Context
We are using multiple directories (TENANT_A, TENANT_B) on Azure. The goal is to create a service principal (Application), _SP_APP, inside TENANT_A which is granted access into TENANT_B. We want to use this service principal in scripts to manage both directories easily. One of the scripts is to make new Application Registrations inside TENANT_B AND to grant ADMIN CONSENT for these applications.
What is done
_SP_APP
- Global Admin on both Directories
- Granted Access to TENANT_B (Visible in Enterprise Application)
- API Permissions were granted Admin Consent (TENANT_A and TENANT_B)
- Microsoft Graph (Delegated and Application Full Access)
- Azure Active Directory Graph (Delegated and Application Full Access)
Steps
Working correctly
# Login with service principal of multiple tenants application
az login --service-principal -u _SP_APP -p <PASSWORD> --tenant TENANT_B
# Creating application and fetching ID
_OBJECT_ID=`az ad app create ...`
Not Working
# Granting Admin Consent
az ad app permission admin-consent --id $_OBJECT_ID
# ERROR
Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS50058: A silent sign-in request was sent but no user is signed in.\r\nTrace ID: 9c9bd004-a97a-4543-8ff0-e314de77a700\r\nCorrelation ID: 44c79409-2f3e-43de-a84b-1e5a42e382e7\r\nTimestamp: 2019-10-28 15:54:20Z" ...
What is strange is that when we az login with a Global Admin User and execute the script, it works fine.
Question
Did we miss something to allow this service principal to be able to grant admin-consent, or is it something only a "user" can do? (I did not find any response in the Microsoft Azure documentation.)
Thank you
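The ClassName in the error (Microsoft.Portal.Framework...) shows that `az ad app permission admin-consent` goes through the Azure Portal's own API, which needs an interactive user session. As an added example (not code from the question), the following records the same consent directly in Microsoft Graph with app-only credentials: one tenant-wide oauth2PermissionGrant for the delegated scopes and one appRoleAssignment per application role, mirroring what the portal's consent button writes. It assumes `az login` has already been run as _SP_APP against TENANT_B and that this identity may write those objects; the `rest` parameter is injectable so the logic can be exercised against constructed tenant data without a live directory.

```python
import json
import subprocess

GRAPH = "https://graph.microsoft.com/v1.0"


def az_rest(method, url, body=None):
    """Call Graph with whatever identity `az login` established (user or service principal)."""
    cmd = ["az", "rest", "--method", method, "--url", url]
    if body is not None:
        cmd += ["--headers", "Content-Type=application/json", "--body", json.dumps(body)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def sp_by_app_id(rest, app_id):
    """Resolve an appId to its service principal object in the signed-in tenant."""
    hits = rest("GET", f"{GRAPH}/servicePrincipals?$filter=appId eq '{app_id}'")["value"]
    if not hits:
        raise LookupError(f"appId {app_id} has no service principal in this tenant")
    return hits[0]


def grant_admin_consent(app_id, rest=az_rest):
    """Consent tenant-wide to every permission the registration requires.
    Returns the created grant/assignment objects so the caller can audit them."""
    client = sp_by_app_id(rest, app_id)
    reg = rest("GET", f"{GRAPH}/applications?$filter=appId eq '{app_id}'")["value"][0]
    created = []
    for req in reg.get("requiredResourceAccess", []):
        resource = sp_by_app_id(rest, req["resourceAppId"])
        scope_names = {s["id"]: s["value"] for s in resource.get("oauth2PermissionScopes", [])}
        role_ids = {r["id"] for r in resource.get("appRoles", [])}
        scopes, roles = [], []
        for access in req["resourceAccess"]:
            if access["type"] == "Scope" and access["id"] in scope_names:
                scopes.append(scope_names[access["id"]])
            elif access["type"] == "Role" and access["id"] in role_ids:
                roles.append(access["id"])
            else:  # never skip silently: a mistyped id would otherwise look consented
                raise ValueError(f"{access} is not published by {req['resourceAppId']}")
        if scopes:  # delegated permissions: a single AllPrincipals grant per resource
            created.append(rest("POST", f"{GRAPH}/oauth2PermissionGrants", {
                "clientId": client["id"], "consentType": "AllPrincipals",
                "resourceId": resource["id"], "scope": " ".join(scopes)}))
        for role in roles:  # application permissions: one app role assignment each
            created.append(rest("POST", f"{GRAPH}/servicePrincipals/{client['id']}/appRoleAssignments", {
                "principalId": client["id"], "resourceId": resource["id"], "appRoleId": role}))
    return created
```

Run it with the registration's appId (the value `az ad app create` returns as `appId`, not the object id) after logging in as the service principal; a second run reports the existing grant as a conflict rather than duplicating it, so check `created` and the Graph error before retrying.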