multi-tenant admin consent fails with "AADSTS90094"

Question

I have the following setup:

• 2 tenants, T-1 and T-2
• A multi-tenant app A registered in T-1.
  • It requires admin consent for the Graph API
  • In the manifest, I have "availableToOtherTenants": true and "signInAudience": "AzureADandPersonalMicrosoftAccount"
• I have an admin user U-2 for T-2.
• U-2 is invited to T-1 as a guest and accepts.
• U-2 attempts to provide admin consent for the app in T-1 (A) via the url https://login.microsoftonline.com/${T-1 guid}/adminconsent?${params}

At this point, I get redirected to an error page with the following info:

---

A-1 needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

• Request Id: bd83872a-aa37-440f-8a2e-82185f4f4300
• Correlation Id: 09219117-2532-4705-91f4-3447647feed0
• Timestamp: 2019-03-05T18:35:05Z
• Message: AADSTS90094: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators.

---

FYI I had Advanced diagnostics enabled.

Any clues on what I could try next?

Answer 1

It sounds like you are trying to use U-2 to do admin consent who is not an admin in T-1.

U-2 attempts to provide admin consent for the app in T-1

Only admins in T-1 can provide admin consent in T-1. In your case that would be U-1 I believe.