授予服务主体访问其他租户中的应用程序的权限

我在一个租户(OneTenant)中拥有一个Azure AD服务主体，我想授予对另一个租户(OtherTenant)中的应用程序的访问权限.

I have an Azure AD service principal in one tenant (OneTenant) that I would like to give access to an application in another tenant (OtherTenant).

租户OneTenant中的服务主体是Azure Logic应用程序的托管服务身份.因此，我真正想要的是从我的逻辑应用程序调用API.此API受OtherTenant中的Azure AD应用程序保护.

The service principal in tenant OneTenant is a managed service identity for an Azure Logic App. So what I actually want is to call an API from my Logic App. This API is protected by an Azure AD application in OtherTenant.

OtherTenant中的应用程序定义了许多角色，并且OneTenant中的服务主体应具有这些角色之一，以便可以调用API.

The application in OtherTenant defines a number of roles and the service principal in OneTenant should have one of these roles so it can call the API.

我尝试了以下操作:

• 将OtherTenant中的应用设置为多租户

• 运行以下PS命令以尝试将SP添加到应用程序中的角色:

• set the app in OtherTenant to multi-tenant

• ran the following PS command to attempt to add the SP to a role in the app:

New-AzureADServiceAppRoleAssignment `
  -ObjectId <object-id-of-sp-in-one-tenant> `
  -Id <role-id> `
  -PrincipalId <object-id-of-sp-in-one-tenant> `
  -ResourceId <app-id-in-other-tenant>

(均已登录OneTenant和OtherTenant)

这会产生一个错误，指出找不到app-id-in-other-tenant或object-id-of-sp-in-one-tenant，这取决于我登录的位置.

This gives an error stating that either app-id-in-other-tenant or object-id-of-sp-in-one-tenant can not be found, depending on where I am signed in.

我还尝试根据OtherTenant中的app-id在OneTenant中创建服务主体，在这种情况下，我会收到一条错误消息:Authenticating principal does not have permission to instantiate multi-tenantapplications and there is not matching Applicationin the request tenant.

I also tried creating a Service Principal in OneTenant based on the app-id from OtherTenant In that case I get an error message: Authenticating principal does not have permission to instantiate multi-tenantapplications and there is not matching Applicationin the request tenant.