Questions around Entra External ID and deploying resources

188 views Asked by At

I am currently evaluating Entra External ID to use in a Blazor WASM app calling my own Web API scenario. The authn/authz parts are now all in place, however I can't seem to figure out on how to move on from here.

I am given some details about my account setup, in case this might be helpful in answering:

  • Using my @outlook personal account, I have created a personal PAYG Azure subscription.

  • Added a user admin@mainTenant, promoted this to Global Administrator

  • Using above user @ https://entra.microsoft.com I have created a customer tenant. There, the two app registrations have been configured to work with my apps.

  • In my subscription@mainTenant, I have linked the subscription for use with External Identities

I am now unclear on how to proceed. Although linking has taken place, I am unable to deploy anything in the customerTenant because the portal says I have no subscription. But even if there was, should I deploy there? I have my doubts somehow.

I would prefer to deploy infrastructure in my mainTenant, i.e. an Azure Static Web App for Blazor WASM and a App Service for the API. But then I would reference app registrations from another tenant, i.e. my customerTenant, will that work?

As part of my API backend code, I need to interact with the MS Graph API to edit customer user data. I would like to authorize the managed identity of the App Service, however, the permissions I would need to grant would also be scoped to data that lives in the other tenant (the user objects of Entra External ID).

What's even more confusing is, that when logged in with my personal @outlook account that created my initial subscription in the first place, I am not even able to see the other tenant, neither in the portal, nor at https://entra.microsoft.com

All in all, I have the feeling I have misconfigured something. Definitely, I don't have a clear enough concept of how all these parts are supposed to play together.

I would very much welcome your thoughts on this! Thank you for any input.

1

There are 1 answers

2
Daniel Krzyczkowski On BEST ANSWER

All the steps you did to create and configure your Microsoft Entra External ID instance are correct. Subscription is only required when you want to have Identity Protection access. Under this link you can find detailed information about configuration and free trial too.

Subscription linking is used because in the future there will be “monthly active users (aka MAU)” pricing model and you will pay for the active users above specific threshold.

However, your Azure subscription is still under your main Microsoft Entra ID tenant, not the Microsoft Entra External ID tenant. You only linked Entra External ID to existing subscription for the billing purposes. You should deploy all your resources using the main Microsoft Entra ID tenant connected with your Azure subscription. You cannot deploy Azure resources under Microsoft Entra External ID tenant. This is why you see the error in the portal.

Now, when it comes to app registrations, access to Microsoft Graph API, managed identities. When you deploy your applications to let’s say Azure Web App, you can enable system-assigned managed identity for this service. You can have then Azure Key Vault, where you store Client ID and Client Secret of the application registered in the CIAM (MS Entra External ID) tenant. There is no way to use managed identity directly to call another tenant’s resources in this case. The typical approach is to create app registration in your MS Entra External ID tenant, and use client ID with certificate. With these credentials you can authenticate with MS Graph API, and then call endpoints responsible for returning information about users stored in your MS Entra External ID tenant.

To summarize. To communicate between Azure resources deployed under subscription connected to your main Microsoft Entra ID tenant (workforce one, not customer one) you can configure manage identities and use RBAC (Role Based Access Control) to grant access. For instance you can grant your Azure Web App permission to get secret from the Azure Key Vault. On the other side, if you need to authenticate users accessing your application hosted on Azure Web App, you have to use app details from the Customer tenant (like Client ID). If you need to access your users data from the MS Entra External ID, you have to first authenticate with Microsoft Graph API. This is what you typically do on the backend side (like in ASP .NET Core API). Here you store securely your backend app registration details like Client ID, and Client Secret and you grant specific MS Graph permissions to your app under “Permissions” section in MS Entra for customers tenant. enter image description here

You also mentioned that you cannot see other tenant. In the MS Entra Admin Center please use "gear" icon to see the list of all tenants. You should see your two tenants - the standard one and one for customers. I attach image to make it easier. enter image description here

Please let me know if this clarified a bit. I am happy to provide more details to help.