Global Admin cannot authorize azure app

Bill Bobagins 21 Reputation points
2022-04-28T22:23:29.57+00:00

I have an azure app configured for multi-tenant use, with callbacks etc configured and publisher verified.

I have an authentication link that looks like this:

https://login.microsoftonline.com/{tenantId}/adminconsent?client_id={appId}&state={someState}

I created a second portal.azure.com active directory (and set up a subscription, etc)

I have added the second AD Admin as an external user to the first tenant (where the app lives).

When the second AD admin clicks the auth link, I receive an error that an admin must authenticate this app; however, I am the global admin of this AD (no other users even exist).

What am I missing?

197551-screen-shot-2022-04-28-at-41455-pm.png

I have blocked out information on this image, but it does correctly identify that it's trying to use the global admin account. I've tried in private windows/other browsers etc.

I've also tried other permutations of the auth link. For example:

https://login.microsoftonline.com/{tenantId}/v2.0/adminconsent?
client_id={appId}
&scope=https://graph.microsoft.com/Calendars.ReadWrite https://graph.microsoft.com/Mail.Send
&redirect_uri={url}
&state={state}

with the exact same results.


Accepted answer
    Shashi Shailaj 7,606 Reputation points Microsoft Employee
    2022-05-10T18:36:50.167+00:00

    @Bill Bobagins ,

    Hope you are doing great. Apologies for the delayed response on this. I needed to get help internally to get a solution on this scenario and to figure out exactly why we get the above error. The above error is obtained in a scenario where we are trying to create a service principal in the same tenant where we already have the enterprise application registered, using the credential of the second admin. Let me elaborate.

    • Service principal :- A service principal is an application identity created for any application, which can be multi-tenant or single tenant. You can manage and list all the service principals within your tenant from the enterprise applications blade. In the case of multi-tenant apps, the original app registration is within the home tenant of the application, and all other tenants create a service principal for using the app within their tenant.
    • App ID :- The app registration process creates an application identity in your home tenant which is unique across Azure AD in the public Azure cloud. This is the identity used within your applications, which is called the client ID or app ID. You can create app registrations only in your home tenant and can list and manage them through the app registrations blade.

    Now let's come to the scenario of adding a multi-tenant application from one tenant to another tenant. I am providing all the details along with the screenshots for easy reference. You can also check the article about how applications are added to an Azure AD instance.

    Scenario

    ==========

    I registered a new multitenant application, which is something I would like to let other users be able to use, using the app registrations blade within my tenant. The following are the details.

    Tenant Name :- Tenant 1
    App Name :- multitenant
    Tenant ID :- adf4235a-xxxx-xxxx-xxxx-58132e77a74f
    AppID :- 5ab3a8fe-xxxx-xxxx-xxxx-22735dce8ec4

    200657-image.png

    The following are the three permissions that are approved for the Microsoft Graph API .

    200658-image.png

    Now for any other Azure AD tenant owner to be able to use this application within their tenant, they would have to consent for it, as the application uses certain permissions from the Microsoft Graph API which require admin consent from a global admin, as we can see above in the image from the "admin consent required" column. The admin consent URL is the easiest way for any tenant administrator to create a service principal for the application they would like their whole organization to use. For this, the global admin of the other tenant does not need to be added as a guest to Tenant 1.

    I tried to replicate the error and found that if I use the same tenant ID of Tenant 1 in the admin consent URL, this generates the same error as we got earlier.

    admin000000@000000.onmicrosoft.com  
    Need admin approval  
    unverified  
      
    needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.  
      
    Have an admin account? Sign in with that account  
    Return to the application without granting consent   
    

    200628-image.png

    Root Cause :- The reason for this error is that the global admin of tenant 2 is only a guest in the home tenant where the application is present, which is tenant 1. Hence, essentially, here we are trying to create a service principal in tenant 1, which is not our goal, and thus the error.

    Solution :-

    The working admin consent URL should be designed as follows.

    https://login.microsoftonline.com/{tenantId of the tenant where we want to create the service principal}/adminconsent?client_id={unique appId of the application from tenant 1}&state={someState}

    Once we added the second tenant ID, where we needed to create the service principal, to the admin consent URL, we got the consent prompt as shown below.

    https://login.microsoftonline.com/0ca5b07f-18b4-xxxx-xxxx-xxxxxe1f6ded/adminconsent?client_id=5ab3a8fe-xxxx-xxxx-xxxx-22735dce8ec4&state=12345

    200704-image.png

    Once approved, this application will be added to the tenant and will be available for users to use. We will see a service principal in the enterprise applications blade in the second tenant. You can search and see the same as below in the enterprise applications blade.

    200706-image.png

    If you traverse the enterprise applications blade for this application in the second tenant and check the permissions, you will see all of the permissions which were granted and whether they were consented for all the users in the tenant by the admin or not.

    200722-image.png

    Please note that an app registration in this case will not be created at all, because the application registration is only done in the home tenant, as explained earlier. So if you search for the app in the app registrations blade of tenant 2, the search results in no apps, as the application object for this application will only be found in the home tenant.

    200687-image.png

    Hope the information helps in understanding and explaining how we can consent for an application registered in any other tenant. I am not sure how you had registered earlier where you did not need the second global admin step. Maybe it was a legacy registration, or using a different API, or an enterprise application from the gallery. I am not sure how exactly you were adding the application earlier, but if you can provide more details I can try to help on that as well. The permissions that the app requires in your case seem to be coming from Microsoft Graph, which would require global consent for the whole organization before anyone could use it. It may be possible you were using legacy service principals, but I cannot be sure of that. If the explanation provided is helpful, please do accept the post as answer, and in case you still have queries, please let me know and I will be happy to help further on this.

    Thank you.

    1 person found this answer helpful.
