preAuthorizedApplications does not work in multi tier applikation

Pawlik Michael 1 Reputation point
2021-01-27T09:37:06.733+00:00

Hey,

i've got following scenario:

my client (Azure App 1) -> my web-api 1 (Azure App 2) -> my web-api 2 (Azure App 3) -> graph

My goal is to receive only one consent when logging in via the client application. The consent should be done automatically for both web-apis and graph. To make this possible I have tested it with "preAuthorizedApplications" and "preAuthorizedApplications", but without success. With one web-api it works without problems. With the two web-apis i got always the flowing error: "The app needs access to a service ... that your organization ... has not subscribed to or enabled." It is important that the client application has no knowledge about web-api 2 or graph.

Is this scenario possible at all and if so, how would one configure it correctly?

Thanks in advance

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,866 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,336 Reputation points
    2021-01-27T13:44:34.007+00:00

    Hello @Pawlik Michael · Thank you for reaching out.

    In order to achieve your requirement, you need to use knownClientApplications attribute in app manifest. I have worked on a POC, where I combined permissions of a custom api and graph api in a single consent prompt. Below are the steps that I performed:

    Tenant1:
    App2 (Web App) and Exposed as API with App ID URI: https://verified_domain/api2/
    Added below scopes:

    • https://verified_domain/api2/user_impersonation
    • https://verified_domain/api2/read

    image

    App1 (Web App) and configured with below permissions:

    • App2 - https://verified_domain/api2/read and https://verified_domain/api2/user_impersonation
    • Microsoft Graph - Files.read and Mail.read

    image

    • Added Client ID of App 2 to knownClientApplications parameter within Manifest of App1.

    Tenant 2:
    Tried to access the application using below link and supplied credentials of Tenant 2’s admin. Confirmed that all permissions are present in the consent prompt:
    https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code
    image

    After accepting the consent, confirmed that service principal for both applications is created in tenant 2.
    image

    Hope this includes all the information that you were looking for.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Michael Pawlik 1 Reputation point
    2021-01-28T12:43:05.02+00:00

    Hello amanpreetsingh-msft,

    thanks for your anwere. The problem is, that this approach does not seem to work if you have three apps and the first one should not know anything abound the first one.

    my client (Azure App 1) -> my web-api 1 (Azure App 2) -> my web-api 2 (Azure App 3) -> graph

    My goal is to receive only one consent when logging in via the client application. The consent should be done automatically for both web-apis and graph. To make this possible I have tested it with "preAuthorizedApplications" and "preAuthorizedApplications", but without success. With one web-api it works without problems. With the two web-apis i got always the flowing error: "The app needs access to a service ... that your organization ... has not subscribed to or enabled." It is important that the client application has no knowledge about web-api 2 or graph.

    Thanks in advance

    0 comments No comments