigal works. It does point in the right direction but is not complete.

First step is to create a service principal in OneTenant that represents the application in OtherTenant. So while signed in to OneTenant, run the following script:

$spInOneTenant = New-AzureADServicePrincipal -AppId <app-id-in-other-tenant>

Next step is to run the New-AzureADServiceAppRoleAssignment cmdlet with the following parameters:

New-AzureADServiceAppRoleAssignment `
    -Id <role-id> `
    -ObjectId <object-id-of-sp-in-one-tenant> `
    -PrincipalId <object-id-of-sp-in-one-tenant> `
    -ResourceId $spInOneTenant.ObjectId

The trick is to use the object id of the service principal you created in the previous step as the ResourceId.

Ronald Wildenberg answered Jun 04 '23 22:06
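The two steps above as one rerunnable script, added here as an example and not code from the answers. The tenant id, app id, managed identity object id and role value are placeholders you replace; the Get-AzureADServicePrincipal, AppRoles and Get-AzureADServiceAppRoleAssignment lookups are extra checks that resolve the role id from its value, confirm the role is assignable to an application, and read the grant back afterwards.

```powershell
# Added example (not from the original answers). All values below are placeholders:
# replace them with the ids from your own tenants.
$oneTenantId         = '<one-tenant-id>'                  # Tenant that hosts the Logic App and its managed identity
$otherTenantAppId    = '<app-id-in-other-tenant>'         # Application (client) ID of the API app registered in OtherTenant
$logicAppMsiObjectId = '<object-id-of-sp-in-one-tenant>'  # Object ID of the Logic App's managed identity in OneTenant
$roleValue           = '<role-value>'                     # The "Value" of the app role defined on the API, e.g. Orders.Read

# Sign in to OneTenant: the local service principal and the assignment both live there.
Connect-AzureAD -TenantId $oneTenantId | Out-Null

# Step 1: find or create the service principal that represents the OtherTenant app in OneTenant.
# Looking it up first keeps the script rerunnable; New-AzureADServicePrincipal fails if one already exists.
$spInOneTenant = Get-AzureADServicePrincipal -Filter "appId eq '$otherTenantAppId'"
if (-not $spInOneTenant) {
    $spInOneTenant = New-AzureADServicePrincipal -AppId $otherTenantAppId
}

# Step 2: resolve the role id from the role's value instead of hard-coding a GUID, and make sure
# the role can be granted to an application identity at all (not only to users or groups).
$role = $spInOneTenant.AppRoles | Where-Object { $_.Value -eq $roleValue -and $_.IsEnabled }
if (-not $role) { throw "Role '$roleValue' not found on service principal $($spInOneTenant.ObjectId)" }
if ($role.AllowedMemberTypes -notcontains 'Application') {
    throw "Role '$roleValue' does not allow application members, so it cannot be assigned to a managed identity"
}

# Step 3: skip the grant if the managed identity already holds exactly this role.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $spInOneTenant.ObjectId |
    Where-Object { $_.PrincipalId -eq $logicAppMsiObjectId -and $_.Id -eq $role.Id }
if ($existing) {
    Write-Output "Assignment already present: $($existing.ObjectId)"
    return
}

# Step 4: the assignment. ResourceId is the ObjectId of the local service principal from step 1,
# not the app id from OtherTenant (passing the app id is what produced the 'not found' errors).
New-AzureADServiceAppRoleAssignment `
    -ObjectId    $logicAppMsiObjectId `
    -PrincipalId $logicAppMsiObjectId `
    -Id          $role.Id `
    -ResourceId  $spInOneTenant.ObjectId | Out-Null

# Step 5: read the grant back from the resource side so it is confirmed, and so you can see
# that the identity holds only the role you intended and nothing more.
Get-AzureADServiceAppRoleAssignment -ObjectId $spInOneTenant.ObjectId |
    Where-Object { $_.PrincipalId -eq $logicAppMsiObjectId } |
    Select-Object PrincipalDisplayName, ResourceDisplayName, Id, ObjectId
```

The same step 5 query, run on a schedule against every service principal that represents a foreign app, is a cheap way to audit which managed identities hold cross-tenant roles.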

Taking the command as is from your question:

New-AzureADServiceAppRoleAssignment `
  -ObjectId <object-id-of-sp-in-one-tenant> `
  -Id <role-id> `
  -PrincipalId <object-id-of-sp-in-one-tenant> `
  -ResourceId <app-id-in-other-tenant>

Try changing the last parameter value, i.e. ResourceId.

Currently you're passing <app-id-in-other-tenant>

Replace that with <object-id-of-API-in-other-tenant>

Rohit Saigal answered Jun 04 '23 22:06