
We have a multi tenant azure ad application that is not visible in certain other tenants. Is there a tenant level setting to allow third party applications?

We run the following command from the Azure CLI to see if the application is visible:

az ad app show --id appID

We get the following error:

(I have xxx'd out the application ID)

Resource 'xxxxx' does not exist or one of its queried reference-property objects are not present.
Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\main.py", line 36, in main
    cmd_result = APPLICATION.execute(args)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\application.py", line 216, in execute
    result = expanded_arg.func(params)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 381, in call
    return self.handler(*args, **kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 640, in _execute_command
    raise client_exception
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 628, in _execute_command
    exception_handler(ex)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\util.py", line 49, in empty_on_404
    raise ex
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\core\commands\__init__.py", line 612, in _execute_command
    result = op(client, **kwargs) if client else op(**kwargs)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\cli\command_modules\role\custom.py", line 455, in show_application
    return client.get(object_id)
  File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\azure\graphrbac\operations\applications_operations.py", line 272, in get
    raise models.GraphErrorException(self._deserialize, response)
azure.graphrbac.models.graph_error.GraphErrorException: Resource 'xxxx' does not exist or one of its queried reference-property objects are not present.


1 Answer


Users in the other tenant need to consent to the permissions requested by the multi-tenant app. Then the application will appear in that tenant as a service principal (SP). So you may have forgotten to do this step:

When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue.

After finishing this, you can use az ad sp list to check if the sp is in that tenant.

Also, you need to ensure your multi-tenant app is configured correctly before you start signing in to it. For more details about how to sign in any AAD user using a multi-tenant app, please refer to this document.
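The check described in this answer, as an added example that is not part of the original answer: it asks the signed-in tenant for a service principal with the app's client ID, and if none exists prints the tenant-wide admin consent URL that creates one. The application object itself exists only in the home tenant, which is why `az ad app show` reports "does not exist" from another tenant even when everything is configured correctly. The app ID and tenant values below are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: verify consent for a multi-tenant app in the tenant the
# Azure CLI is currently logged in to. Not code from the original post.

# Build the tenant-wide admin consent URL for a multi-tenant app.
# $1 = tenant ID or verified domain, $2 = application (client) ID,
# optional $3 = a URL-encoded redirect URI registered on the app.
admin_consent_url() {
  local url="https://login.microsoftonline.com/$1/adminconsent?client_id=$2"
  [ -n "${3:-}" ] && url="${url}&redirect_uri=$3"
  printf '%s\n' "$url"
}

# Given the appId list returned by `az ad sp list` (one appId per line, as
# produced by `--query "[].appId" -o tsv`), report whether $1 is among them.
# Returns 0 when the service principal exists, 1 otherwise.
sp_present_in_list() {
  local app_id="$1" sp_list="$2"
  printf '%s\n' "$sp_list" | grep -qixF "$app_id"
}

# Constructed sample output, used for offline checks of the functions above.
SAMPLE_APP_ID="00000000-0000-0000-0000-000000000001"
SAMPLE_SP_LIST="aaaaaaaa-1111-1111-1111-111111111111
00000000-0000-0000-0000-000000000001"

# Live check against the signed-in tenant; requires a prior `az login`.
check_sp() {
  local app_id="$1" tenant sps
  tenant=$(az account show --query tenantId -o tsv)
  sps=$(az ad sp list --filter "appId eq '${app_id}'" --query "[].appId" -o tsv)
  if sp_present_in_list "$app_id" "$sps"; then
    echo "Service principal for ${app_id} exists in tenant ${tenant}: consent was granted."
  else
    echo "No service principal for ${app_id} in tenant ${tenant}."
    echo "The application object lives only in the home tenant, so"
    echo "'az ad app show --id ${app_id}' cannot find it here. Grant consent"
    echo "(user sign-in, or an admin via the URL below) to create the SP:"
    admin_consent_url "$tenant" "$app_id"
  fi
}

# Usage: ./check_sp.sh <application-id>
if [ $# -gt 0 ]; then
  check_sp "$1"
fi
```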