Developer Accounts Using Azure Active Directory

  • Question

  • Hi, from the documentation titled "How to authorize developer accounts using Azure Active Directory in Azure API Management":

    I have followed the directions and set the application and delegated user permissions as stated.

    I've tried working with an alternative active directory Tenant. When the Admin User for alternative Tenant logs in they are granted access and appear in the list of users within the API manager. They get the screen that asks that they grant access to read directory data and Sign in and read user profile (This is different from the current documentation which begins with enable sign in and read user data)

    If a normal user from the same alternative Tenant tries to log in they get the Active Directory Login screen but then an error appears that says:

    "This application requires application permissions to another application."

    I've tracked this back to the Application Permission "Read Directory Data". This permission seems to work within the API Manager since I can add Groups from the Alternative Tenant.

    If I remove the permission I can't read the Group data, but the same permission seems to block non Admin Users from sign-on. It's my understanding that once the Admin User grants permission for the application to read the data it should allow the non Admin Users to sign on.

    Thursday, December 22, 2016 11:43 PM

All replies

  • Hello,

    Thank you for contacting Microsoft forums. We are pleased to answer your query.

    I have involved the respected backend team for proper solution and will get back to you, as soon as we have any updates.

    Also, can you please confirm for us what the suffix of the UPN you are using is?

    Regards,
    Swikruti

    Friday, December 23, 2016 12:36 PM
  • UPN - User Principal Name?
    Friday, December 23, 2016 2:59 PM
  • Hello,

    Yes. Confirm only the suffix of UPN/Domain name.

    Hope this helps.

    Regards,
    Swikruti


    Friday, December 23, 2016 6:36 PM
  • Hi,

    Can you share with me the settings in the Configure page of your Application in Active Directory? You can send them to me at mijiang at Microsoft dotcom.

    Thanks

    Wednesday, December 28, 2016 7:27 PM
  • Hi Mijiang. I have emailed you the details.

    I have tried a couple of things that I would like to share.

    I uploaded the users via B2B to see if this made any difference and it didn't.

    I have found the link between external users in the Azure Active Directory and on API Manager confusing.

    (API Manager)

    Once an External Tenant is added to the security/identities section then the application wants to query the External Tenant when the user logs on. Also it can only see those Groups that belong to the external Tenant.

    (Azure Management Portal)

    If I add an external user to my Azure Active Directory (either directly or via B2B) it's completely ignored by the API Manager. The API Manager application is registered under the same Azure Active Directory.

    So if I add external users to my own Azure Active Directory I can't use those Accounts with the API Manager. If the External Tenant is not registered under the API Manager then it won't authenticate the user.

    What's confusing about this is that if the user is a Global Admin on the external active directory then they can logon to the Developer Portal without any issues.


    Thursday, December 29, 2016 4:02 PM
  • I have emailed you the details you have asked for.
    Thursday, December 29, 2016 4:03 PM
  • Just some extra thoughts on this.

    a.) If I want to manage external users (via groups) in my own Azure Active Directory then I can't use this approach with the API Manager.

    b.) At the moment with multitenancy I can't get a user to log on who just has a standard 'user' account within the external active directory. I've read some other articles on this and they say that while the admin user makes it "possible" for a user to use another tenant's application, the application requires that the user also gives the same permissions?

    http://stackoverflow.com/questions/29791557/why-azure-ad-fails-to-login-non-admins-in-multi-tenant-scenario

    So if I limit the permission to not have read access then I need to manage the users via Groups inside the API Manager, because I won't be able to see the Groups inside the external Azure Active Directory. In fact I won't be able to manage any users by Groups from active directory, even those in my own Azure Active Directory.

    Did I just answer my own question :)

    Thursday, December 29, 2016 4:24 PM
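The distinction the thread circles around is how the permission is typed in the app registration's manifest: `requiredResourceAccess[].resourceAccess[].type` is `"Scope"` for a delegated permission (a user can consent) and `"Role"` for an application permission (only a tenant admin can consent). As an added example, not code from this thread or from Microsoft, here is a small linter that reads a manifest, flags the application permissions that block ordinary users of another tenant on a multi-tenant app, and produces a delegated-only copy. The manifest and its permission ids are constructed placeholders; only the Azure AD Graph resource id and the manifest field names are real.

```python
import json

# Constructed sample in the Azure AD app-registration manifest shape.
# The permission ids are placeholders, not real permission GUIDs.
SAMPLE_MANIFEST = json.dumps({
    "availableToOtherTenants": True,   # multi-tenant app, as in the thread
    "requiredResourceAccess": [{
        "resourceAppId": "00000002-0000-0000-c000-000000000000",  # Azure AD Graph
        "resourceAccess": [
            {"id": "PLACEHOLDER-DELEGATED-SIGN-IN-READ-PROFILE", "type": "Scope"},
            {"id": "PLACEHOLDER-DELEGATED-READ-DIRECTORY-DATA", "type": "Scope"},
            {"id": "PLACEHOLDER-APPLICATION-READ-DIRECTORY-DATA", "type": "Role"},
        ],
    }],
})


def find_admin_only_permissions(manifest_json):
    """Return (resourceAppId, permissionId) pairs that only a tenant admin can
    consent to. "Scope" entries are delegated permissions; "Role" entries are
    application permissions, which a non-admin user of another tenant can
    never consent to, so their sign-in fails until that tenant's admin does."""
    manifest = json.loads(manifest_json)
    blockers = []
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":
                blockers.append((resource["resourceAppId"], access["id"]))
    return blockers


def multi_tenant_signin_risk(manifest_json):
    """True when the app is multi-tenant AND requests application permissions,
    the combination behind the "requires application permissions to another
    application" error quoted in the thread."""
    manifest = json.loads(manifest_json)
    is_multi_tenant = bool(manifest.get("availableToOtherTenants"))
    return is_multi_tenant and bool(find_admin_only_permissions(manifest_json))


def delegated_only(manifest_json):
    """Return a copy of the manifest with every application ("Role")
    permission removed, keeping only the delegated ("Scope") permissions.
    Group lookups that relied on the application permission stop working,
    which is the trade-off the last post in the thread describes."""
    manifest = json.loads(manifest_json)
    for resource in manifest.get("requiredResourceAccess", []):
        resource["resourceAccess"] = [
            a for a in resource.get("resourceAccess", []) if a.get("type") != "Role"
        ]
    return json.dumps(manifest)
```

Run it over a manifest exported from the portal to see which entries an external tenant's admin would have to consent to before that tenant's regular users can sign in.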