The app needs access to a service ('api://AppId') that your organization 'xxxx' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions

Altosio admin
2021-10-03T08:47:13.163+00:00

Hi,

I have 2 tenants, A and B. In tenant A, I created a multi-tenant Azure app called App1, went to App roles and created a new app role with the Group.ReadWrite.All scope, as shown in this image.
[image: 137193-image.png]

I then went to the API permissions and added this API, as shown in these images:

[image: 137194-image.png]

[image: 137195-image.png]

Now, I want to call this URL:
https://login.microsoftonline.com/common/adminconsent?client_id={**App1Id**}&state=12345%20
from tenant B, and that should create an Enterprise Application in tenant B with the Group.ReadWrite.All application permission.

But it is throwing that error in the title. What am I missing?

I have a working example that I found on the Internet that does exactly what I want to achieve.
https://login.microsoftonline.com/common/adminconsent?client_id=e15e924b-85af-4797-9ec2-f785401e91f1&state=12345

Thank you for your help.


1 answer
  1. Marilee Turscak-MSFT (Microsoft Employee)
    2021-10-05T21:02:46.947+00:00

    This error usually occurs in multi-layer applications when the knownClientApplications parameter is not set in app manifest. I would recommend referring to Amanpreet's example and solution in this thread:

    We have Tenant1 where APP1 (Web API) and App2 (Web or Native) multi-tenant applications are registered. We will be accessing App2 by a user account in Tenant2.

    In Tenant1, register a web application named App1, which will be used as Web API. Once the application is registered, navigate to Exposing an API and set App ID URI. E.g. set the app ID URI to https://your_verified_domain/api/

    Add required scopes such as read, user_impersonation etc. These scopes should be listed as https://your_verified_domain/api/read and https://your_verified_domain/api/user_impersonation on the Expose An API blade

    Register another application in Tenant1 and name it App2. Navigate to API Permissions and add the API permissions which are exposed as scopes in the above steps.

    Add Client ID of App1 to knownClientApplications parameter in the Manifest of App2.

    Since it is a multi-tenant app, we need to accept the consent prompt to access this application in Tenant2. For that purpose, use the URL below after updating the client_id parameter with the App ID of App2. https://login.microsoftonline.com/common/oauth2/authorize?client_id=1a8e25b8-xxxx-xxxx-xxxx-xxxxxxxxxxxx&prompt=admin_consent&response_type=code

    The consent prompt will be presented with the permissions added in step 3. After accepting the consent, the service principals for both applications, App1 and App2, will be created in Tenant2.

    In this case, you shouldn't get the above error and the login should be successful.

    Reference: invalid_client error

    See also:

    The app needs access to a service

    AADSTS650052

    Let me know if you still see this error after trying the steps suggested in Aman's answer.

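As an added example, not taken from the question, the answer or any Microsoft sample: a Python script that checks two constructed manifests for the consent-bundling shape the answer relies on, builds the v2.0 admin-consent URL for the client app, and validates the redirect Microsoft Entra sends back. AADSTS650052 is raised when the consenting tenant has no service principal for the resource named in the request (here the api://AppId URI), so the check looks for exactly the things that let one admin-consent prompt provision both apps: both registrations multi-tenant, the client listed in the API's knownClientApplications (per the application manifest reference, that property lives on the API registration and lists client app IDs), and the requested role actually defined and enabled on the API. The app IDs, role ID, redirect URI and callback query strings are constructed; the script uses the v2.0 endpoint /common/v2.0/adminconsent with a scope of api://{App1}/.default rather than the v1 URL quoted in the answer.

```python
"""Admin-consent helpers for the two-app (API + client) multi-tenant pattern:
check the manifests for consent bundling, build the v2.0 admin-consent URL,
and validate the redirect Microsoft Entra sends back to the client app."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
MULTI_TENANT = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

# Constructed sample IDs and manifests (not real registrations).
APP1_ID = "11111111-1111-1111-1111-111111111111"   # API (resource) app
APP2_ID = "22222222-2222-2222-2222-222222222222"   # client app
ROLE_ID = "33333333-3333-3333-3333-333333333333"   # app role defined on App1

APP1_MANIFEST = {
    "appId": APP1_ID,
    "identifierUris": [f"api://{APP1_ID}"],
    "signInAudience": "AzureADMultipleOrgs",
    # Client app IDs whose admin consent should also provision App1's SP.
    "knownClientApplications": [APP2_ID],
    "appRoles": [{"id": ROLE_ID, "allowedMemberTypes": ["Application"],
                  "value": "Group.ReadWrite.All", "isEnabled": True}],
}

APP2_MANIFEST = {
    "appId": APP2_ID,
    "signInAudience": "AzureADMultipleOrgs",
    # App2 requests App1's application permission (type "Role").
    "requiredResourceAccess": [{"resourceAppId": APP1_ID,
                                "resourceAccess": [{"id": ROLE_ID, "type": "Role"}]}],
}


def check_consent_bundle(api, client):
    """Return the reasons (empty list if none) why admin consent to `client` in a
    foreign tenant would not also provision `api`, the shape that ends in
    AADSTS650052 for the API's app ID URI."""
    problems = []
    for app in (api, client):
        if app.get("signInAudience") not in MULTI_TENANT:
            problems.append(f"{app['appId']} is not a multi-tenant registration")
    if client["appId"] not in api.get("knownClientApplications", []):
        problems.append("API manifest does not list the client in knownClientApplications")
    roles = {r["id"] for r in api.get("appRoles", []) if r.get("isEnabled")}
    requested = [acc for req in client.get("requiredResourceAccess", [])
                 if req["resourceAppId"] == api["appId"] for acc in req["resourceAccess"]]
    if not requested:
        problems.append("client requests no permission on the API")
    for acc in requested:
        if acc["type"] == "Role" and acc["id"] not in roles:
            problems.append(f"requested role {acc['id']} is not an enabled app role on the API")
    return problems


def new_state():
    """CSRF token binding the consent redirect to the admin's session; keep it server-side."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id, redirect_uri, state, scope):
    """v2.0 admin-consent URL. redirect_uri must be registered on the client app."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "state": state, "scope": scope}
    return f"{AUTHORITY}/common/v2.0/adminconsent?{urlencode(query)}"


def validate_consent_redirect(redirect_url, expected_state):
    """Parse the redirect back to redirect_uri. The tenant value is trusted only
    when state matches the token issued for this session (constant-time compare)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    got = q.get("state", "").encode()
    if not expected_state or not secrets.compare_digest(got, expected_state.encode()):
        return {"ok": False, "reason": "state mismatch: possible CSRF or replayed redirect"}
    if "error" in q:   # e.g. access_denied with an AADSTS code in error_description
        return {"ok": False, "error": q["error"],
                "reason": q.get("error_description", q["error"])}
    if q.get("admin_consent", "").lower() != "true" or not q.get("tenant"):
        return {"ok": False, "reason": "admin consent was not granted"}
    return {"ok": True, "tenant": q["tenant"], "scope": q.get("scope", "")}


if __name__ == "__main__":
    print("bundle problems:", check_consent_bundle(APP1_MANIFEST, APP2_MANIFEST))
    state = new_state()
    print(build_admin_consent_url(APP2_ID, "https://app2.example/consent",
                                  state, f"api://{APP1_ID}/.default"))
```

The state check runs before anything else is read from the callback: an attacker who can make an admin click a consent link they prepared could otherwise have their own tenant ID written into your records, so the tenant value is only accepted once the state proves the redirect belongs to a session you started.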