MultiTenant App - Error AADSTS650056 when using from another tenant

Kamen 1 Reputation point
2022-01-13T07:12:59.407+00:00

Dear Team,
I have following issue:
I have created a MultiTenant app with ID 654c6d0b-e470-440c-890b-3b6d5766b333, which is in tenant 0faef0c2-2d86-4c71-80b3-587a182466bb.
I have tested OAUTH2 with this app and it works when I try to sign in a user from the tenant 0faef0c2-2d86-4c71-80b3-587a182466bb.

Now I want to sign in a user from tenant 614b5d4b-fc61-44ef-9bfd-55acf4e6f5c8 to test the multitenancy.
However I get the error AADSTS650056.

I have added the app and delegated permissions in the tenant 0faef0c2-2d86-4c71-80b3-587a182466bb.
I do not even see a sign-in request in the sign-in logs.


4 answers

  1. CarlZhao-MSFT 36,896 Reputation points
    2022-01-13T10:24:17.73+00:00

    Hi @Kamen

    First, make sure your application has been registered as a multi-tenant application in the original tenant.

    164741-image.png

    Next you need to run the admin consent URL: https://login.microsoftonline.com/{target-tenant-id}/adminconsent?client_id={client-id} in your browser, log in as the administrator of the target tenant and consent. After that, the multi-tenant application will be added to the target tenant as an enterprise application, and it will also have the permissions you granted in the original tenant.

    Finally you will be able to log in to the multi-tenant application with a user in the target tenant.

    https://login.microsoftonline.com/{target tenant id}/oauth2/v2.0/authorize?
    client_id={client app client id}
    &response_type=code
    &redirect_uri={redirect_uri}
    &response_mode=query
    &scope=https://graph.microsoft.com/.default
    &state=12345

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
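The two-step flow in the answer above (admin consent in the target tenant, then the regular authorize request) is easy to get subtly wrong, and the only feedback is the query string Microsoft Entra sends back to the redirect URI. The following is an added example, not code from the thread or from Microsoft: it builds both URLs with the same parameters shown above and parses the admin-consent callback, checking the `state` value against the one that was sent (so a callback that was not triggered by this flow is rejected) and pulling the AADSTS error code out of `error_description` when consent failed. The tenant id, client id and redirect URI are placeholder values, and the two callback URLs are constructed samples; the callback parameter names (`admin_consent`, `tenant`, `state`, `error`, `error_description`) are the ones the admin consent endpoint documents.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_BASE = "https://login.microsoftonline.com"

# Placeholder values (constructed): substitute the real target tenant id,
# the multi-tenant app's client id and one of its registered redirect URIs.
TARGET_TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "http://localhost/myapp/permissions"


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Step 1: URL an administrator of the target tenant opens to consent."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"{LOGIN_BASE}/{tenant}/adminconsent?{query}"


def authorize_url(tenant, client_id, redirect_uri, state,
                  scope="https://graph.microsoft.com/.default"):
    """Step 2: the v2.0 authorization-code request a target-tenant user signs in with."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    })
    return f"{LOGIN_BASE}/{tenant}/oauth2/v2.0/authorize?{query}"


# AADSTS error codes are embedded at the start of error_description, e.g. "AADSTS650056: ..."
AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")


def parse_consent_callback(callback_url, expected_state):
    """Interpret the redirect that the adminconsent endpoint sends back.

    Returns a dict with: ok (bool), tenant, error, code (AADSTS code or None), description.
    """
    qs = parse_qs(urlparse(callback_url).query)
    first = lambda key: qs.get(key, [None])[0]
    result = {"ok": False, "tenant": first("tenant"), "error": None, "code": None,
              "description": first("error_description")}

    # The state must match what we sent; otherwise this callback is not ours.
    if first("state") != expected_state:
        result["error"] = "state_mismatch"
        return result

    if first("error"):
        result["error"] = first("error")
        match = AADSTS_RE.search(result["description"] or "")
        result["code"] = match.group(1) if match else None
        return result

    # Successful consent: admin_consent=True plus the tenant that consented.
    if first("admin_consent") == "True" and result["tenant"]:
        result["ok"] = True
        return result

    result["error"] = "unexpected_response"
    return result


# Constructed sample callbacks: one successful consent, one failure carrying an AADSTS code.
SAMPLE_SUCCESS = REDIRECT_URI + "?" + urlencode(
    {"admin_consent": "True", "tenant": TARGET_TENANT, "state": "12345"})
SAMPLE_ERROR = REDIRECT_URI + "?" + urlencode(
    {"error": "access_denied",
     "error_description": "AADSTS650056: Misconfigured application. Client app ID: " + CLIENT_ID + ".",
     "state": "12345"})

if __name__ == "__main__":
    print(admin_consent_url(TARGET_TENANT, CLIENT_ID, REDIRECT_URI, "12345"))
    print(authorize_url(TARGET_TENANT, CLIENT_ID, REDIRECT_URI, "12345"))
    print(parse_consent_callback(SAMPLE_SUCCESS, "12345"))
    print(parse_consent_callback(SAMPLE_ERROR, "12345"))
```

A practical check when consent appears to succeed but sign-in still fails: compare the `tenant` value from the consent callback with the tenant id used in the authorize URL, and confirm the `client_id` in the AADSTS error text matches the app registration you think you are testing.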

  2. Kamen 1 Reputation point
    2022-01-14T16:11:28.08+00:00

    @CarlZhao-MSFT
    Thanks again for the hints!
    I see the app in the enterprise apps of the destination tenant, however I still cannot sign in. I get the error:
    AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 654c6d0b-e470-440c-890b-3b6d5766b333.
    Trace ID: d5134408-1ddc-4425-a885-4e8adf053c00
    Correlation ID: 40ec368c-6910-409e-bd84-b449ad0b27fa
    Timestamp: 2022-01-14 16:04:43Z

    I have granted the permissions also in the destination tenant:
    165156-image.png

    But I still get the same error.

    Are you available for a quick meeting to troubleshoot this?

    I already changed the redirect URL and did this step yesterday:
    https://login.microsoftonline.com/{target tenant id}/adminconsent?client_id={client id}&state=12345&redirect_uri={redirect_uri}


  3. Kamen 1 Reputation point
    2022-01-17T06:16:48.757+00:00

    @CarlZhao-MSFT

    Good Morning CarlZhao,
    Yes, I did, but it did not help.
    I am logging in the user of the target tenant and get the window to approve the app.
    Then I get redirected to the "redirect_uri" (the redirect URL is not publicly resolvable; I do a DNS lookup to a private IP in my infrastructure.)
    I also tried playing with the redirect URL, i.e. redirect_uri=http://localhost/myapp/permissions

    Then, when I try to use the app and sign in a user from the target tenant, I get the AADSTS650056 error.


  4. Kamen 1 Reputation point
    2022-01-26T06:21:11.893+00:00

    @CarlZhao-MSFT
    Good Morning CarlZhao, thanks for the follow-up. I have tested this in the production tenant using the same steps and it did work.
    However, it is still not working in the Proof of Concept tenant.
    Is there an option to have a remote session to troubleshoot this?