I have created an application in Azure AD and flipped the multi-tenant switch to make the application a multi-tenant one.
Then I followed the steps listed in the article How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern to sign-in users from other Azure AD tenants to my multi-tenant application.
The code looks like as follows
string aadInstance = "https://login.microsoftonline.com/{0}";
string tenant = "common";
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext context = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
AuthenticationResult result = await context.AcquireTokenAsync("https://XXXX.onmicrosoft.com/TodoListServiceMT", AppIdOfAppInDifferentTenant, new Uri("https://localhost:44399/"), new PlatformParameters(PromptBehavior.Always));
But during authentication, I keep running into the following error..
AADSTS65005: The client application has requested access to resource 'https://XXXX.onmicrosoft.com/TodoListServiceMT'. This request has failed because the client has not specified this resource in its requiredResourceAccess list
The fix for the error requires me to add permissions for my multi-tenant app in my client application in the other Azure AD tenant.
But I am unable to locate my multi-tenant application in the Configure Permissions screen of my client application in the other Azure AD tenant. All I see in that list is Azure AD Graph, ARM and Azure Active Directory.
Has anyone successfully tried this approach before? What needs to be done to expose my multi-tenant application in other Azure AD tenants?
A basic outline of Tenants, apps and resources at work here..
Tenant A
-> Multi-tenant App, resource id(App Id URI)-"https://XXXX.onmicrosoft.com/TodoListServiceMT"
Tenant B
-> Client App (AppIdOfAppInDifferentTenant)
For authentication, I am using an admin user in Tenant B
I tried adding the AppIdOfAppInDifferentTenant to Multi-tenant app's app manifest's knownclientapplications section, but one can only add app Ids of apps in the same tenant.
Solution
I still do not know why my code isn't able to generate a Consent prompt to successfully register the SP, but I attempted the same using the newly released Azure Active Directory V2 PowerShell Module and it worked for me.
The order of commands to create a SP of a multi-tenant application in a different tenant is as follows..
Connect-AzureAD -TenantId "TenantId as Guid"
New-AzureADServicePrincipal -AppId "Client/Application Id of the multi tenant application"
Once the command completes successfully, the multi-tenant app will start to show up in the "Required Permissions" screen of the client app