Application permissions added in the app registration are not reflected in the enterprise application of the other tenant

lakshmi 746 Reputation points
2024-04-10T17:20:20.76+00:00

Hi Team,

We are using a multi-tenant app registration for our chatbot. The bot has users from different tenants, and we were able to use a single app registration for the delegated MS Graph permissions. While signing in, users from other tenants get the 'Accept' button, and on successful sign-in the bot was able to validate the users using the token.

Currently, we have added a few application permissions for accessing MS Graph to schedule meetings and to get the presence of the user. We have upgraded the Graph NuGet package to the latest version and made the changes accordingly.

We were able to get the presence and schedule meetings with users who are in the tenant where the app registration is created.

For other tenant users, we are getting invalid user exceptions.

While creating the Graph client we used the tenant id where the app registration was created, and we got the exception "Failed to execute GetChildThreadsV2Async."

We also created a Graph client using the tenant id of the other customer who is using the same app registration, and got the exception below:

Missing role permissions on the request. API requires one of 'ChannelSettings.Read.All, Channel.ReadBasic.All, ChannelSettings.ReadWrite.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, ChannelSettings.Read.Group, ChannelSettings.Edit.Group, ChannelSettings.ReadWrite.Group'. Roles on the request ''. Resource specific consent grants on the request ''.

Below is the code used (shared by the MS team):

using Azure.Identity;
using Microsoft.Graph;

// Application (app-only) permissions are requested through the .default scope
var scopes = new[] { "https://graph.microsoft.com/.default" };

// Tenant where the app registration is created (placeholder, as in the original post)
var tenantId = "<tenant id where app registration is created>";

// Values from app registration
var clientId = "clientid";
var clientSecret = "secret";

var options = new TokenCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
    

Please find the permission details of the actual app registration and of the enterprise application added in the other tenant below.

Actual app registration permissions:

[Screenshot 2024-04-03 191532]

Same app registration in enterprise application of other tenants:

Admin Consent tab:

[User's image]

User Consent tab: Shows all the delegated permissions added.

[User's image]


CarlZhao-MSFT 42,026 Reputation points
2024-04-11T06:18:43.4+00:00

Hi @lakshmi

This is because the application permissions you grant for your multi-tenant app in the home tenant have not yet been approved by the administrator of the other tenants, so these application permissions will not be synchronized to the target tenant.

Before this, you should run the admin consent URL in the browser and contact the global administrator of the target tenant to log in and consent, and then your permissions will be reflected in the target tenant.

https://login.microsoftonline.com/{tenant id of the target tenant}/adminconsent?client_id={client id}

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
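The consent flow from the answer, written out as an added C# example (this is not code from the question, the answer, or Microsoft's sample). It builds the admin consent URL for a given target tenant, and, once that tenant's global administrator has consented, acquires an app-only token against the target tenant (the customer's tenant, not the home tenant) and reads the token's `roles` claim, which is the "Roles on the request ''" part of the error in the question: an empty list means consent has not been granted yet. The client id, secret, tenant ids, redirect URI and the `BuildAdminConsentUrl`, `GetGrantedRolesAsync` and `ReadRolesClaim` names are placeholders and assumptions of this example; the redirect URI must be one registered on the app registration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;

public static class MultiTenantAppConsent
{
    // Placeholder values from the app registration (assumed, not from the question)
    const string ClientId = "<client id>";
    const string ClientSecret = "<client secret>";
    const string GraphDefaultScope = "https://graph.microsoft.com/.default";

    // Admin consent URL from the answer; redirect_uri and state are optional query parameters
    // of the adminconsent endpoint (redirect_uri must be registered on the app registration).
    public static string BuildAdminConsentUrl(string targetTenantId, string redirectUri, string state)
    {
        return $"https://login.microsoftonline.com/{Uri.EscapeDataString(targetTenantId)}/adminconsent" +
               $"?client_id={Uri.EscapeDataString(ClientId)}" +
               $"&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
               $"&state={Uri.EscapeDataString(state)}";
    }

    // After the target tenant's admin has consented, request an app-only token against the
    // *target* tenant's authority. A token issued by the home tenant carries the home tenant's
    // consent, so it cannot prove the customer tenant has granted the application roles.
    public static async Task<IReadOnlyList<string>> GetGrantedRolesAsync(string targetTenantId)
    {
        var credential = new ClientSecretCredential(targetTenantId, ClientId, ClientSecret,
            new TokenCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzurePublicCloud });

        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { GraphDefaultScope }), default);

        return ReadRolesClaim(token.Token);
    }

    // Decode the JWT payload to read the "roles" claim. This is a diagnostic on a token we just
    // received from the identity provider, so no signature validation is performed here.
    public static IReadOnlyList<string> ReadRolesClaim(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length < 2) throw new ArgumentException("Not a JWT");

        // base64url -> base64 with padding
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');

        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        var roles = new List<string>();
        if (doc.RootElement.TryGetProperty("roles", out var rolesElement))
        {
            foreach (var role in rolesElement.EnumerateArray())
                roles.Add(role.GetString()!);
        }
        return roles;
    }

    public static async Task Main()
    {
        string targetTenant = "<target tenant id>";

        Console.WriteLine("Send this URL to the target tenant's global administrator:");
        Console.WriteLine(BuildAdminConsentUrl(targetTenant, "https://localhost/consent-done", "customer-123"));

        // Run this part only after consent has been granted; an empty list means the
        // "Missing role permissions ... Roles on the request ''" error will recur.
        var roles = await GetGrantedRolesAsync(targetTenant);
        Console.WriteLine(roles.Count == 0
            ? "No application roles granted in the target tenant yet"
            : "Granted application roles: " + string.Join(", ", roles));

        // Graph client scoped to the target tenant for app-only calls on that tenant's data
        var graphClient = new GraphServiceClient(
            new ClientSecretCredential(targetTenant, ClientId, ClientSecret),
            new[] { GraphDefaultScope });
    }
}
```

The useful check is the `roles` claim: the Graph error in the question lists the application permissions it would accept and reports that the token carried none, so comparing the decoded claim against that list tells you whether the problem is missing consent in the customer tenant or a permission that was never added to the app registration at all.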

