Revision history [back]

In order to grant permission for accessing resources in another tenant using AuthorizeForScopes, you need to follow these steps:

1. Add the AzureAd package to your project.

2. Configure the Authentication settings in your Startup.cs file to include the TenantId of the other tenant. For example:

services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

options.CallbackPath = "/signin-oidc";
options.TenantId = "ANOTHER_TENANT_ID"; // add the TenantId of the other tenant
options.Instance = "https://login.microsoftonline.com/";
options.ClientId = Configuration["AzureAd:ClientId"];
options.ClientSecret = Configuration["AzureAd:ClientSecret"];

1. Use the AuthorizeForScopes attribute in your Controllers or Actions to grant access to specific scopes. For example:

[AuthorizeForScopes(Scopes = new[] { "https://ANOTHER_TENANT_NAME.onmicrosoft.com/scope1", "https://ANOTHER_TENANT_NAME.onmicrosoft.com/scope2" })]
public async Task<IActionResult> MyAction()
{
    // code goes here
}

1. Finally, make sure that the App Registration in the other tenant has been configured to expose the required scopes. You can do this by navigating to the Expose an API section in the App Registration portal and adding the required scopes.