Single Tenant to Multi Tenant migration. How to access multi-tenant data in Azure?


Problem description

I have a client app (daemon service) which checks if a user exists in a single-tenant mailbox.
I use the client_credentials auth mechanism (certificate) to speak to the registered app in Azure.
Graph permission to access user details is also given in Azure by the admin during app registration via the grant permission button, so there is no user intervention for consent.


token_url = 'https://login.microsoftonline.com/{tenant_id}/oauth2/token'
post_request_data = {
    'resource': 'https://graph.microsoft.com/',
    'client_id': client_id,
    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion': assertion(),
    'grant_type': 'client_credentials'
}

The assertion value is the RSA-signed value of this header and payload:

client_assertion_header = {
    'alg': 'RS256',
    'x5t': thumbprint,
}
client_assertion_payload = {
    'sub': client_id,
    'iss': client_id,
    'jti': GUID,
    'exp': ten_mins_from_now,
    'nbf': now,
    'aud': token_url
}


For single tenant everything works perfectly, as I know the tenant id (I explicitly set the tenant id in the token url and use the obtained bearer token in the Graph API call)!
Now I need to convert this application to access users of multiple tenants (more than one tenant). A user can be in tenant A or tenant B.
With respect to my client app, I'll know only the user id (and not the tenant id when I make the token access call) in the multi-tenant case.

Things to keep in mind
1. I am admin of both tenants.
2. There is no user intervention; consent should be given in the Azure portal itself (cannot be done based on user sign-in).
3. I can use only the client credentials auth flow, as the client app runs as a daemon service.

I tried marking the application as multitenant and accessing a token for the /common endpoint. But the obtained token cannot be used for Graph API calls; it's throwing the error "The identity of the calling application could not be established".

I think this is because Graph would not know to which tenant it should route the call, so I think it's giving the error.

I am not sure if my application belongs to the multi-tenant category.
Can someone please help me on how to proceed? Anything I can do in the manifest file? As well as any sample implementation!
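The request shape described above, written out as an added example (this is not the poster's code, nor Microsoft's): it computes the x5t header from the DER certificate, assembles and signs the RS256 client assertion for the v1 token endpoint, and produces one request body per tenant. The client credentials grant is issued by a specific tenant, so the helper rejects /common and the other pseudo-tenants before anything is sent; the poster's situation (admin of both tenants, app consented in each) therefore maps to one request per tenant id. The function names (`token_url`, `build_assertion`, `token_request`, `requests_for_tenants`), the tenant ids, client id and certificate bytes are constructed placeholders, and the optional RSA signer assumes the third-party `cryptography` package is installed. The stand-in signer in the `__main__` block only exercises the assembly and is not RSA.

```python
"""Added example (not from the original post): client-credential token request with a
certificate-signed JWT assertion, one request per tenant.

Assumptions: v1 token endpoint as in the post; `cryptography` is installed if the
RSA signer is used; tenant ids, client id and certificate bytes are placeholders.
"""
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, Iterable, Optional, Tuple

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_RESOURCE = "https://graph.microsoft.com/"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Pseudo-tenants that never issue client-credential tokens: the grant is tenant-scoped,
# which is why a token requested via /common is not accepted by Graph.
NON_ISSUING_TENANTS = {"common", "organizations", "consumers"}

Signer = Callable[[bytes], bytes]


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments and the x5t header require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_from_der(cert_der: bytes) -> str:
    """x5t is the base64url SHA-1 of the DER certificate, not the hex thumbprint the portal shows."""
    return b64url(hashlib.sha1(cert_der).digest())


def token_url(tenant_id: str) -> str:
    """Tenant-specific v1 token endpoint; refuses /common and friends up front."""
    if tenant_id.lower() in NON_ISSUING_TENANTS:
        raise ValueError(f"client_credentials needs a real tenant id, not '{tenant_id}'")
    return f"{AUTHORITY}/{tenant_id}/oauth2/token"


def build_assertion(client_id: str, cert_der: bytes, sign: Signer, tenant_id: str,
                    now: Optional[int] = None, lifetime: int = 600) -> str:
    """Assemble and sign the JWT the post describes (sub/iss/jti/exp/nbf/aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_from_der(cert_der)}
    payload = {
        "sub": client_id,
        "iss": client_id,
        "jti": str(uuid.uuid4()),
        "nbf": now,
        "exp": now + lifetime,        # ten minutes by default, as in the post
        "aud": token_url(tenant_id),  # bound to the tenant that will issue the token
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request(client_id: str, cert_der: bytes, sign: Signer, tenant_id: str) -> Dict[str, str]:
    """Form body to POST to token_url(tenant_id). Call once per tenant the app is consented in."""
    return {
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": build_assertion(client_id, cert_der, sign, tenant_id),
        "grant_type": "client_credentials",
    }


def requests_for_tenants(client_id: str, cert_der: bytes, sign: Signer,
                         tenant_ids: Iterable[str]) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Map each tenant id to its own (url, body); the user's tenant is unknown up front."""
    return {t: (token_url(t), token_request(client_id, cert_der, sign, t)) for t in tenant_ids}


def rsa_sha256_signer(private_key_pem: bytes) -> Signer:
    """RS256 signer backed by the third-party `cryptography` package (assumed installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def decode_unverified(jwt: str) -> Tuple[dict, dict]:
    """Decode header and payload for inspection; does not verify the signature."""
    pad = lambda s: s + "=" * (-len(s) % 4)
    h, p, _ = jwt.split(".")
    return (json.loads(base64.urlsafe_b64decode(pad(h))),
            json.loads(base64.urlsafe_b64decode(pad(p))))


if __name__ == "__main__":
    # Constructed placeholders; a real run loads the PEM key and DER certificate from disk
    # and uses rsa_sha256_signer(pem) instead of this stand-in.
    fake_signer: Signer = lambda data: hashlib.sha256(data).digest()  # stand-in, not RSA
    for tenant, (url, body) in requests_for_tenants(
            "00000000-0000-0000-0000-000000000000", b"constructed-der", fake_signer,
            ["tenant-a.onmicrosoft.com", "tenant-b.onmicrosoft.com"]).items():
        print(tenant, url, decode_unverified(body["client_assertion"])[1]["aud"])
```

Each body is posted to its tenant's URL and the returned bearer token is used only for Graph calls about that tenant; the assertion's `aud` is the tenant endpoint, so an assertion built for tenant A is not replayable against tenant B.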

Recommended answer

It appears this would be better placed in the AAD forum. Can you please verify that you are not using an Azure API app?

We look forward to your reply.

