
I've been trying for 3 days to grant admin consent for application permissions in an Azure B2C tenant for an enterprise application.

The app is registered in my main-tenant with all its delegated and application-type permissions, which are granted tenant-wide. The main-tenant also has an entry in its enterprise applications where I can see the same permissions.

I don't know how to add the app to my side-tenant without publishing it to the MS store. So I simply log in to my app with a side-tenant account. (I don't know if that's the correct way?)

After the login I have an entry in the enterprise applications of my side-tenant, but without the permissions I need.

Now here is my question: how can I grant the permissions I need for all users in my side-tenant?

I already tried this URL: https://login.microsoftonline.com/{tenantID}/adminconsent?client_id={clientID}&scope=/.default&redirect_uri=xxx

For my main-tenant it works as expected, maybe because it has the application registration, which is missing in my side-tenant.

When I try it with my side-tenant, I'm getting this error:

access_denied: AADSTS650054 The application XXXX asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.

1 Answer

What is likely happening here is that you have configured your app to request access to at least one API which has no representation in "side-tenant" (the API called "LegacyAPI", for example). That's why the error message mentions the "resource that has been removed or is no longer available".

For consent to succeed, all of the resource services (i.e. the APIs) the app is requesting access to must exist in the tenant where consent is being granted. (A service principal object needs to exist.)

You have two options here:

  • Grant consent to the missing resource services in "side-tenant" (e.g. via the admin consent URL)
  • Manually create a service principal for the missing resource service in "side-tenant" (e.g. New-AzureADServicePrincipal -AppId "{resource-app-id}")

Not related to your issue, but related to the admin consent URL:

For what you're trying to do, there are three ways to construct the admin consent URL, one using the older v1 endpoint, and two using the newer (recommended) v2 endpoint. In your admin consent URL, you are using the v1 endpoint, but you are including the scope parameter (which is only used in the v2 endpoint).

  • v2 (recommended)
    • For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
      https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
           ?client_id={client-id}
           &scope=.default
           &redirect_uri={redirect-url}

    • For the delegated permission User.Read for Microsoft Graph, don't revoke other permissions which were already granted tenant-wide (dynamic, incremental):
      https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
           ?client_id={client-id}
           &scope=https://graph.microsoft.com/User.Read
           &redirect_uri={redirect-url}

  • v1 (supported, not recommended)
    • For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
      https://login.microsoftonline.com/{tenant-id}/adminconsent
           ?client_id={client-id}
           &redirect_uri={redirect-url}

Reference: https://docs.microsoft.com/azure/active-directory/develop/v2-admin-consent
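As an added illustration (not part of the original answer), the following Python builds the three admin-consent URL forms described above and checks an existing URL for the mix-up the question's URL shows: a `scope` parameter on the v1 endpoint, and a scope that is neither `.default` nor resource-qualified. The tenant, client and redirect values are placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"


def admin_consent_url(tenant_id, client_id, redirect_uri, version="v2", scope=".default"):
    """Build a tenant-wide admin consent URL.

    version="v2": /v2.0/adminconsent; 'scope' is required. ".default" grants everything
        configured in the app registration (static); a resource-qualified scope such as
        "https://graph.microsoft.com/User.Read" is incremental (dynamic).
    version="v1": /adminconsent; no 'scope' parameter (always static).
    """
    params = {"client_id": client_id}
    if version == "v2":
        if not scope:
            raise ValueError("v2 admin consent requires a scope (e.g. '.default')")
        params["scope"] = scope
    elif version != "v1":
        raise ValueError("version must be 'v1' or 'v2'")
    params["redirect_uri"] = redirect_uri  # urlencode percent-encodes the redirect URL
    path = "/v2.0/adminconsent" if version == "v2" else "/adminconsent"
    return f"{AUTHORITY}/{tenant_id}{path}?{urlencode(params)}"


def check_admin_consent_url(url):
    """Return a list of problems found in an admin consent URL (empty list = looks fine)."""
    problems = []
    parsed = urlparse(url)
    if not parsed.path.endswith("/adminconsent"):
        return ["path is not an adminconsent endpoint"]
    is_v2 = parsed.path.endswith("/v2.0/adminconsent")
    query = parse_qs(parsed.query)
    scope = query.get("scope", [None])[0]
    if not is_v2 and scope is not None:
        problems.append("scope is only used by the v2 endpoint; switch to /v2.0/adminconsent or drop it")
    if is_v2 and not scope:
        problems.append("the v2 endpoint requires a scope parameter")
    # Valid forms are the bare ".default" or "{resource}/{permission}"; a leading "/" has no resource.
    if scope is not None and scope.startswith("/"):
        problems.append(f"scope '{scope}' has no resource prefix; use '.default' or e.g. 'https://graph.microsoft.com/User.Read'")
    for name in ("client_id", "redirect_uri"):
        if name not in query:
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    # Placeholder values, constructed for this example.
    print(admin_consent_url("{tenant-id}", "{client-id}", "https://example.invalid/callback"))
    print(check_admin_consent_url(
        "https://login.microsoftonline.com/{tenantID}/adminconsent?client_id={clientID}&scope=/.default&redirect_uri=xxx"))
```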