My application is registered in tenant A and requires the Microsoft Graph permission "Invite guest users to the organization". The application is an API app without a GUI.
To give the application Graph access in Tenant A I do the following:
1. Go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=<My application ID>&prompt=admin_consent
2. Log in with admin credentials for tenant A

Done - my Service Principal in tenant A now has the "Invite guest users to the organization" permission.
So far so good. Now I want to give the same application access to invite guest users in tenant B. How do I do that?
I've tried the same flow as before:
1. Go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=<My application ID>&prompt=admin_consent
2. Log in with admin credentials for tenant B

This results in the following error message:

AADSTS50020: User account '[email protected]' from identity provider 'yyy.com' does not exist in tenant 'Tenant A' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
It seems that this action tries to give the application the required permissions in Tenant A even though I log in with admin credentials from Tenant B.
How do I give the application the required permissions in Tenant B? Is it possible to use the admin consent flow with a Service Principal ID from Tenant B instead of the global Application ID for my application?
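As an added illustration of the admin consent flow described in the question (example code, not from the original post): it builds the consent URL against a tenant-specific authority instead of /common and checks the redirect that comes back, rejecting error responses, state mismatches and consent that landed in a tenant other than the one requested. The authority host login.microsoftonline.com (an alias of the login.windows.net host used above), the redirect query parameters admin_consent, state and tenant, and all IDs are assumptions, not values from the page.

```python
"""Build a tenant-pinned admin-consent URL and validate the consent redirect.

Added example, not code from the original question. Assumes the v1
authorize endpoint with prompt=admin_consent; tenant, client_id and
redirect_uri values are hypothetical placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"  # assumed host, same service as login.windows.net


def build_admin_consent_url(tenant, client_id, redirect_uri, state):
    # Pinning the authority to a tenant ID or domain (instead of /common) makes it
    # explicit which directory the consent is recorded in; with /common the tenant
    # is resolved from the signed-in account and the app's registration.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
        "state": state,  # caller-generated random value, bound to this request
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def check_consent_redirect(redirect_url, expected_state, expected_tenant):
    """Return (ok, reason) for the redirect the consent page sends back.

    Fails closed on an error response, on a state that does not match the
    request we issued, on a missing admin_consent flag, and (when the
    endpoint echoes a tenant parameter, an assumption here) on consent that
    was granted in a tenant other than the one we targeted.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if "error" in q:
        return False, q.get("error_description", q["error"])
    if q.get("state") != expected_state:
        return False, "state mismatch (stale or forged redirect)"
    if q.get("admin_consent") != "True":
        return False, "admin consent not granted"
    if "tenant" in q and q["tenant"] != expected_tenant:
        return False, f"consent granted in unexpected tenant {q['tenant']}"
    return True, "consent granted"
```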