Introduction and Problem Statement
The goal of this article is to walk through how to establish cross-tenant trust between Microsoft tenants, specifically how an application user in the Power Platform can reference an application registration that lives in a different tenant (in Microsoft Entra ID). If a platform administrator or their customers cannot find the desired application registration when creating an application user in Dynamics 365 (Dataverse) through the Power Platform Admin Center (see here for background), this article is for them. It is also for the administratively curious.
Real-World Scenario
This seems like a pretty niche situation, right? Here are some examples of when an application registration from another tenant might be needed.
- Government contractors working with agencies or federal organizations
- Software vendors who support and integrate with multiple client tenants
- Parent company managing subsidiary organizations, or vice versa
Even if none of these situations applies, it's pretty cool to know, right? Hashtag the more you know.
Solution
Pre-requisites
- The operating user must be a Global Administrator (or hold another role that can grant tenant-wide admin consent) in the target tenant, and must be able to edit the application registration in the source tenant
- The source application registration already exists and its Supported account types setting is multi-tenant (Accounts in any organizational directory; signInAudience of AzureADMultipleOrgs in the manifest). A single-tenant registration will never be found from the other tenant, whatever consent is granted
To give more context to this solution, imagine we have two tenants
- Tenant ABC (Source)
- Tenant XYZ (Target)
Step 01: Construct Consent URL
As a global admin, construct the following URL and open it in a new browser window:
https://login.microsoftonline.com/{target-tenant-id}/adminconsent?client_id={application-id}&redirect_uri={registered-redirect-uri}&state={random-value}
where target-tenant-id is the tenant ID of Tenant XYZ and application-id is the Application (client) ID of the app registration in the source tenant, ABC. The redirect_uri and state parameters are optional but recommended: redirect_uri must exactly match a redirect URI registered on the app registration, and state is an opaque value you generate so you can confirm that the response you get back belongs to the request you started.
Step 02: Complete Consent
Once the URL from Step 01 is opened in a new browser window, the user is asked to sign in to the target tenant and is then prompted to grant the permissions the application requests. This looks like the standard Microsoft sign-in and consent prompt. Review the listed permissions before accepting: admin consent is granted on behalf of the whole target tenant, not just the signed-in user. If no redirect URI is set up, the prompt hits a dead end after consent. It is best to set up a redirect back to the Azure Portal (or another URI registered on the app) in this situation.
Step 03: Verify Application in Target
The user should now see the application that was created in the source tenant (ABC) listed in the target tenant (XYZ) under Microsoft Entra ID -> Enterprise applications. The display name and the Application (client) ID match the source; the Object ID does not, because consent creates a new service principal in tenant XYZ, and that object is specific to XYZ.
Step 04: Create App User in Target
The user may now create the Application User in the Power Platform Admin Center of Tenant XYZ, selecting the application by its Application (client) ID. Follow the guide linked in the Problem Statement section if any questions arise around setup. Note that a client authenticating as this app user must request its token from tenant XYZ's authority (https://login.microsoftonline.com/{xyz-tenant-id}) using the secret or certificate held by the app registration in tenant ABC; a token issued by tenant ABC is not accepted by Dataverse in tenant XYZ.
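The whole exchange in Steps 01 through 04, as an added example that is not code from the original article: a small Python helper that builds the consent URL with a state value, validates the redirect the consent endpoint sends back after the admin accepts (or refuses), and builds the client-credentials token request the app user's client must make against the target tenant. The tenant IDs, client ID, redirect URI, Dataverse host and the callback URLs below are constructed placeholders; nothing here touches the network.

```python
"""Cross-tenant admin consent helper (added example, not part of the original article).

Tenant IDs, client ID, redirect URI, org host and the simulated callback are
constructed placeholders; nothing here talks to the network.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN = "https://login.microsoftonline.com"


class ConsentError(Exception):
    """Raised when the consent endpoint reports an error or consent was refused."""


def build_admin_consent_url(target_tenant_id, client_id, redirect_uri, state=None, v2_scope=None):
    """Build the admin consent URL from Step 01 and return (url, state).

    The URL is addressed to the *target* tenant (XYZ) but names the client_id of
    the app registration that lives in the *source* tenant (ABC). redirect_uri
    must exactly match a redirect URI registered on that app. state is an opaque
    value the caller keeps so the response can be tied back to this request.
    With v2_scope the v2.0 endpoint is used, which takes an explicit scope such
    as "https://graph.microsoft.com/.default"; otherwise the v1 endpoint the
    article uses is built.
    """
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if v2_scope:
        params["scope"] = v2_scope
        return f"{LOGIN}/{target_tenant_id}/v2.0/adminconsent?{urlencode(params)}", state
    return f"{LOGIN}/{target_tenant_id}/adminconsent?{urlencode(params)}", state


def parse_consent_callback(callback_url, expected_state, expected_tenant_id):
    """Validate the redirect the consent endpoint sends back after Step 02.

    Checks, in order: the state matches the request we made (otherwise the
    response is stale or forged), the endpoint reported no error, admin_consent
    is True, and the consenting tenant is the one we targeted.
    """
    query = parse_qs(urlparse(callback_url).query)

    def first(name, default=None):
        return query.get(name, [default])[0]

    if first("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this consent request")
    if first("error"):
        raise ConsentError(f"{first('error')}: {first('error_description', '')}")
    if first("admin_consent", "False").lower() != "true":
        raise ConsentError("admin_consent was not granted")
    tenant = first("tenant", "")
    if tenant.lower() != expected_tenant_id.lower():
        raise ValueError(f"consent came from tenant {tenant!r}, expected {expected_tenant_id!r}")
    return {"tenant": tenant, "admin_consent": True, "scope": first("scope", "")}


def dataverse_token_request(target_tenant_id, client_id, client_secret, org_host):
    """Token request for the app user created in Step 04 (client credentials flow).

    The authority is the *target* tenant (XYZ), because Dataverse in XYZ only
    accepts tokens issued by XYZ; client_id and client_secret belong to the app
    registration in the source tenant (ABC). The scope is the Dataverse
    environment URL plus "/.default".
    """
    return {
        "url": f"{LOGIN}/{target_tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": f"https://{org_host}/.default",
        },
    }


# Constructed placeholders for the walkthrough.
SOURCE_APP_ID = "11111111-1111-1111-1111-111111111111"    # app registration in Tenant ABC
TARGET_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # Tenant XYZ
REDIRECT_URI = "https://portal.azure.com/"                # must be registered on the app

if __name__ == "__main__":
    url, state = build_admin_consent_url(TARGET_TENANT_ID, SOURCE_APP_ID, REDIRECT_URI)
    print("Open as an admin of XYZ:", url)
    # Simulated (constructed) successful redirect in the shape the v1 endpoint returns.
    callback = f"{REDIRECT_URI}?admin_consent=True&tenant={TARGET_TENANT_ID}&state={state}"
    print(parse_consent_callback(callback, state, TARGET_TENANT_ID))
    print(dataverse_token_request(TARGET_TENANT_ID, SOURCE_APP_ID, "<secret>", "contoso.crm.dynamics.com")["url"])
```

The state check matters because the redirect URI is a public endpoint: anyone can send a browser to it with admin_consent=True in the query string, so the only thing that ties a callback to a consent you actually initiated is a state value you generated and stored. The tenant check catches the case where an admin of some other tenant consented to the multi-tenant app, which would create a service principal there rather than in XYZ.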
Limitations
This proof of concept was done between two commercial tenants. Establishing this connection between tenants of different tiers (think Commercial vs. GCC/GCCH) is not supported. The recommendation for this situation is to create two application registrations, one in each tenant.
Resources
Microsoft identity platform admin consent protocols – Microsoft identity platform | Microsoft Learn