0
votes

I have some problems with admin consent in a multi-tenant environment. Here is my structure:

  • Tenant 1
  • Tenant 2

I have registered one Active Directory app in Tenant 1, called "App1". In this app I set, e.g., permissions for Microsoft Graph. Then I granted these permissions.

Now I want to have also this App1 in my Tenant 2, so I do an AdminConsent with: https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1

It worked fine. A few minutes later I saw App1 in Tenant2 and I was able, e.g., to give access rights to App1 for users of Tenant2. No problem.

Then I had to give my App1 a few more permissions. So I clicked "App registrations" in Tenant1 and added more permissions for Microsoft Graph. Then I clicked "Enterprise Applications" in Tenant1, selected my App1 -> Permissions and then "Grant admin consent for tenant1". A new browser window was opened and I was able to do the admin consent for App1 in Tenant1.

Then I thought that I had to do the same in Tenant2, because that is how it worked the first time. So in Tenant2 I also navigated to ActiveDirectory -> Enterprise Applications -> selected my App1 -> Permissions. Here I saw the first permissions which I had granted. Then I clicked "Grant admin consent for Tenant2". A new browser window was opened, but now it failed with the following error: https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application+%clientID_of_App1%27+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.%0d%0aTrace+ID%TraceID%0d%0aCorrelation+ID%CorrelationIDaTimestampTimestamp&admin_consent=True&tenant=TenantID_of_Tenant2

Easier to read, the error is:

"AADSTS65005. The application ID_App1 asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."

I get the same error when I invoke the URL https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1

But I didn't do anything... so where's the problem?

1
Have you tried: https://login.microsoftonline.com/tenant-id/oauth2/authorize?prompt=admin_consent? You'll need to add the other needed parameters of course. – juunas

With which tenant-id should I test it? From Tenant 1 or 2? And I tested the URL with the parameters redirect_url, none, resource, response_type=code ... nothing worked. – bater

And for me it is unclear how the URL has to look... the Microsoft docs aren't helping here. – bater

Sorry for the delay, here is an example: https://login.microsoftonline.com/your-tenant-id/oauth2/authorize?client_id=your-app-client-id&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2F&prompt=admin_consent. Be sure to replace the client id, tenant id and redirect URI with your values and note that the redirect URI needs to be URL-encoded. – juunas

No problem. What do you mean by "URL-encoded"? Does my redirect URI have to look like "https%3A%2F..." or "https://..."? And where exactly do I find my redirect URL? Or is it the "reply URL"? – bater
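To make the comments above concrete, the following added example (not from the question or the answer) builds the v1 authorize URL with prompt=admin_consent, URL-encoding the redirect URI the way juunas describes, and parses the query string Azure AD appends to the redirect URI on the way back, including the AADSTS65005 error the question shows. The tenant id, client id and redirect URI are placeholders, and the optional state parameter is an assumption drawn from the standard OAuth 2.0 authorize request, added so the callback can be matched to the request that started it.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant_id, client_id, redirect_uri, resource=None, state=None):
    """Build the v1 /oauth2/authorize URL that prompts for tenant-wide admin consent.

    urlencode() percent-encodes the redirect URI, so "https://localhost/" becomes
    "https%3A%2F%2Flocalhost%2F" exactly as in the comment thread above.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match a reply URL registered on the app
        "prompt": "admin_consent",
    }
    if resource:                        # v1 endpoint: resource being consented to
        params["resource"] = resource
    if state:                           # assumption: opaque value echoed back on the callback
        params["state"] = state
    return f"{AUTHORITY}/{tenant_id}/oauth2/authorize?{urlencode(params)}"


def parse_consent_redirect(redirect_url, expected_state=None):
    """Interpret the query string Azure AD appends to the redirect URI after consent."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    description = query.get("error_description", "")
    # The description starts with the AADSTS code, e.g. "AADSTS65005: The application ..."
    aadsts = description.split(":", 1)[0].strip() if description.startswith("AADSTS") else None
    state_ok = expected_state is None or query.get("state") == expected_state
    return {
        "ok": "error" not in query and state_ok,
        "error": query.get("error"),
        "aadsts": aadsts,
        "description": description,
        "admin_consent": query.get("admin_consent") == "True",
        "tenant": query.get("tenant"),
        "state_ok": state_ok,
    }


# Constructed sample callbacks, modelled on the failure in the question and on a success.
SAMPLE_ERROR_REDIRECT = (
    "https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application"
    "+%27app1-client-id%27+asked+for+permissions+to+access+a+resource+that+has+been+removed"
    "+or+is+no+longer+available.+Contact+the+app+vendor.&admin_consent=True&tenant=TenantID_of_Tenant2"
)
SAMPLE_OK_REDIRECT = "https://localhost/?admin_consent=True&tenant=TenantID_of_Tenant2&state=abc123"
```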

1 Answer

1
votes

For your redirect URI error you can try these steps:

  1. Set the resource in your request to Azure AD.
  2. Ensure that the client ID of the web app is configured in the web API's "knownClientApplications" array property in the manifest file.
  3. Ensure that all permissions are correct (APIs are added as delegated permissions to the client).
  4. Ensure that all services (web app & APIs) are multi-tenant.
  5. Update the manifest with:

     "availableToOtherTenants": true,
     "knownClientApplications": [
       "{client app application id}"
     ],

See also the troubleshooting steps in these similar threads:

Azure AD error when fetching access token & login

The client application has requested access to resource 'https://outlook.office365.com'. This request has failed