question

kumar-0803 asked Altosioadmin-6197 commented

invalid_client - AADSTS650052: The app needs access to a service ("api://tenantA/myapi") that your organization (tenant B) has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

Hi,

I have two tenants, tenant A and tenant B.

In tenant A's Azure AD I created two apps:

1) API App (multi-tenant), which exposes a scope as api://tenantA/myapi

2) Webapp (multi-tenant), to which I added an API permission for the API App with the scope (api://tenantA/myapi)

And a tenant B user is trying to log in to the Webapp of tenant A with the authorize endpoint:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code%20id_token&response_mode=form_post&redirect_uri=http://localhost:8080/myapp/aad&client_id={tenantAWebappClientID}&scope=openid+offline_access+profile+api://tenantA/myapi&state=1234&nonce=1234

And we are getting the following error:
invalid_client - AADSTS650052: The app needs access to a service ("api://tenantA/myapi") that your organization "xxxxxx-xxxx-xxxx-xxxx-xxxxxx" has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

Please help on this.




azure-active-directory

Hi, I followed the instructions and still get this error.

AADSTS650052: The app needs access to a service ('https://ads.microsoft.com [ads.microsoft.com]') that your organization [removed] has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

I'm not sure how to add Bing Ads; I don't find it in the marketplace either.


1 Answer

amanpreetsingh-msft answered Altosioadmin-6197 commented

Hi @kumar-0803,

This error usually occurs with multi-tier applications when the knownClientApplications parameter is not set in the app manifest. To better understand this, please refer to the example scenario below:

We have Tenant1, where the multi-tenant applications App1 (Web API) and App2 (Web or Native) are registered. We will be accessing App2 with a user account in Tenant2.

  1. In Tenant1, register a web application named App1, which will be used as the Web API. Once the application is registered, navigate to Expose an API and set the App ID URI, e.g. set the App ID URI to https://your_verified_domain/api/

  2. Add the required scopes such as read, user_impersonation, etc. These scopes should be listed as https://your_verified_domain/api/read and https://your_verified_domain/api/user_impersonation on the Expose an API blade.

  3. Register another application in Tenant1 and name it App2. Navigate to API Permissions and add the API permissions which were exposed as scopes in the steps above.

  4. Add the Client ID of App1 to the knownClientApplications parameter in the Manifest of App2.

  5. Since it is a multi-tenant app, we need to accept the consent prompt to access this application in Tenant2. For that purpose, use the URL below after updating the client_id parameter with the App ID of App2: https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code

  6. The consent prompt will be presented with the permissions added in step 3. After accepting the consent, the service principals for both applications, App1 and App2, will be created in Tenant2.

In this case, you shouldn't get the above error and the login should be successful.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


Thanks, @amanpreetsingh-msft. So, once the admin of Tenant2 consents, any regular user of Tenant2 can access Tenant1's App2, right?


@kumar-0803 Yes, that is correct.


Hi @amanpreetsingh-msft ,

The solution seems to be working, and it looks like in step 4 we might need to add the Client ID of App2 (Web or Native) to the knownClientApplications parameter in the Manifest of App1 (Web API).

Please correct me if I am wrong.

Thanks,


Hi Aman,
I have a very similar issue. I am going through App roles to be able to consent Application Permissions on Tenant B.
Can you please help me out? I have asked a question here with all the details.
https://docs.microsoft.com/en-us/answers/questions/575269/the-app-needs-access-to-a-service-39apiappid39-tha.html

Thank you in advance.


@kumar-0803, if you refer to step 5, we are using the client_id of App 2 in the request. So, this application's knownClientApplications attribute should be updated with the client_id/app_id of App1. If we use the client_id of App 1 in the request, we need to add App 2 as knownClientApplications in App 1's manifest. In short, the application whose context we are using in the request should contain the other application as knownClientApplications in its manifest.



It is the other way round. As soon as I did it the other way round I achieved the consent.

I.e., in the Web API app I added the Webapp Client ID to knownClientApplications.
I then used the Webapp Client ID in the consent request.
And voila, consent was achieved.


Hi @amanpreetsingh-msft,

I am facing the same issue, but in my scenario I have a chain of app registrations.

Suppose I have three app registrations, App A, App B and App C, and those apps are related as below:
1) In App B, permission is given to access App C
2) In App A, permission is given to access App B
3) There is no direct relation between App A and App C

It is a chain of permissions. I have referred to the article below and I have the same scenario.

https://joonasw.net/view/aad-api-chains-and-cyclic-dependencies

Please help me on this. Thanks in advance.


