Question asked by BenjaminLiSauerwine-6547

AADSTS500011: How to associate a resource principal with an application client ID

I am setting up an enterprise application where third-party applications should be able to authenticate into it using our institutional SSO. The enterprise application has a GUID Client ID provided (e.g., 12345678-1234-1234-1234-1234567890ab) and I am indeed able to log into the application both through the public URL (e.g., https://myapp.myinstitution.edu) and using applications under my control that are aware of the Client ID.

The issue comes when I try to log into it with a third-party application like PowerBI. PowerBI, being outside my control, does not know the Client ID and attempts to log in using the public URL as the resource principal (https://myapp.myinstitution.edu).

My assumption is that somewhere I need to inform Azure Active Directory that the resource principal known to third-party apps (e.g., https://myapp.myinstitution.edu) is one and the same as my client ID (e.g., 12345678-1234-1234-1234-1234567890ab). My belief was that the correct way to do this would be to configure a Publisher Domain under the Branding section under App Registrations, but this did not resolve the issue.

How do I inform Active Directory that certain resource principals are synonymous with my application's Client ID?

Tags: azure-active-directory, azure-ad-app-registration, azure-ad-app-development, azure-ad-app-management

Which guide are you following for this? The error you referenced usually appears if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant, or the App ID and App Secret are not updated in the API management portal.

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-howto-aad.md

0 Votes 0 ·

Unfortunately, I don't know that there is a guide or instructions for what I'm trying to do. I believe the reason for the error is that third-party applications like PowerBI do not have any way to know what my application's GUID Client ID is. Instead, they attempt to authenticate with my application using the endpoint they know as the resource principal, like https://myapp.myinstitution.edu. When their OAuth2 request hits Active Directory, then, Active Directory is correctly reporting error AADSTS500011 because the resource principal requested doesn't exist and certainly is not tied to any application that it knows about.

When the client application is under my control or when the user logs into my application directly, I can tell it to send its OAuth2 request using my GUID Client ID and everything works just fine. Specifically, then, I need to know how to connect a resource principal like https://myapp.myinstitution.edu to my GUID client ID in Active Directory.

0 Votes 0 ·
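The thread turns on one detail of how Azure AD tokens are addressed: whatever identifier a client sends as the resource (the registration's client ID GUID, or a URI such as https://myapp.myinstitution.edu once that URI is registered as an Application ID URI on the app registration) is what the issued access token carries in its `aud` claim. A resource application that only compares `aud` against its GUID will therefore reject valid tokens obtained by third-party clients that used the URI form. The following example is added here and is not code from the thread, from Azure AD or from Microsoft; the tenant ID, client ID, Application ID URI, token payloads and the `check_token` / `validate_claims` helpers are all constructed for illustration. It shows the audience, issuer and lifetime checks a resource app should make, accepting every identifier form Azure AD may place in `aud` for one registration. Signature verification against the tenant's JWKS is deliberately left out and must run before any of these claims are trusted.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed values for this example (not from the thread): a tenant ID,
# the registration's client ID, and the Application ID URI that a third
# party such as Power BI would send as the "resource" parameter.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "12345678-1234-1234-1234-1234567890ab"
APP_ID_URI = "https://myapp.myinstitution.edu"

# Every identifier Azure AD may place in the token's "aud" claim for this
# registration: the bare client ID, the Application ID URI, and the api://
# form the portal offers as a default Application ID URI (assumption: all
# three are registered on the same app registration).
ACCEPTED_AUDIENCES = frozenset({CLIENT_ID, APP_ID_URI, f"api://{CLIENT_ID}"})

# The v1.0 and v2.0 endpoints use different issuer formats for one tenant.
ACCEPTED_ISSUERS = frozenset({
    f"https://sts.windows.net/{TENANT_ID}/",
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking the
    signature. In production the signature must be verified against the
    tenant's JWKS (the jwks_uri in the OpenID discovery document) before
    any claim returned here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, now: Optional[float] = None,
                    skew: int = 300) -> Tuple[bool, str]:
    """Check audience, issuer and lifetime. Returns (ok, reason)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    # "aud" may be a string or a list; accept only if one entry is ours.
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in ACCEPTED_AUDIENCES for a in auds):
        return False, f"audience {aud!r} is not this application"
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        return False, f"issuer {claims.get('iss')!r} is not our tenant"
    if now > claims.get("exp", 0) + skew:
        return False, "token expired"
    if now < claims.get("nbf", 0) - skew:
        return False, "token not yet valid"
    return True, "ok"


def _make_token(payload: dict) -> str:
    """Assemble a JWT-shaped string for the constructed samples below.
    The third segment is a placeholder, not a real signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample tokens evaluated at a fixed instant.
NOW = 1_700_000_000
V1_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
SAMPLE_TOKENS = {
    # A third-party client requested the resource by its public URI.
    "third_party_uri": _make_token(
        {"aud": APP_ID_URI, "iss": V1_ISSUER, "exp": NOW + 3600, "nbf": NOW - 60}),
    # A client under our control requested the resource by client ID.
    "first_party_guid": _make_token(
        {"aud": CLIENT_ID, "iss": V2_ISSUER, "exp": NOW + 3600, "nbf": NOW - 60}),
    # A token minted for some other resource in the same tenant.
    "other_resource": _make_token(
        {"aud": "https://other.myinstitution.edu", "iss": V1_ISSUER,
         "exp": NOW + 3600, "nbf": NOW - 60}),
    # Right audience, but the token's lifetime has passed.
    "expired": _make_token(
        {"aud": APP_ID_URI, "iss": V1_ISSUER, "exp": NOW - 7200, "nbf": NOW - 10800}),
}


def check_token(token: str, now: float = NOW) -> Tuple[bool, str]:
    """Parse the token and run the claim checks at instant `now`."""
    return validate_claims(unverified_claims(token), now=now)


if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        print(f"{name:18s} -> {check_token(tok)}")
```

Accepting more than one audience identifier is what lets a single registration serve both the GUID-aware clients the poster controls and a third party that only knows the public URI; the audience set must still be closed, so a token minted for any other resource in the tenant is rejected rather than replayed against this one.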

0 Answers