Question asked by Altosioadmin-6197 (answered by MarileeTurscak-MSFT)

The app needs access to a service ('api://AppId') that your organization 'xxxx' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

Hi,

I have 2 tenants, A and B. In tenant A, I created a multi-tenant Azure app called App1, went to App Roles and created a new app role with the Group.ReadWrite.All scope, as shown in this image:

[image attachment: 137193-image.png]


I then went to the API permissions and added this API as shown in these images:

[image attachments: 137194-image.png, 137195-image.png]

Now, I want to call this URL from tenant B:
https://login.microsoftonline.com/common/adminconsent?client_id={App1Id}&state=12345%20
and that should create an Enterprise Application in tenant B with the Group.ReadWrite.All application permission.

But it is throwing that error in the title. What am I missing?

I have a working example that I found on the Internet that does exactly what I want to achieve.
https://login.microsoftonline.com/common/adminconsent?client_id=e15e924b-85af-4797-9ec2-f785401e91f1&state=12345

Thank you for your help.


Tags: azure-ad-app-registration, microsoft-graph-identity

1 Answer

Answer by MarileeTurscak-MSFT

This error usually occurs in multi-layer applications when the knownClientApplications parameter is not set in app manifest. I would recommend referring to Amanpreet's example and solution in this thread:

We have Tenant1 where APP1 (Web API) and App2 (Web or Native) multi-tenant applications are registered. We will be accessing App2 by a user account in Tenant2.

In Tenant1, register a web application named App1, which will be used as Web API. Once the application is registered, navigate to Exposing an API and set App ID URI. E.g. set the app ID URI to https://your_verified_domain/api/

Add required scopes such as read, user_impersonation, etc. These scopes should be listed as https://your_verified_domain/api/read and https://your_verified_domain/api/user_impersonation on the Expose an API blade.

Register another application in Tenant1 and name it App2. Navigate to API Permissions and add the API permissions which are exposed as scopes in the above steps.

Add Client ID of App1 to knownClientApplications parameter in the Manifest of App2.

Since it is a multi-tenant app, we need to accept the consent prompt to access this application in Tenant2. For that purpose, use the URL below after updating the client_id parameter with the App ID of App2: https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code

The consent prompt will be presented with the permissions added in step 3. After accepting the consent, the service principals for both applications, App1 and App2, will be created in Tenant2.

In this case, you shouldn't get the above error and the login should be successful.

Reference: invalid_client error

See also:

The app needs access to a service

AADSTS650052

Let me know if you still see this error after trying the steps suggested in Aman's answer.

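The following is an added example, not code from either poster or from Microsoft. It models the two-app setup described in the quoted steps with two constructed manifest fragments (placeholder GUIDs, placeholder redirect URI), checks that the client app requests a permission on the API app and that the API app lists the client in knownClientApplications (Microsoft's app manifest documentation places that property on the API/resource app, listing the client app IDs whose consent should be bundled; the helper is written generically so it can check whichever manifest you put it in), and then builds and validates the same /common/adminconsent round trip the question uses. The only behavioural addition beyond the thread is the state parameter: the question's static state=12345 offers no protection against a forged consent callback, so the example issues a random per-request state and compares it in constant time when the redirect comes back.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint used in the question (v1 admin consent endpoint; /common for multi-tenant apps).
ADMIN_CONSENT_ENDPOINT = "https://login.microsoftonline.com/common/adminconsent"

# Constructed sample manifests. The GUIDs are placeholders, not real application IDs.
APP1_CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # App1: the Web API
APP2_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # App2: the client app
SCOPE_ID = "33333333-3333-3333-3333-333333333333"        # id of the exposed 'read' scope

# Fragment of App1's manifest: exposes the API and names App2 as a known client.
APP1_MANIFEST = {
    "appId": APP1_CLIENT_ID,
    "identifierUris": ["https://your_verified_domain/api/"],
    "knownClientApplications": [APP2_CLIENT_ID],
}

# Fragment of App2's manifest: multi-tenant, requests the 'read' scope exposed by App1.
APP2_MANIFEST = {
    "appId": APP2_CLIENT_ID,
    "signInAudience": "AzureADMultipleOrgs",
    "requiredResourceAccess": [
        {"resourceAppId": APP1_CLIENT_ID,
         "resourceAccess": [{"id": SCOPE_ID, "type": "Scope"}]},
    ],
}


def lists_known_client(manifest: dict, client_id: str) -> bool:
    """True if client_id appears in the manifest's knownClientApplications."""
    return client_id in manifest.get("knownClientApplications", [])


def requests_resource(manifest: dict, resource_app_id: str) -> bool:
    """True if the manifest's requiredResourceAccess references the given API app."""
    return any(entry.get("resourceAppId") == resource_app_id
               for entry in manifest.get("requiredResourceAccess", []))


def consent_preflight(api_manifest: dict, client_manifest: dict) -> list:
    """Return the configuration problems found (empty list means the manifests
    are wired together as the quoted steps 3 and 4 describe)."""
    problems = []
    if not requests_resource(client_manifest, api_manifest["appId"]):
        problems.append("client app does not request any permission on the API app")
    if not lists_known_client(api_manifest, client_manifest["appId"]):
        problems.append("API app does not list the client app in knownClientApplications")
    if client_manifest.get("signInAudience") not in ("AzureADMultipleOrgs",
                                                      "AzureADandPersonalMicrosoftAccount"):
        problems.append("client app is not multi-tenant, so the /common endpoint cannot be used")
    return problems


def new_state() -> str:
    """Unguessable per-request state; a fixed value like '12345' gives no CSRF protection."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the admin consent URL with every parameter URL-encoded."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return ADMIN_CONSENT_ENDPOINT + "?" + urlencode(params)


def parse_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Interpret the redirect back from the admin consent endpoint: on success the
    query carries admin_consent=True, tenant=<tenant id> and state; on failure it
    carries error and error_description."""
    query = parse_qs(urlsplit(callback_url).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    # Reject the callback outright if the state is not the one we issued.
    if not hmac.compare_digest(first("state").encode(), expected_state.encode()):
        return {"ok": False, "reason": "state mismatch (possible forged callback)"}
    if first("error"):
        return {"ok": False, "reason": first("error"), "description": first("error_description")}
    if first("admin_consent").lower() == "true":
        return {"ok": True, "tenant": first("tenant")}
    return {"ok": False, "reason": "callback carried neither admin_consent nor error"}


if __name__ == "__main__":
    print("preflight problems:", consent_preflight(APP1_MANIFEST, APP2_MANIFEST))
    state = new_state()
    print(build_admin_consent_url(APP2_CLIENT_ID, "https://localhost/consent-callback", state))
    # Constructed sample callback, as the browser would be redirected after consent.
    cb = f"https://localhost/consent-callback?admin_consent=True&tenant=tenant-b-id&state={state}"
    print(parse_consent_callback(cb, state))
```

Run the preflight against the exported manifests of your own two registrations before sending an administrator to the consent URL; an empty list does not prove the tenant will accept the consent, but a non-empty one points at the manifest that still needs editing.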