Hope you are doing great. Apologies for the delayed response on this. I needed to get help internally to get a solution on this scenario to exactly figure out why we get the above error. The above error is obtained in a scenario where we are trying to create a service principal in the same tenant where we already have the enterprise application registered, using the credentials of the second admin. Let me elaborate on the same.
- Service principal :- A service principal is an application identity created for any application, which can be multi-tenant or single-tenant. You can manage and list all the service principals within your tenant from the Enterprise applications blade. In the case of multi-tenant apps, the original app registration is within the home tenant of the application and all other tenants create a service principal for using the app within their tenant.
- App ID :- The app registration process creates an application identity in your home tenant which is unique across Azure AD in the public Azure cloud. This is the identity used within your applications, which is called the Client ID or App ID. You can create app registrations only in your home tenant and can list and manage them through the App registrations blade.
Now let's come to the scenario of adding a multi-tenant application from one tenant to another tenant. I am providing all the details along with the screenshots for easy reference. You can also check the article about how applications are added to an Azure AD instance.
Scenario
==========
I registered a new multi-tenant application, which is something I would like to let other users be able to use, using the App registrations blade within my tenant. The following are the details.
Tenant Name :- Tenant 1
App Name :- multitenant
Tenant ID :- adf4235a-xxxx-xxxx-xxxx-58132e77a74f
App ID :- 5ab3a8fe-xxxx-xxxx-xxxx-22735dce8ec4
The following are the three permissions that are approved for the Microsoft Graph API.
Now, for any other Azure AD tenant owner to be able to use this application within their tenant, they would have to consent to it, as the application uses certain permissions from the Microsoft Graph API which require admin consent from a global admin, as we can see above in the image in the "Admin consent required" column. The admin consent URL is the easiest way for any tenant administrator to create a service principal for the application they would like their whole organization to use. For this, the global admin of the other tenant does not need to be added as a guest to Tenant 1.
I tried to replicate the error and found that if I use the same tenant ID of Tenant 1 in the admin consent URL, this would generate the same error as we have got earlier.
[Screenshot of the consent prompt, signed in as admin000000@000000.onmicrosoft.com: "Need admin approval" / "unverified" / "needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it." with the links "Have an admin account? Sign in with that account" and "Return to the application without granting consent".]
Root Cause :- The reason for this error is that the global admin of Tenant 2 is only a guest in the home tenant where the application is present, which is Tenant 1. Hence, essentially here we are trying to create a service principal in Tenant 1, which is not our goal, and thus the error.
Solution :-
The working admin consent URL should be designed as follows.
https://login.microsoftonline.com/{tenantId of the tenant where we want to create the service principal}/adminconsent?client_id={unique appId of the application from tenant 1}&state={someState}
Once we added the second tenant ID, where we needed to create the service principal, to the admin consent URL, we got the consent prompt as shown below.
Once approved, this application will be added to the tenant and will be available for users to use. We will see a service principal in the Enterprise applications blade in the second tenant. You can search and see the same as below in the Enterprise applications blade.
If you traverse the Enterprise applications blade for this application in the second tenant and try to check the permissions, you will see all of the permissions which were granted and whether they were consented to for all the users in the tenant by the admin or not.
Please note that an app registration in this case will not be created at all, because the application registration is only done in the home tenant, as explained earlier. So if you search for the app in the App registrations blade of Tenant 2, the search results in no apps, as the application object for this application will only be found in the home tenant.
Hope the information helps in understanding and explaining how we can consent to an application registered in any other tenant. I am not sure how you had registered earlier where you did not need the second global admin step. Maybe it was a legacy registration, or using a different API, or an enterprise application from the gallery. I am not sure how exactly you were adding the application earlier, but if you can provide more details I can try to help on that as well. The permissions that the app requires in your case seem to be coming from Microsoft Graph, which would require global consent for the whole organization before anyone could use it. It may be possible you were using legacy service principals, but I cannot be sure of that. If the explanation provided is helpful, please do accept the post as the answer, and in case you still have queries, please let me know and I will be happy to help further on this.
Thank you.
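Building the tenant-specific admin consent URL described in the answer, plus a check of the redirect Azure AD sends back, as an added example in Python that is not part of the original answer. The GUIDs are constructed placeholders (the real IDs are redacted above), the home-tenant guard encodes the root cause from the answer, and the callback parameter names (admin_consent, tenant, state, error) are the ones Microsoft documents for the adminconsent endpoint.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values standing in for the redacted IDs in the post.
HOME_TENANT_ID = "adf4235a-1111-2222-3333-58132e77a74f"    # Tenant 1: where the app is registered
TARGET_TENANT_ID = "0f1e2d3c-4444-5555-6666-777788889999"  # Tenant 2: where the service principal is needed
CLIENT_ID = "5ab3a8fe-aaaa-bbbb-cccc-22735dce8ec4"         # App ID of the multi-tenant app

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_admin_consent_url(target_tenant_id, client_id, home_tenant_id, state):
    """Return the admin consent URL for the tenant that must consent (Tenant 2)."""
    for name, value in (("target_tenant_id", target_tenant_id), ("client_id", client_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    # Root cause from the answer: pointing the URL at the home tenant asks Azure AD
    # to create a service principal in Tenant 1, which a guest admin cannot do.
    if target_tenant_id.lower() == home_tenant_id.lower():
        raise ValueError("target tenant is the app's home tenant; use the consenting tenant's ID")
    if not state:
        raise ValueError("state must be a non-empty, unguessable value")
    query = urlencode({"client_id": client_id, "state": state})
    return f"https://login.microsoftonline.com/{target_tenant_id}/adminconsent?{query}"


def check_consent_callback(callback_url, expected_state):
    """Validate the redirect after consent: state must match, no error, admin_consent=True."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # Verify the state we issued before trusting anything else in the callback.
    if params.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch"}
    if "error" in params:
        return {"ok": False, "reason": params.get("error_description", params["error"])}
    if params.get("admin_consent", "").lower() != "true":
        return {"ok": False, "reason": "admin consent not granted"}
    # 'tenant' is the tenant in which the service principal was just created.
    return {"ok": True, "tenant": params.get("tenant")}


if __name__ == "__main__":
    print(build_admin_consent_url(TARGET_TENANT_ID, CLIENT_ID, HOME_TENANT_ID, "c0nstructed-state"))
```

A successful consent redirects to your redirect URI with admin_consent=True and the consenting tenant's ID, which is the tenant you should then expect to find the service principal in under Enterprise applications.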