Merge pull request #206204 from omondiatieno/sp-for-multi-tenant-app

v-ccolin · web-flow · commit cb1310ecf154 · 2022-07-28T08:23:09.000+01:00
new article on how to create sp for multi-tenant app using appId
diff --git a/articles/active-directory/manage-apps/create-service-principal-cross-tenant.md b/articles/active-directory/manage-apps/create-service-principal-cross-tenant.md
@@ -0,0 +1,108 @@
+---
+title: 'Create an enterprise application from a multi-tenant application'
+description: Create an enterprise application using the client ID for a multi-tenant application.
+services: active-directory
+author: omondiatieno
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.topic: how-to
+ms.workload: identity
+ms.date: 07/26/2022
+ms.author: jomondi
+ms.reviewer: karavar
+ms.custom: mode-other
+zone_pivot_groups: enterprise-apps-cli
+
+
+#Customer intent: As an administrator of an Azure AD tenant, I want to create an enterprise application using client ID for a multi-tenant application provided by a service provider or independent software vendor.
+---
+
+# Create an enterprise application from a multi-tenant application in Azure Active Directory
+
+In this article, you'll learn how to create an enterprise application in your tenant using the client ID for a multi-tenant application. An enterprise application refers to a service principal within a tenant. The service principal discussed in this article is the local representation, or application instance, of a global application object in a single tenant or directory. 
+
+Before you proceed to add the application using any of these options, check whether the enterprise application is already in your tenant by attempting to sign in to the application. If the sign-in is successful, the enterprise application already exists in your tenant.
+
+If you have verified that the application isn't in your tenant, proceed with any of the following ways to add the enterprise application to your tenant using the appId
+
+## Prerequisites
+
+To add an enterprise application to your Azure AD tenant, you need:
+
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
+- The client ID of the multi-tenant application.
+
+
+## Create an enterprise application
+
+:::zone pivot="admin-consent-url"
+
+If you've been provided with the admin consent URL, navigate to the URL through a web browser to [grant tenant-wide admin consent](grant-admin-consent.md) to the application. Granting tenant-wide admin consent to the application will add it to your tenant. The tenant-wide admin consent URL has the following format:
+
+```http
+https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=248e869f-0e5c-484d-b5ea1fba9563df41&redirect_uri=https://www.your-app-url.com
+```
+where:
+
+- `{client-id}` is the application's client ID (also known as appId).
+
+:::zone-end
+
+:::zone pivot="msgraph-powershell"
+
+1. Run `connect-MgGraph -Scopes "Application.ReadWrite.All"` and sign in with a Global Admin user account.
+1. Run the following command to create the enterprise application:
+
+   ```powershell
+   New-MgServicePrincipal -AppId fc876dd1-6bcb-4304-b9b6-18ddf1526b62
+   ```
+1. To  delete the enterprise application you created, run the command:
+
+   ```powershell
+   Remove-MgServicePrincipal
+      -ServicePrincipalId <objectID>
+   ```
+:::zone-end
+:::zone pivot="ms-graph"
+
+From the Microsoft Graph explorer window:
+
+1. To create the enterprise application, insert the following query:
+   
+   ```http
+   POST /servicePrincipals.
+   ```
+1. Supply the following request in the **Request body**.
+
+   {
+     "appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
+   }
+1. Grant the Application.ReadWrite.All permission under the **Modify permissions** tab and select **Run query**.
+
+1. To  delete the enterprise application you created, run the query:
+
+    ```http
+    DELETE /servicePrincipals/{objectID}
+    ```	
+:::zone-end
+:::zone pivot="azure-cli"
+1. To create the enterprise application, run the following command:
+   
+   ```azurecli
+   az ad sp create --id fc876dd1-6bcb-4304-b9b6-18ddf1526b62
+   ```
+
+1. To  delete the enterprise application you created, run the command:
+
+   ```azurecli
+   az ad sp delete --id
+   ```
+
+:::zone-end
+
+## Next steps
+
+- [Add RBAC role to the enterprise application](/azure/role-based-access-control/role-assignments-portal)
+- [Assign users to your application](add-application-portal-assign-users.md)
diff --git a/articles/active-directory/manage-apps/toc.yml b/articles/active-directory/manage-apps/toc.yml
@@ -234,6 +234,8 @@
         href: application-sign-in-problem-application-error.md
       - name: Problem signing into a Microsoft app
         href: application-sign-in-problem-first-party-microsoft.md
+    - name: Create enterprise app for multi-tenant app registration
+      href: create-service-principal-cross-tenant.md    
   - name: Reference
     items:
     - name: Deletion and recovery FAQ
diff --git a/articles/zone-pivot-groups.yml b/articles/zone-pivot-groups.yml
@@ -1671,6 +1671,8 @@ groups:
     title: Microsoft Graph
   - id: azure-cli
     title: Azure CLI
+  - id: admin-consent-url
+    title: Admin consent URL
 # Owner: juliakm
 - id: pipelines-version
   title: Pipelines version
