can someone explain the azure admin consent flow to me as either its not documented well, I cant read and comprehend or something else.
I have a web app that employs a web api in a home tenant the web api is a permission on the web app the web api has the web app client id as a knownclientapplication
if i login as a home tenant admin on the web app demanding scope of the web api, everything works as expected: i am presented with an admin consent dialog INCLUDING the web api i consent and all is hunky dory
if i login as a client tenant on the web app demanding scope of the web api - using the '/common' tenant, things arent so good: i am presented with an admin consent dialog EXCLUDING the web api when i consent, the enrollment ends in an AADSTS650051 stating I dont have access to a resource
this DOES make sense to me as the web api does not have a service principal in the customer tenant and therefore cannot access it, but when i read the documentation is suggests it should work this way. the terms start to blur for me as they are a bit ambiguous which is where I am not sure what I am supposed to do. source
i can make it work if i sign into the web api first as it will create the service prinicpal then i can login into the web app where it now has access to the service prinicpal
but the documentation doesnt really explain this in the multi tier single tenant but suggests this in the multi tier multi tenant
Ive read it so many times all the words sound like noises now....
anybody ideas/confirmations/tips?
