Hello,
Our setup looks very much like the answer given by @AmanpreetSingh-MSFT here: https://learn.microsoft.com/en-us/answers/questions/28697/invalid-client-aadsts650052-the-app-needs-access-t.html
We've got 2 Azure AD tenants:
- Tenant 1 has 2 multi-tenant applications (a client and an API). The client requires permissions for MS Graph (email and User.Read) and one scope exposed by our API. This all works fine for users in that tenant. Also, I have added the API into the manifest of the client's knownClientApplications.
- Tenant 2 is a free tier AAD tenant without a verified domain that holds a small number of users.
When I try logging in with a global admin user from tenant 2, via a link similar to this:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code
I get this error:
invalid_client - AADSTS650052: The app needs access to a service ("api://tenantA/myapi") that your organization (tenant B) has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
I've tried everything I could find in similar questions, but still have the same issue.
Is there something we're missing? I haven't been able to find anything that states this setup won't work for a non-verified user domain, requires a premium tier, etc.
Thanks,
Dave