Question asked by DavidBennett-5876

Error AADSTS650052 when trying to grant admin consent to multi-tenant application/API

Hello,

Our setup looks very much like the answer given by @amanpreetsingh-msft here: https://docs.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html

We've got 2 Azure AD tenants:
1. Tenant 1 has 2 multi-tenant applications (a client and an API.) The client requires permissions for MS Graph (email and User.Read) and one scope exposed by our API. This all works fine for users in that tenant. Also, I have added the API into the manifest of the client's knownClientApplications.
2. Tenant 2 is a free tier AAD tenant without a verified domain that holds a small number of users.

When I try logging in with a global admin user from tenant 2, via a link similar to this:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code

I get this error:
invalid_client - AADSTS650052: The app needs access to a service ("api://tenantA/myapi") that your organization (tenant B) has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

I've tried everything I could find in similar questions, but still have the same issue.

Is there something we're missing? I haven't been able to find anything that states this setup won't work for a non-verified user domain, requires a premium tier, etc.

Thanks,

Dave
azure-ad-app-consent

The Microsoft docs mention not to use common as the tenant parameter. Instead use organizations or, better, the tenant GUID.

Find the example here

The consent link should look like this:

https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&scope=https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Mail.Send&redirect_uri=http://localhost/myapp/permissions&state=12345

When using that endpoint, with tenant set to 'organizations', or the GUID for tenant 2 (the user's tenant), I still get the 650052.
When using the GUID for the App/API's tenant, I get this:

Selected user account does not exist in tenant 'myAPItenant' and cannot access the application 'myApp' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

My goal here is to provide admin consent so that all future users of tenant 2 can access the app/API without a consent dialog - We don't want each user to have to request permission from the admin.

Thanks,

Dave

M2vH:

I understand your intent.
May I ask why the API is a known client in the manifest of the app? Shouldn't it be the other way around?
What if you don't add the API to the manifest? Will it still work for users from tenant 1?

M2vH:

Here is a link to a repo with an example application. https://github.com/mspnp/multitenant-saas-guidance/blob/master/get-started.md

It is not identical to your scenario, as the API is not external but is instead registered in the same tenant. Nevertheless, in this example, the WebApp ID is a known client in the manifest of the API.

In your case, there is a known client in the multi-tenant app, which is the API. I guess this is what causes the error.


1 Answer

Answer by DavidBennett-5876

@M2vH Thanks, you touch on 2 different issues that seem to sort out my problem.

1) An admin consent request needs to be made for the API first. The example I was following had this backwards. (Although I believe a request for the Client app worked fine from a user within the app's tenant.)
2) I believe the manifest for the API should include the known client setting for the Client app, and not the other way around. (I haven't tested this just yet, as I simply retried the admin_consent request to the ClientApp after a successful request for the API, and that did the trick.)

Thanks again,

Dave


That's good to hear.
If we have two multi-tenant apps, we need consent for each of them.

But if it's necessary for admin of tenant 2 to do all this in the right order, I'm sure if there is room to improve the structure.

As a developer in tenant-2 I could try to take my API consent and talk to the API directly.

Maybe the API doesn't need to be multi-tenant. And the API scope is an application scope. Then the client can call Graph as the delegate of the user and then call the API as an application with your API scope.

Now we could control access at scope level on the API.

Just my quick first thought, maybe I'm totally wrong.

It's working, and that's what the question was all about. 😂

Marco

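The two points that resolved the thread, consenting with the tenant GUID instead of common (the first comment's adminconsent link) and consenting to the API registration before the client that depends on it (the accepted answer), can be captured in a small script. The following is an added example and is not code from the thread or from Microsoft; every tenant ID, app ID, scope name and redirect URI in it is a constructed placeholder, and the Graph scope used for the API's own consent is an assumption to be replaced with whatever the API registration actually declares. It builds the two v2.0 adminconsent URLs in the right order and validates the redirect that comes back, including the state check and an explanation for AADSTS650052.

```python
"""Admin-consent URLs for a multi-tenant client + API pair (Microsoft identity platform v2.0).

Added example, not from the thread or from Microsoft. All IDs, scopes and URIs below
are constructed placeholders.
"""
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

AUTHORITY = "https://login.microsoftonline.com"

# Assumed placeholders: the consenting tenant's GUID (tenant 2 in the thread) and the
# two app registration IDs from the publishing tenant (tenant 1).
CONSENTING_TENANT = "00000000-0000-0000-0000-000000000000"
API_APP_ID = "11111111-1111-1111-1111-111111111111"    # multi-tenant API registration
CLIENT_APP_ID = "22222222-2222-2222-2222-222222222222" # multi-tenant client registration
API_SCOPE = "api://tenantA/myapi/access_as_user"       # hypothetical scope exposed by the API
REDIRECT_URI = "https://localhost/myapp/permissions"   # must be registered on the app


def admin_consent_url(tenant: str, client_id: str, scopes: list[str],
                      redirect_uri: str, state: str) -> str:
    """Build a v2.0 adminconsent URL.

    Refuses 'common': admin consent has to be recorded in a specific organization,
    so the tenant segment must be the org's GUID (or 'organizations')."""
    if tenant == "common":
        raise ValueError("use the tenant GUID or 'organizations' for admin consent, not 'common'")
    if not state:
        raise ValueError("state is required to tie the callback to this request")
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def consent_sequence(tenant: str, state: str) -> list[tuple[str, str]]:
    """Order that resolved AADSTS650052 in the thread: consent to the API first so its
    service principal exists in the consenting tenant, then consent to the client that
    requests the API's scope. The API's own scope list is an assumption."""
    api_url = admin_consent_url(
        tenant, API_APP_ID, ["https://graph.microsoft.com/.default"], REDIRECT_URI, state)
    client_url = admin_consent_url(
        tenant, CLIENT_APP_ID,
        ["https://graph.microsoft.com/User.Read", "email", API_SCOPE],
        REDIRECT_URI, state)
    return [("api", api_url), ("client", client_url)]


def check_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect back from the adminconsent endpoint.

    The state must equal what we sent (CSRF check) and admin_consent must be 'True'.
    Error responses are returned with a hint for the error code this thread is about."""
    q = parse_qs(urlparse(callback_url).query)

    def first(key: str):
        return q.get(key, [None])[0]

    if first("state") != expected_state:
        return {"ok": False, "reason": "state mismatch; ignore this callback"}
    if first("error"):
        desc = first("error_description") or ""
        hint = ""
        if "AADSTS650052" in desc:
            hint = ("resource API not provisioned in the consenting tenant; "
                    "grant admin consent to the API registration first")
        return {"ok": False, "reason": first("error"), "description": desc, "hint": hint}
    if (first("admin_consent") or "").lower() != "true":
        return {"ok": False, "reason": "admin_consent not granted"}
    return {"ok": True, "tenant": first("tenant"), "scope": first("scope")}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # keep this server-side to compare on the callback
    for role, url in consent_sequence(CONSENTING_TENANT, state):
        print(f"{role}: {url}")
```

The state value is generated per request and compared on the way back so that a forged callback cannot be mistaken for a real consent grant; the success response from the endpoint carries the consenting tenant's ID, which is worth logging so you know which organization the consent landed in.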