Error AADSTS650052 when trying to grant admin consent to multi-tenant application/API

David Bennett 106 Reputation points
2021-05-14T17:06:41.87+00:00

Hello,

Our setup looks very much like the answer given by @AmanpreetSingh-MSFT here: https://learn.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html

We've got 2 Azure AD tenants:

  1. Tenant 1 has 2 multi-tenant applications (a client and an API). The client requires permissions for MS Graph (email and User.Read) and one scope exposed by our API. This all works fine for users in that tenant. Also, I have added the API into the manifest of the client's knownClientApplications.
  2. Tenant 2 is a free tier AAD tenant without a verified domain that holds a small number of users.

When I try logging in with a global admin user from tenant 2, via a link similar to this:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code

I get this error:
invalid_client - AADSTS650052: The app needs access to a service ("api://tenantA/myapi") that your organization (tenant B) has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

I've tried everything I could find in similar questions, but still have the same issue.

Is there something we're missing? I haven't been able to find anything that states this setup won't work for a non-verified user domain, requires a premium tier, etc.

Thanks,

Dave

Microsoft Entra ID

Accepted answer
  1. David Bennett 106 Reputation points
    2021-05-16T01:30:01.783+00:00

    @Marco von Hagen Thanks, you touch on 2 different issues that seem to sort out my problem.

    1) An admin consent request needs to be made for the API first. The example I was following had this backwards. (Although I believe a request for the Client app worked fine from a user within the app's tenant.)
    2) I believe the manifest for the API should include the known client setting for the Client app, and not the other way around. (I haven't tested this just yet, as I simply retried the admin_consent request to the ClientApp after a successful request for the API, and that did the trick.)

    Thanks again,

    Dave

    1 person found this answer helpful.
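The two points in the accepted answer (consent the API before the client, and put knownClientApplications on the API naming the client, not the reverse) can be checked mechanically before sending a foreign tenant's admin a consent link. The script below is an added example, not code from the thread: it lints two constructed app manifests in the Microsoft Graph application-manifest shape (appId, signInAudience, identifierUris, knownClientApplications, api.oauth2PermissionScopes, requiredResourceAccess) and emits v1 admin-consent URLs in dependency order. All GUIDs are placeholders except the Microsoft Graph resource appId; the tenant id passed in is hypothetical.

```python
"""Lint a multi-tenant client/API pair and emit admin-consent URLs in an order
that avoids AADSTS650052 (API first, then the client that depends on it).
Added example; manifests are constructed, GUIDs are placeholders."""
import json
from urllib.parse import urlencode

# Constructed API registration: it names the client in knownClientApplications.
API_MANIFEST = json.loads("""{
  "appId": "22222222-2222-2222-2222-222222222222",
  "signInAudience": "AzureADMultipleOrgs",
  "identifierUris": ["api://tenantA/myapi"],
  "knownClientApplications": ["11111111-1111-1111-1111-111111111111"],
  "api": {"oauth2PermissionScopes": [
    {"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "value": "access_as_user", "type": "User"}]}
}""")

# Constructed client registration: Graph delegated scopes plus one scope on the API.
# 00000003-0000-0000-c000-000000000000 is the Microsoft Graph resource appId;
# the two Graph scope ids are placeholders.
CLIENT_MANIFEST = json.loads("""{
  "appId": "11111111-1111-1111-1111-111111111111",
  "signInAudience": "AzureADMultipleOrgs",
  "knownClientApplications": [],
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [
      {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"},
      {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"}]},
    {"resourceAppId": "22222222-2222-2222-2222-222222222222", "resourceAccess": [
      {"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "type": "Scope"}]}
  ]
}""")

MULTI_TENANT = ("AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount")


def lint_registrations(api: dict, client: dict) -> list[str]:
    """Return misconfigurations that produce AADSTS650052 or leave the API
    outside the consent the client obtains."""
    problems = []
    api_id, client_id = api["appId"], client["appId"]

    for name, m in (("API", api), ("client", client)):
        if m.get("signInAudience") not in MULTI_TENANT:
            problems.append(f"{name} is not multi-tenant (signInAudience={m.get('signInAudience')!r})")

    # knownClientApplications belongs on the resource (API) and lists its clients.
    if client_id not in api.get("knownClientApplications", []):
        problems.append("API manifest does not list the client in knownClientApplications")
    if api_id in client.get("knownClientApplications", []):
        problems.append("client manifest lists the API in knownClientApplications (backwards)")

    # Every API scope the client requests must be one the API actually exposes.
    exposed = {s["id"] for s in api.get("api", {}).get("oauth2PermissionScopes", [])}
    wanted = [ra["id"] for rra in client.get("requiredResourceAccess", [])
              if rra["resourceAppId"] == api_id
              for ra in rra["resourceAccess"] if ra["type"] == "Scope"]
    if not wanted:
        problems.append("client does not request any scope on the API")
    problems += [f"client requests scope {s} which the API does not expose"
                 for s in wanted if s not in exposed]
    return problems


def admin_consent_urls(api: dict, client: dict, tenant: str = "common") -> list[str]:
    """v1 authorize endpoint with prompt=admin_consent (as in the thread),
    API first so the client's dependency already exists in the target tenant."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?"
    return [base + urlencode({"client_id": app["appId"], "prompt": "admin_consent",
                              "response_type": "code"}) for app in (api, client)]


def backwards_example() -> tuple[dict, dict]:
    """The setup from the question: knownClientApplications on the client
    pointing at the API instead of on the API pointing at the client."""
    api, client = json.loads(json.dumps(API_MANIFEST)), json.loads(json.dumps(CLIENT_MANIFEST))
    api["knownClientApplications"] = []
    client["knownClientApplications"] = [api["appId"]]
    return api, client


if __name__ == "__main__":
    print("correct setup:", lint_registrations(API_MANIFEST, CLIENT_MANIFEST) or "no problems")
    print("backwards setup:", lint_registrations(*backwards_example()))
    for url in admin_consent_urls(API_MANIFEST, CLIENT_MANIFEST, tenant="tenant-b-id"):
        print(url)
```

Feed it the exported manifests of your own registrations in place of the constructed ones; the consent links are then sent to the tenant 2 admin in the order returned, and the "backwards" lint findings are exactly the two points the accepted answer fixed.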
