I've made an app registration in our Azure AD (AAD) that's enabled for multi-tenancy. This registration is successfully registered in another (client) AAD tenant (admin consent has been given).
I'm using .Net Core 2.1 and the MSAL 2.0 library for authentication.
I need to access the client AAD with Microsoft Graph from our management app to read the client AAD groups when I'm logged in with a user from the original AAD (where the app registration was created).
I've followed this article https://docs.microsoft.com/en-us/graph/auth-v2-service and requested a token from the client AAD (Step 4). When I use this token to access the client AAD groups I get an access denied error.
When I create an app registration without multi-tenancy enabled within the client tenant AAD it works just fine. Isn't what I want to achieve possible? I thought I'm not the only one who wants to access a client AAD from a management app, but I can't find any other articles describing this problem.
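An added diagnostic example, not part of the question and not the poster's .NET code: it builds the step-4 client-credentials request against the client tenant's token endpoint and then inspects the claims of the returned access token (`tid`, `aud`, `roles`, `scp`) to see why Graph would answer "access denied". The tenant ids and the sample token are constructed, and `Group.Read.All` is assumed to be the application permission needed to read groups.

```python
import base64
import json

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")

def build_token_request(client_tenant_id, client_id, client_secret):
    """Return (url, form) for the client-credentials call. The tenant in the
    URL must be the *client* tenant, not the app's home tenant and not
    'common', otherwise the token is not issued for that directory."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "scope": GRAPH_SCOPE, "grant_type": "client_credentials"}
    return TOKEN_URL.format(tenant=client_tenant_id), form

def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims):
    """Constructed, UNSIGNED JWT so the check can be exercised offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s.x" % (header, _b64url(json.dumps(claims).encode()))

def decode_claims(access_token):
    """Read the payload for inspection only; the signature is NOT verified."""
    _header, payload, _sig = access_token.split(".")
    return json.loads(_unb64url(payload))

def check_app_token(claims, client_tenant_id, required_role):
    """List reasons Graph would reject this token for an app-only call into
    the client tenant; an empty list means the claims look right."""
    problems = []
    if claims.get("tid") != client_tenant_id:
        problems.append("tid=%r is not the client tenant" % claims.get("tid"))
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("aud=%r is not Microsoft Graph" % claims.get("aud"))
    if "scp" in claims:
        problems.append("scp present: delegated (user) token, not app-only")
    if required_role not in claims.get("roles", []):
        problems.append("roles lacks %s: application permission not consented "
                        "in the client tenant" % required_role)
    return problems
```

Run the same `check_app_token` over the real token from step 4 (pasted from the HTTP response) to see which of the four conditions fails; a token requested from the home tenant fails the `tid` check even though the request itself succeeds.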