A likely “testing” site (probably a Microsoft front, or some contractor firm whose public visibility is hidden behind it) can be found at http://www.workaad.com/Miscellaneous/AdminConsentRequest.aspx. Whatever it is, it's well done, and very up-to-date.
The first workflow lets us, as administrator of the custom-domain version of our Azure AD tenant, consent to granting the webapp at this site access privileges. Let's guess that the app publishing such a URI, bearing its unique “client ID”, must already have a working registration as an application (in some other Azure AD tenant), and is seeking to have a ServicePrincipal record (the ServiceProvider, or SP, in SAML speak) added to the Azure AD tenant acting as IDP, where that IDP is determined by the web SSO and consent process performed by the administrator-grade user:
Back on the active webapp site (the new SP … in the IDP=netmagic.onmicrosoft.com with the noted tenantID value), we see the information its provisioning process is given to create IDP-pointing records:
Note how the SP webapp, during relationship provisioning, gets a summary of its SP record as now recorded in the user's IDP. This data probably comes from the original application record held about this webapp site in its primary Azure AD tenant, now shared with the secondary “new relationship” IDP.
I find it a little disconcerting that this “partner” now knows about other verified domains of the IDP of the user (netmagic.onmicrosoft.com). We see from the wire trace that the protocol does NOT deliver such information:
Evidently, given the tenantID of the IDP, the webapp can look up its own application record in its primary IDP to learn about the new IDP from the new IDP-pointing record. We also see an email sent to the user who granted the consent.
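To make the two observations above concrete (the admin consent request the webapp issues, and the callback from which it learns nothing more than the consenting tenant's ID), here is an added example of the request and callback handling for a multi-tenant app. This is not code from the page or from the workaad.com site; the client ID, redirect URI, state value and sample callback URLs are constructed placeholders, and the query parameters follow the documented contract of the Azure AD `/adminconsent` endpoint.

```python
# Added example: admin-consent round trip for a multi-tenant Azure AD app.
# Not code from the page or from the workaad.com site; the client ID,
# redirect URI, state and callback URLs below are constructed placeholders.
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_BASE = "https://login.microsoftonline.com"

# Constructed placeholder values for the requesting (SP) app.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/admin-consent-callback"


def build_admin_consent_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                            state="abc123", tenant="common"):
    """Build the /adminconsent URL an admin of the consenting tenant is sent to.

    With tenant="common" any tenant's admin may consent; the app only learns
    which tenant did so from the callback parameters.
    """
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "state": state})
    return f"{LOGIN_BASE}/{tenant}/adminconsent?{query}"


def parse_admin_consent_callback(callback_url, expected_state):
    """Validate the redirect back from Azure AD and return the consenting tenant id.

    The callback carries only tenant, state and admin_consent (or error and
    error_description); nothing about the tenant's verified domains. Anything
    further must be looked up by the app using that tenant id.
    """
    params = parse_qs(urlsplit(callback_url).query)

    def first(key):
        return params.get(key, [None])[0]

    # Bind the callback to the request we issued: a forged or replayed
    # redirect must not create a tenant record in the app's database.
    if first("state") != expected_state:
        raise ValueError("state mismatch; possible forged or replayed callback")
    if first("error"):
        raise PermissionError(f"{first('error')}: {first('error_description')}")
    if first("admin_consent") != "True":
        raise PermissionError("admin consent was not granted")
    tenant = first("tenant")
    if not tenant:
        raise ValueError("callback lacks the consenting tenant id")
    return tenant


def consenting_tenant(callback_url, expected_state):
    """Return the tenant id if the callback is valid, otherwise None."""
    try:
        return parse_admin_consent_callback(callback_url, expected_state)
    except (ValueError, PermissionError):
        return None


# Constructed sample callbacks, in the shape Azure AD returns after consent.
CONSENT_OK = (f"{REDIRECT_URI}?tenant=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
              "&state=abc123&admin_consent=True")
CONSENT_DENIED = (f"{REDIRECT_URI}?error=access_denied"
                  "&error_description=User+declined+to+consent"
                  "&state=abc123")

if __name__ == "__main__":
    print(build_admin_consent_url())
    print(consenting_tenant(CONSENT_OK, "abc123"))       # the tenant id
    print(consenting_tenant(CONSENT_DENIED, "abc123"))   # None
    print(consenting_tenant(CONSENT_OK, "other-state"))  # None
```

The state check is the part most often skipped: without it, anyone who can get the app to process a crafted callback URL can plant a tenant record that the app will then trust when it looks up “its” registration for that tenant.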
In the Azure console for the Azure AD tenant of the new IDP, which now bears the new SP-pointing record, we see:
Note how locked down the console is for this “type” of application registration. By definition, I suppose, it's a multi-tenant app, and it exposes its API.