Azure AD multitenant applications registration with client credentials flow
Let's assume I have a service in tenant A which should consume an API from a service registered in tenant B. As per Microsoft guides, I should:
- register serviceA in tenant A
- register serviceB in tenant B
- expose API of serviceB
- create a couple of appRoles in serviceB
- register serviceB in tenantA by executing the following GET request: https://login.microsoftonline.com/{tenantA-id}/v2.0/adminconsent?client_id={serviceB-id}&scope={serviceA-id}/.default
- serviceB should appear in the Enterprise Applications blade, which is OK.
- add permissions from serviceB to serviceA
In this schema I see two weird things. The first one is the token obtaining process. Since the serviceA app is not registered in tenantB, serviceA cannot obtain roles in a token in tenantB's directory.
Also, I don't see any tenantB admin consent in this flow. The problem is that tenantA's admin could add serviceB appRoles to his app without tenantA admin acceptance, which is weird in my opinion.
The only way to obtain a token for serviceA in tenantB with roles is to add serviceA in tenantB. So both apps should be in the Enterprise Applications blade of both tenants. Or did I take a wrong turn somewhere?
Solution 1:[1]
You need to:
- Create/add a servicePrincipal for serviceA in tenantB in order to assign it appRoles in serviceB.
- Consent serviceA with scope serviceB/.default in tenantA
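The question's registration steps and the answer's two fixes, written out as code. This is an added example, not code from the Stack Overflow post or from Microsoft: it builds the admin-consent URL serviceA needs in tenantB, the client credentials request serviceA sends to tenantB's token endpoint, and the check serviceB's API should run on the resulting app-only token (issuing tenant, audience, and `roles` claim). All tenant and app IDs, the secret, the appRole name `Orders.Read`, and the sample tokens are constructed placeholders; the tokens are unsigned and the decoder deliberately skips signature verification, which a real API must not do.

```python
"""Cross-tenant client credentials setup, as an added illustration of the
Q&A above. All identifiers below are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder tenant and application (client) IDs.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
SERVICE_A_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
SERVICE_B_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
AUTHORITY = "https://login.microsoftonline.com"


def admin_consent_url(consenting_tenant: str, client_id: str, resource_id: str) -> str:
    """URL an admin of `consenting_tenant` opens so that a service principal
    for `client_id` is created there and consented to `resource_id`/.default.
    Per the answer, serviceA must be consented in tenantB this way, otherwise
    there is no serviceA principal in tenantB to assign serviceB's appRoles to."""
    query = urlencode({"client_id": client_id, "scope": f"{resource_id}/.default"})
    return f"{AUTHORITY}/{consenting_tenant}/v2.0/adminconsent?{query}"


def client_credentials_request(issuing_tenant: str, client_id: str,
                               client_secret: str, resource_id: str):
    """Token endpoint and form body for the client credentials grant.
    serviceA asks tenantB (the API's tenant), not its home tenant, because the
    appRoles are assigned to serviceA's service principal in tenantB."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource_id}/.default",
    }
    return f"{AUTHORITY}/{issuing_tenant}/oauth2/v2.0/token", body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT checking the signature.
    For inspection only: a real API validates the signature against the
    issuing tenant's published keys before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def authorize_app_token(claims: dict, required_role: str,
                        api_tenant: str, api_app_id: str) -> bool:
    """What serviceB's API should enforce on an app-only token (assumed checks):
    the token was issued by the API's own tenant (tid), it is addressed to
    serviceB (aud, either the app ID or its api:// URI), and the caller holds
    the required appRole. The tid check is what stops a token minted by some
    other tenant, where that tenant's admin assigned the role, from being accepted."""
    if claims.get("tid") != api_tenant:
        return False
    if claims.get("aud") not in (api_app_id, f"api://{api_app_id}"):
        return False
    return required_role in claims.get("roles", [])


def _make_unsigned_jwt(payload: dict) -> str:
    """Constructed sample token (alg none, empty signature) for the demo."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


# Constructed tokens for the two cases discussed in the question.
# Issued by tenantB after serviceA's principal there was given the role:
GOOD_TOKEN = _make_unsigned_jwt(
    {"tid": TENANT_B, "aud": SERVICE_B_ID, "appid": SERVICE_A_ID, "roles": ["Orders.Read"]})
# Issued by tenantA, carrying a role tenantA's admin assigned locally:
WRONG_TENANT_TOKEN = _make_unsigned_jwt(
    {"tid": TENANT_A, "aud": SERVICE_B_ID, "appid": SERVICE_A_ID, "roles": ["Orders.Read"]})


if __name__ == "__main__":
    print(admin_consent_url(TENANT_B, SERVICE_A_ID, SERVICE_B_ID))
    print(client_credentials_request(TENANT_B, SERVICE_A_ID, "<client-secret>", SERVICE_B_ID))
    for token in (GOOD_TOKEN, WRONG_TENANT_TOKEN):
        claims = decode_claims(token)
        print(claims["tid"], authorize_app_token(claims, "Orders.Read", TENANT_B, SERVICE_B_ID))
```

The order of operations matches the answer: open `admin_consent_url(TENANT_B, SERVICE_A_ID, SERVICE_B_ID)` as a tenantB admin, assign serviceB's appRole to serviceA's new principal in tenantB, then have serviceA request its token from tenantB's endpoint. Whether serviceB's API should accept tokens from tenants other than tenantB is a policy decision; the `tid` check above is the strict single-tenant choice.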
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | AlfredoRevilla-MSFT |