1
votes

Now I have one App in Azure active directory1, and a web api in Azure active directory2. My aim is to allow users in both AAD1 and AAD2 to log in to the App.

So far I've enabled App and Api as multi-tenant, added each other in the manifest as known client application.

The things I've not finished yet: adding one as a custom domain into the other, and adding permissions between the api and the app. I ran into some problems on these two.

Right now my error msg is:

An error has occurred while authorizing access via Authorization Server: unauthorized_client AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.

When I tried to give the access in the api, in the required permission list, I didn't see the web app (which is in the other directory). What should I do about it?

If I move both App and Api under the same directory, is there any way that allows users from the other directory to log in?


2 Answers

1
votes

In order for you to see the Web API in Tenant 1 as an option for "Required Permission List", you need to provision the service principal for the Web API into Tenant 1.

You can do this a number of ways, but the easiest way may be to simply sign into the Web API by generating a Login URL. Once you login, using a user from Tenant 1, the service principal will be provisioned in the tenant, and then be an option available to select.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=<appid>&response_type=code&redirect_uri=<replyurl>&resource=<resource>&prompt=consent

The other option might be to use AAD PowerShell to create a service principal based off your Web API App Id:

New-AzureADServicePrincipal

New-AzureADServicePrincipal -AccountEnabled $true -AppId $MyApp.AppId -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}

Once you have successfully put the service principal on your required permissions, the error message you described above should go away.
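As an added example (not part of the answer above), here is the PowerShell route done idempotently with the AzureAD module: it checks whether the Web API's service principal already exists in the tenant you are signed into, creates it only if missing, and then lists the OAuth2 grants recorded against it so you can confirm what consent actually produced. `$WebApiAppId` is a placeholder for the Web API's Application ID from the other directory.

```powershell
# Added example: provision the Web API's service principal into the current tenant
# (the one you sign into with Connect-AzureAD), without creating duplicates.
# Assumes the AzureAD PowerShell module is installed and you sign in as an admin of Tenant 1.
Connect-AzureAD

# Placeholder: replace with the Web API's Application (client) ID from AAD2.
$WebApiAppId = "00000000-0000-0000-0000-000000000000"

# Look for an existing service principal for this App ID in the current tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$WebApiAppId'"

if (-not $sp) {
    # No service principal yet: create one so the API appears under "Required permissions".
    $sp = New-AzureADServicePrincipal -AppId $WebApiAppId -AccountEnabled $true `
        -Tags @("WindowsAzureActiveDirectoryIntegratedApp")
    Write-Output "Created service principal $($sp.ObjectId) for app $WebApiAppId"
} else {
    Write-Output "Service principal already present: $($sp.ObjectId)"
}

# Review the delegated permission grants whose resource is this service principal.
# ConsentType 'AllPrincipals' means an admin consented for the whole tenant;
# 'Principal' means a single user consented for themselves.
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ResourceId -eq $sp.ObjectId } |
    Select-Object ClientId, ConsentType, PrincipalId, Scope
```

If the grant list is empty after a user from Tenant 1 has signed in through the consent URL, the consent did not land on this service principal and the AADSTS65005 error will persist.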

1
votes

In addition to Shawn Tabrizi's answer, you can also specify your API as a known client application of the App.

So in your App's manifest:

"knownClientApplications": [
  "your-api-client-id"
]

Then if you try to authenticate to the App, it can do consent for the API as well at the same time.