What part(s) of the article would you like to see updated?
It's kind of a special thing, but it took me a few weeks of internal processes to figure out, and I think a hint might be worth adding there for others.
When adding an Azure subscription, you first need to grant access to your AzureAD account by signing in to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=a3c04df9-984f-464e-8f9e-0c4a7e0c500d..... After giving access you can select the tenant and subscription to link. If for whatever reason the common tenant doesn't allow the granting of these permissions (e.g. due to policies), using a different tenant can solve this.
In my case I needed to manually change the common part in the URL to my desired tenant id to switch to the correct tenant and be able to authorize the GitHub Permission Validator as outlined in the tenant parameter documentation on "Microsoft identity platform and OAuth 2.0 authorization code flow".
I'm not sure how common this problem is, but maybe putting one or two sentences in the documentation can help people after me to not run into the problem.
Maybe something like:
If your primary/default AzureAD tenant doesn't allow you to grant the required permissions, you might need to switch the common parameter at the start of the authorization URL to the tenant id you want to use.
Additional information
No response
edited by maintainer
Refer to this issue comment for a writer's review on how to fix this issue.
Thanks @Shegox! I am checking with the team whether we want to recommend this workaround in the docs, or whether there might be something better we can suggest. I'll let you know when they get back to me!
Thanks for your patience over the holidays @Shegox! We don't want to document this specific workaround, but we can help other folks in this situation by providing more details about how the connection works. Here's an example of what could be added:
At the time of connection, GitHub’s Subscription Permission Validation will request read-only access to display the list of available subscriptions. To select an Azure subscription, you must have owner permissions to the subscription. If the default tenant does not have the right permissions, you may need to specify a different tenant ID. Learn more about Microsoft’s authentication flow.
What article on docs.github.com is affected?
Connecting an Azure subscription to your enterprise