Authenticate an SPA application / users from one tenant to another (Multitenant)

Ashwin Sidharthan 20 Reputation points
2025-05-01T11:52:20.32+00:00

Hey,

I am a bit lost with the whole process of getting the cross-tenant/multi-tenant scenario working. Basically, my scenario is that I have an SPA on a B2C tenant (Tenant A) and I need to call an API on another tenant B2B (Tenant B). Is this achievable?

Below are the steps that I have done:

  1. MS Admin center in Tenant B - create a multitenant org and add the Tenant ID of Tenant A
  2. MS Admin center in Tenant A - join a multitenant org and add Tenant ID of Tenant B

With the above, I am able to share users across the tenants.

The part which is unclear is how my SPA app on Tenant A authenticates to the exposed scopes to call the Web API on Tenant B. I am unable to grant API access across the tenant. I have tried to add the client ID of the SPA app to the Web API app, but it gives me errors. Is there proper documentation around this?

Thanks,
Ash

Microsoft Entra ID

Accepted answer
  1. Kancharla Saiteja 3,945 Reputation points Microsoft External Staff
    2025-05-02T22:06:15.9533333+00:00

    Hi @Ashwin Sidharthan,

    Based on your query, here is my understanding: you would like to add tenant API exposed API in tenant B application.

    Tenant A: Create an app registration as a multi-tenant application in tenant A (e.g. TenantAapp) and expose it as an API (api://app-id/app.permission). You can use the following document: Configure an application to expose a web API.

    Tenant B:

    1. Try to consent to the TenantAapp multi-tenant application using a user of Tenant B, so that the application gets added to Tenant B as a service principal.
    2. Once the application TenantAAPI gets added to Tenant B, you should be able to see its entry under the Enterprise Registration section.
    3. Create another App Registration in Tenant B (e.g. TenantBApp).
    4. In the API Permissions section of TenantBApp, you can add a permission: Add a Permission --> Select an API --> APIs my Organization Uses --> here, search for the API of tenant A, i.e. TenantAapp.
    5. Once you find TenantAapp, add its exposed permission, which is app.read, as it would be listed there.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
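
Once the consent steps above are in place, the API receives tokens issued by more than one tenant. The following is an added example (not part of the original thread and not Microsoft's code) of the claim checks such an API would apply, assuming Microsoft Entra ID v2.0 access tokens whose signature and lifetime were already verified by a JWT library. The GUIDs, `CONFIG` and `checkCrossTenantClaims` are hypothetical names.

```javascript
// Added example: authorization checks on already-verified token claims.
// Assumption: signature, exp and nbf were validated earlier against the
// issuing tenant's signing keys; this code does NOT verify signatures.
const CONFIG = {
  audience: "11111111-1111-1111-1111-111111111111", // constructed: API app (client) ID
  requiredScope: "app.read",                        // scope named in the answer
  allowedTenants: new Set([
    "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",         // constructed: home tenant ID
    "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",         // constructed: consenting tenant ID
  ]),
};

function checkCrossTenantClaims(claims, cfg = CONFIG) {
  if (!claims || typeof claims !== "object") return { ok: false, reason: "no claims" };
  // aud must be this API, otherwise the token was minted for another resource.
  if (claims.aud !== cfg.audience) return { ok: false, reason: "wrong audience" };
  // A multi-tenant app accepts sign-ins from any tenant unless the API
  // restricts tid to the tenants it has onboarded.
  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!cfg.allowedTenants.has(tid)) return { ok: false, reason: "tenant not allowed" };
  // The v2.0 issuer embeds the tenant ID; it has to agree with tid.
  if (claims.iss !== `https://login.microsoftonline.com/${tid}/v2.0`)
    return { ok: false, reason: "issuer does not match tenant" };
  // Delegated permissions arrive in scp as a space-separated string.
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  if (!scopes.includes(cfg.requiredScope)) return { ok: false, reason: "missing scope" };
  return { ok: true, reason: "accepted" };
}

// Constructed sample claims (not taken from real tokens).
const TENANT_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb";
const TENANT_X = "cccccccc-cccc-cccc-cccc-cccccccccccc";
const SAMPLE_OK = {
  aud: CONFIG.audience,
  tid: TENANT_B,
  iss: `https://login.microsoftonline.com/${TENANT_B}/v2.0`,
  scp: "app.read",
};
const SAMPLE_UNKNOWN_TENANT = {
  ...SAMPLE_OK,
  tid: TENANT_X,
  iss: `https://login.microsoftonline.com/${TENANT_X}/v2.0`,
};
const SAMPLE_ISS_MISMATCH = { ...SAMPLE_OK, iss: SAMPLE_UNKNOWN_TENANT.iss };

for (const c of [SAMPLE_OK, SAMPLE_UNKNOWN_TENANT, SAMPLE_ISS_MISMATCH])
  console.log(c.tid, "->", checkCrossTenantClaims(c).reason);
```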

