bater

Reputation: 97

Azure admin consent in multi-tenant not working

I have some problems with the admin consent in a multi-tenant environment. So here is my structure.

I have registered one Active Directory app in Tenant 1, called "App1". In this app, I set e.g. permissions for Microsoft Graph. Then I granted this permission.

Now I also want to have this App1 in my Tenant 2, so I do an admin consent with: https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1

It worked fine. A few minutes later I saw App1 in Tenant2 and I was able, e.g., to give access rights to App1 for users of Tenant2. No problem.

So then I had to give my App1 a few more permissions. So I clicked "App registrations" in Tenant1 and gave more permissions for Microsoft Graph. Then I clicked "Enterprise Applications" in Tenant1, selected my App1 -> Permissions and then "Grant admin consent for tenant1". A new browser window was opened and I was able to do the admin consent for App1 in Tenant1.

Then I thought that I had to do the same in Tenant2, because it worked the first time. So in Tenant2 I also navigated to Active Directory -> Enterprise Applications -> selected my App1 -> Permissions. Here I saw the first permissions which I granted. Then I clicked "Grant admin consent for Tenant2". A new browser window was opened, but now it failed with the following error: https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application+%clientID_of_App1%27+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.%0d%0aTrace+ID%TraceID%0d%0aCorrelation+ID%CorrelationIDaTimestampTimestamp&admin_consent=True&tenant=TenantID_of_Tenant2

Easier to read, the error:

"AADSTS65005. The application ID_App1 asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor."

I get the same error when I invoke the URL https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1

But I didn't do anything... so where's the problem?

Upvotes: 0

Views: 997

Answers (1)

Marilee Turscak - MSFT

Reputation: 7728

For your Redirect URI error you can try these steps:

  1. Set the resource in your request to Azure AD.
  2. Ensure that the client ID of the WebApp is configured in the WebApi's "knownClientApplications" array property in the manifest file.
  3. Ensure that all permissions are correct (APIs are added as delegated permissions to the client).
  4. Ensure that all services (web app & APIs) are multi-tenant.
  5. Update the manifest with:

     "availableToOtherTenants": true,
     "knownClientApplications": [
       "{client app application id}"
     ],

See also the troubleshooting steps in these similar threads:

Azure AD error when fetching access token & login

The client application has requested access to resource 'https://outlook.office365.com'. This request has failed

Upvotes: 1
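The answer's steps 2, 4 and 5 are checks on the API app's manifest, and the question's failure surfaces only as an AADSTS code buried in a redirect URL. The following is an added example (not code from the thread or from Microsoft) that turns both into something you can run offline: it validates an exported app-registration manifest for the multi-tenant flag and the `knownClientApplications` entry, and parses a consent-failure redirect so the AADSTS code can be read out of the query string. The manifests, GUIDs and redirect URL below are constructed placeholders; the `signInAudience` handling is an assumption added for newer manifests that no longer carry `availableToOtherTenants`.

```python
"""Manifest checks and consent-redirect parsing for multi-tenant admin consent.

Added example for this thread; not Microsoft's code and not from the answer.
Assumes an app-registration manifest as exported (JSON) from the Azure portal.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: placeholder GUIDs, not real application ids.
CLIENT_APP_ID = "11111111-1111-1111-1111-111111111111"

API_MANIFEST_OK = json.dumps({
    "appId": "22222222-2222-2222-2222-222222222222",
    "availableToOtherTenants": True,
    "knownClientApplications": [CLIENT_APP_ID],
})

API_MANIFEST_BAD = json.dumps({
    "appId": "22222222-2222-2222-2222-222222222222",
    "availableToOtherTenants": False,
    "knownClientApplications": [],
})

# Constructed redirect modelled on the one in the question (placeholder tenant).
SAMPLE_REDIRECT = (
    "https://example.invalid/?error=access_denied"
    "&error_description=AADSTS65005%3a+The+application+asked+for+permissions"
    "+to+access+a+resource+that+has+been+removed+or+is+no+longer+available."
    "&admin_consent=True&tenant=TENANT_PLACEHOLDER"
)

# signInAudience values that mean "available to other tenants" in newer manifests.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}


def is_multi_tenant(manifest: dict) -> bool:
    """Step 4: the registration must be multi-tenant.

    Older manifests carry the boolean "availableToOtherTenants"; newer ones
    express the same thing through "signInAudience". Either form is accepted.
    """
    if manifest.get("availableToOtherTenants") is True:
        return True
    return manifest.get("signInAudience") in MULTI_TENANT_AUDIENCES


def check_api_manifest(manifest_json: str, client_app_id: str) -> list:
    """Steps 2, 4 and 5: return the problems found (empty list = checks pass)."""
    manifest = json.loads(manifest_json)
    problems = []
    if not is_multi_tenant(manifest):
        problems.append("api registration is single-tenant")
    known = manifest.get("knownClientApplications") or []
    # GUID comparison is case-insensitive; the portal may export either casing.
    if client_app_id.lower() not in {k.lower() for k in known}:
        problems.append("client app id missing from knownClientApplications")
    return problems


def parse_consent_redirect(url: str) -> dict:
    """Extract error, AADSTS code, description, admin_consent and tenant.

    The AADSTS code is the token before the first ':' or '.' of
    error_description (e.g. 'AADSTS65005'); parse_qs already undoes the
    '+' and '%xx' encoding seen in the raw redirect.
    """
    params = parse_qs(urlsplit(url).query)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    description = first("error_description")
    code = description.split(":", 1)[0].split(".", 1)[0].strip()
    return {
        "error": first("error"),
        "code": code if code.startswith("AADSTS") else "",
        "description": description,
        "admin_consent": first("admin_consent").lower() == "true",
        "tenant": first("tenant"),
    }


if __name__ == "__main__":
    print("good manifest:", check_api_manifest(API_MANIFEST_OK, CLIENT_APP_ID))
    print("bad manifest: ", check_api_manifest(API_MANIFEST_BAD, CLIENT_APP_ID))
    print("redirect:     ", parse_consent_redirect(SAMPLE_REDIRECT))
```

Run it against the manifest downloaded for the API registration in each tenant; an empty problem list for the API manifest, together with an AADSTS code pulled cleanly out of the redirect, gives you a concrete reason to quote when you raise the consent failure with the tenant admin.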
