How does the app registered in Azure AD support multi tenants to request access token for SharePoint API?

shane2405 0 Reputation points
2024-05-30T01:12:24.0333333+00:00

I recently registered an app in Azure AD for SharePoint Online access with OAuth authentication. The account type was set to "in any organizational directory (Multitenant)", and the API permissions are set with the scope "SharePoint - AllSites.Manage" and granted admin consent.


Everything is working fine with the accounts under the organization where the app was registered. Now I have a customer under another organization in Azure AD who wants to request the token with the same application ID to access their SharePoint API, but we got the error:

AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxx' named 'xxxxx'. Send an interactive authorization request for this user and resource.


I was wondering why the token request requires admin consent for the other tenant? The application is already set to support Multitenant and the admin consent was also granted. Please give me some suggestions on how to resolve the problem. Thank you in advance.


2 answers

  1. RaytheonXie_MSFT 32,556 Reputation points Microsoft Vendor
    2024-05-30T06:42:08.67+00:00

    Hi @shane2405,

    This error usually occurs when admin consent was not granted for the added scope while retrieving the access token.

    To resolve the error, please check whether you exposed the API like below:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Expose an API


    After exposing the API, make sure to grant API permissions for it like below:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> API permissions -> Add a permission -> My APIs -> Your API


    After adding API permissions, make sure to grant admin consent if it is required. As you are trying to get access token, please check whether you enabled the below options:

    Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication


    Please check the below links if the error still persists:

    azure active directory - InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the application with ID - Stack Overflow

    .net - "AADSTS65001: The user or administrator has not consented to use the application" occurs when token is acquired on behalf of a user - Stack Overflow


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Shweta Mathur 28,771 Reputation points Microsoft Employee
    2024-05-31T13:25:55.9+00:00

    Hi @shane2405,

    Thanks for reaching out.

    To achieve multi-tenancy, users from another tenant (where the application is not registered) need to consent to the application in their own tenant.

    Suppose the client application is in Entra ID tenant B and the user is in tenant A.

    Make sure to log in to your multi-tenant API with a user of tenant A using the following URL, which will ask for the user's consent:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client-id of Tenant B API}&response_type=code&redirect_uri={redirect URI registered in Tenant B API}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345

    Once the consent is provided, the service principal object of the tenant B API gets registered in tenant A. This API can now be found under the Enterprise Registration blade of Entra ID in tenant A.

    Now, your client can add the permission in the tenant by adding the API scopes under API Permissions > Add a permission > APIs my organization uses.

    In this way users from tenant A can authenticate using their application.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
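The consent step from the answer above, and the AADSTS65001 error from the question, as an added example that is not part of the thread: it builds the /common authorize URL the answer describes, a per-tenant admin-consent URL, and a check that tells a consent error apart from other token-endpoint failures. Assumed (not stated on the page): the SharePoint scope string format https://<tenant>.sharepoint.com/AllSites.Manage, the v2.0 adminconsent endpoint path, and all client ids, tenant names and redirect URIs, which are placeholders.

```python
"""Consent helpers for a multi-tenant Entra ID app (added example, not from the thread)."""
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"


def build_user_consent_url(client_id, redirect_uri, scopes, state):
    """Authorize URL on the /common endpoint, as in the answer above: a user of any
    tenant signs in here and is prompted to consent (if their tenant permits it).
    `state` must be an unguessable per-request value so the callback can be checked."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/common/oauth2/v2.0/authorize?{urlencode(params)}"


def build_admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """Admin-consent URL for one customer tenant (assumed v2.0 adminconsent endpoint).
    A tenant admin opens it once; afterwards the app's service principal exists in
    that tenant and the token endpoint stops returning AADSTS65001."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def consent_required(token_error_body):
    """True when a token-endpoint error JSON is the consent error from the question,
    so the caller redirects to a consent URL instead of retrying the token request."""
    try:
        err = json.loads(token_error_body)
    except (TypeError, ValueError):
        return False
    codes = err.get("error_codes") or []
    desc = err.get("error_description") or ""
    return 65001 in codes or "AADSTS65001" in desc


# Constructed sample body shaped like the token-endpoint error quoted in the question.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented ...",
    "error_codes": [65001],
})
```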