This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 15%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
I am setting up an enterprise application where third-party applications should be able to authenticate into it using our institutional SSO. The enterprise application has a GUID Client ID provided (e.g., 12345678-1234-1234-1234-1234567890ab) and I am indeed able to log into the application both through the public URL (e.g., https://myapp.myinstitution.edu) and using applications under my control that are aware of the Client ID.
The issue comes when I try to log into it with a third-party application like PowerBI. PowerBI, being outside my control, does not know the Client ID and attempts to log in using the public URL as the resource principal (https://myapp.myinstitution.edu).
My assumption is that somewhere I need to inform Azure Active Directory that the resource principal known to third-party apps (e.g., https://myapp.myinstitution.edu) is one and the same as my client ID (e.g., 12345678-1234-1234-1234-1234567890ab). My belief was that the correct way to do this would be to configure a Publisher Domain under the Branding section under App Registrations, but this did not resolve the issue.
How do I inform Active Directory that certain resource principals are synonymous with my application's Client ID?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Which guide are you following for this? The error you referenced usually appears if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant, or the App ID and App Secret are not updated in the API management portal.
Unfortunately, I don't know that there is a guide or instructions for what I'm trying to do. I believe the reason for the error is that third-party applications like PowerBI do not have any way to know what my application's GUID Client ID is. Instead, they attempt to authenticate with my application using the endpoint they know as the resource principal, like https://myapp.myinstitution.edu. When their OAuth2 request hits Active Directory, then, Active Directory is correctly reporting error AADSTS500011 because the resource principal requested doesn't exist and certainly is not tied to any application that it knows about.
When the client application is under my control or when the user logs into my application directly, I can tell it to send its OAuth2 request using my GUID Client ID and everything works just fine. Specifically, then, I need to know how to connect a resource principal like https://myapp.myinstitution.edu to my GUID client ID in Active Directory.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 60%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
How this is helpful? You basically copy/pasted the error message which says nothing how to get it fixed.
I was looking for more details around the steps the user was following but did not see the response due to a notification outage in Microsoft Q&A. The error itself is usually resolved by granting admin consent in the app registration under API permissions.
Thank you, I've done that, it looks slightly different for me 
and still the same AADSTS500011 error, any other steps you can suggest?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
Hi BenjaminLiSauerwine-6547,
Were you ever able to resolve this issue?
I'm having the identical problem with an app-service and power bi desktop.
I apologize that it's been so long since I've encountered this issue that I may have forgotten some important details. Further, checking my e-mail history, not all of what was done on the institutional AD admin side was ever made clear to me.
As far as I can tell looking at the Active Directory application (which in my case was an instance of HAPI FHIR connecting to PowerBI's FHIR connector), this is what needs to happen:
In Azure AD App Registrations:
Not all of that may be strictly necessary, but those are the steps I can reconstruct from my e-mail and is all that is directly visible in my AD application.
If that still doesn't work, there was one additional note I found in the e-mail thread, which was that the AD admin had to consent for "Power Query for Excel" also. I can't find any evidence that this actually happened in Azure Portal, though, so your mileage there may vary.