I have the following setup:

- 2 tenants, `T-1` and `T-2`
- A multi-tenant app `A` registered in `T-1`.
- It requires admin consent for the Graph API
- In the manifest, I have `"availableToOtherTenants": true` and `"signInAudience": "AzureADandPersonalMicrosoftAccount"`
- I have an admin user `U-2` for `T-2`. `U-2` is invited to `T-1` as a guest and accepts. `U-2` attempts to provide admin consent for the app in `T-1` (`A`) via the url `https://login.microsoftonline.com/${T-1 guid}/adminconsent?${params}`
At this point, I get redirected to an error page with the following info:
`A-1` needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
- Request Id: bd83872a-aa37-440f-8a2e-82185f4f4300
- Correlation Id: 09219117-2532-4705-91f4-3447647feed0
- Timestamp: 2019-03-05T18:35:05Z
- Message: AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.
FYI I had Advanced diagnostics enabled.
Any clues on what I could try next?
`{params}`? Are you signing into the Admin Consent with a Global Admin account from the tenant you are asking for consent from? – Marc LaFleur

`T-2` - this is not the tenant where the app was registered (that is `T-1`). For `{params}`, I'm using: `client_id={my_client_id}&redirect_uri={my_callback_uri}&state={somestring}`. – chris

`A` is configured with the Application Permissions User.Read.All (under Graph API), which requires admin consent – chris