AADSTS650052: The app needs access to a service (\"api://4a****96-****-****-****-f003ddbb****/main\") that your organization \"aa****38-****-****-****-1d4c3****dcb\" has not subscribed to or enabled.

PRUTHWIRAJ JAGADALE 1 Reputation point
2021-02-04T07:16:17.037+00:00

I am getting the error below in a multi-tenant implementation; I have a chain of app registrations.

AADSTS650052: The app needs access to a service (\"api://4a****96-****-****-****-f003ddbb****/main\") that your organization \"aa****38-****-****-****-1d4c3****dcb\" has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

Suppose I have three app registrations, App A, App B and App C, and those apps are related like below:

  1. In App B, permission is given to access App C
  2. In App A, permission is given to access App B
  3. There is no direct relation between App A and App C

It is a chain of permissions. I have referred to the article below, but it's not working, and I have the same scenario.

https://joonasw.net/view/aad-api-chains-and-cyclic-dependencies

Please help me on this. Thanks in advance.

Tags: Microsoft Entra External ID, Microsoft Entra ID

2 answers

  1. JamesTran-MSFT 36,456 Reputation points Microsoft Employee
    2021-02-04T22:07:50.96+00:00

    @PRUTHWIRAJ JAGADALE
    Thank you for your detailed post!

    Within the article that you referenced - Azure AD Multi-tenant Apps: API Chains and Cyclic Dependencies, the author ran into the same error message you did. However, they were able to resolve their issue a little further down, as seen in the screenshot below.
    [screenshot from the referenced article]

    The author also describes in their conclusion that: "based on my experiments, Azure AD does not traverse API chains to gather the permissions required for consent. It only checks the direct dependencies of the client. So make sure that your client requires access to all the APIs in the chain. And then also ensure the client is a known client application of all the APIs. The APIs in the chain should still require access to the APIs they need to use. But they do not need to be known clients of them."

    I hope this helps!
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. JamesTran-MSFT 36,456 Reputation points Microsoft Employee
    2021-02-08T19:02:06.29+00:00

    @PRUTHWIRAJ JAGADALE
    Thank you for your time and patience! I received an update from my team regarding this and will post the update below.

    Update:
    Question 1: If I have a chain of 100 app registrations, do I need to give permission to all 99 apps to the 100th app so it can access them?

    • Theoretically, yes, you'll need to give permission to all the middle-tier applications. As you're using a chain of apps/APIs, the client must require access to all APIs in the chain, whether it uses them directly or not. Again, don't forget that you're using multi-tenant apps. Depending on the architecture or usage of the application, you may consider the following strategies to optimize the flow. The ultimate goal is to ensure proper consent is given so that the client apps can call the middle-tier apps, and the middle-tier app has permission to call the back-end resource. For more info.

    Question 2: I don't want to give direct access to App C from App A. App C should not be accessible using the token generated for App A. Using your approach, is it possible?

    • The above is not possible using this approach. But you can explore the Conditional Access developer guide, which talks about a similar scenario.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

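The rule quoted from the article in the first answer (the client must require every API in the chain directly and be a known client of each of them, while intermediate APIs only require the API they call) and the "chain of 100 app registrations" follow-up in the second answer, as an added example that is not part of this thread and not Microsoft's code. It is a small Python checker over constructed subsets of app manifests: the field names `requiredResourceAccess`, `resourceAppId`, `resourceAccess` and `api.knownClientApplications` are the real manifest fields, but the app IDs `app-a`, `app-b`, `app-c` and the scope IDs are placeholders for GUIDs, and the helper names (`consent_gaps`, `fix_client`, `make_chain`) are this example's own. It goes beyond the three-app case by generating a chain of any length, which is the 100-app question.

```python
"""Consent-chain check for multi-tenant Azure AD app registrations.

Models the rule the referenced article arrives at: Azure AD reads only the
CLIENT's own requiredResourceAccess and each API's knownClientApplications;
it does not walk API-to-API chains. For A -> B -> C the client A must require
B AND C directly and be a known client of both; B still requires C but need
not be a known client of C. IDs below are placeholders, manifests are
constructed subsets of the real shape (added example, not Microsoft's code).
"""
import copy
from collections import deque

def api_entry(scope_ids, known_clients=()):
    """Constructed 'api' section: exposed delegated scopes plus known clients."""
    return {"oauth2PermissionScopes": [{"id": s, "value": "main"} for s in scope_ids],
            "knownClientApplications": list(known_clients)}

def requires(resource_app_id, *scope_ids):
    """One requiredResourceAccess entry requesting delegated scopes on an API."""
    return {"resourceAppId": resource_app_id,
            "resourceAccess": [{"id": s, "type": "Scope"} for s in scope_ids]}

# The questioner's scenario: A calls B, B calls C, no direct A -> C link.
APPS = {
    "app-a": {"displayName": "App A (client)",
              "requiredResourceAccess": [requires("app-b", "scope-b-main")],
              "api": api_entry([])},
    "app-b": {"displayName": "App B (middle-tier API)",
              "requiredResourceAccess": [requires("app-c", "scope-c-main")],
              "api": api_entry(["scope-b-main"], known_clients=["app-a"])},
    "app-c": {"displayName": "App C (back-end API)",
              "requiredResourceAccess": [],
              "api": api_entry(["scope-c-main"])},
}

def reachable_apis(client_id, apps):
    """APIs reachable from the client via the chain, BFS order; 'seen' also stops cycles."""
    seen, order, queue = {client_id}, [], deque([client_id])
    while queue:
        for rra in apps[queue.popleft()]["requiredResourceAccess"]:
            rid = rra["resourceAppId"]
            if rid not in seen:
                seen.add(rid)
                order.append(rid)
                queue.append(rid)
    return order

def direct_requirements(app_id, apps):
    return {rra["resourceAppId"] for rra in apps[app_id]["requiredResourceAccess"]}

def consent_gaps(client_id, apps):
    """(kind, api_id) pairs that break consent for this client: chain APIs it does
    not require directly, and APIs that do not list it as a known client."""
    gaps, direct = [], direct_requirements(client_id, apps)
    for api_id in reachable_apis(client_id, apps):
        if api_id not in direct:
            gaps.append(("missing_required_resource_access", api_id))
        if client_id not in apps[api_id]["api"]["knownClientApplications"]:
            gaps.append(("missing_known_client", api_id))
    return gaps

def fix_client(client_id, apps):
    """Deep copy of the manifests with the client's gaps closed: for each chain API
    the client gets the union of what the chain requests from that API and is added
    to its knownClientApplications. Intermediate APIs are left untouched."""
    fixed = copy.deepcopy(apps)
    client = fixed[client_id]
    for api_id in reachable_apis(client_id, fixed):
        wanted = {}
        for app in fixed.values():
            for rra in app["requiredResourceAccess"]:
                if rra["resourceAppId"] == api_id:
                    for ra in rra["resourceAccess"]:
                        wanted[(ra["id"], ra["type"])] = dict(ra)
        if api_id not in direct_requirements(client_id, fixed):
            client["requiredResourceAccess"].append(
                {"resourceAppId": api_id, "resourceAccess": list(wanted.values())})
        known = fixed[api_id]["api"]["knownClientApplications"]
        if client_id not in known:
            known.append(client_id)
    return fixed

def make_chain(n):
    """Constructed linear chain app-1 -> app-2 -> ... -> app-n (the '100 app
    registrations' case), each exposing one scope, no known clients set."""
    apps = {}
    for i in range(1, n + 1):
        nxt = f"app-{i + 1}"
        apps[f"app-{i}"] = {
            "requiredResourceAccess": [] if i == n else [requires(nxt, f"scope-{nxt}-main")],
            "api": api_entry([f"scope-app-{i}-main"]),
        }
    return apps

if __name__ == "__main__":
    for kind, api in consent_gaps("app-a", APPS):
        print(f"app-a: {kind} for {APPS[api]['displayName']}")
    print("after fix:", consent_gaps("app-a", fix_client("app-a", APPS)))
    chain = make_chain(100)
    print("100-app chain: client now requires", len(fix_client("app-1", chain)["app-1"]["requiredResourceAccess"]), "APIs directly")
```

For the questioner's three apps the checker reports that App A is missing a direct `requiredResourceAccess` entry for App C and is not in App C's `knownClientApplications`; App B's own entry for App C is left as it is, and App B is not added as a known client of App C. For the 100-app chain the client ends up with 99 direct entries, which is the "yes, theoretically" in the second answer. The caveat raised by Question 2 follows from the same fix: once App A requires App C directly, it can request a token for App C in its own right, so this approach cannot keep App C unreachable from App A.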