'Multitenant API - Admin consent ERROR https://login.microsoftonline.com/organizations/v2.0/adminconsent AADSTS90009

Using the following endpoint acting as the Admin on the tenantB I want to register a multitenant API App defined in another tenantA:

https://login.microsoftonline.com/{tenantB}/v2.0/adminconsent?
client_id={GUIDAppIDInTenantA}
&redirect_uri=http://localhost:8080/myredirecturi
&scope=api://{GUIDAppIDInTenantA}/.default

I am getting this error:

AADSTS90009 Application is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier

I am using the GUID based App Identifier from TenantA. I get the login page and after signing in, I am immediately redirected to the redirect_uri with the error above.

The post OAuth 2.0 and Azure Active Directory - error AADSTS90009 uses a different endpoint and mentions using the GUIDs that I am already using

azure-active-directorymulti-tenantazure-service-principal


Solution 1:[1]

First add the ‘openid profile’ scope like this
https://login.microsoftonline.com/secondTenandID/v2.0/adminconsent?client_id={APP_IP}&redirect_uri={redirect_URI}&scope=openid+profile

This will register the APP (and trust the main Tenant)

Second, submit another request with the actual Multitenant API scope using this format

 https://login.microsoftonline.com/secondTenandID/v2.0/adminconsent?client_id={APP_IP}&redirect_uri={redirect_URI}&scope={APP ID}/.default

this way the APP will be registered with the whole scope of permissions from the main tenant in the secondary tenant.

Solution 2:[2]

Replace

&scope=api://{GUIDAppIDInTenantA}/.default

with

&scope={GUIDAppIDInTenantA}/.default

Solution 3:[3]

All you need is &scope=.default https://login.microsoftonline.com/{ConsentingTid}/v2.0/adminconsent?client_id={WebOrSpaAppId}&redirect_uri={RedirectUri}&scope=.default

No need to spell out the app id twice.

If all you are doing is getting consent for you API, you will only need to consent once.

Also, in your MSAL2 client code:

interactionType: InteractionType.Redirect,
      authRequest: {
        scopes: [
          '.default'
        ]
      }

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 AlfredoRevilla-MSFT
Solution 3

Related Questions

Trying to create the database using ABP framework while DB Migration

How To Create A New Database For Each Tenant on Laravel Sail, Docker

Azure Ad multitenant applications registration with client credentials flow

Query through all provided schemas

Spring Boot Multitenant - Access data from multiple schema at the same time or per http request using spring boot

Design / Implement Transactional Outbox pattern in schema isolated multitenant application

How to authenticate users from different realms against a single application?

DRF/Multi-tenant - How to specify tenant host (domain) in unit tests?

Multi tenant in Firestore

I was trying to implement per tenant one database using ABP framework but couldn't succeed with that approach

Entity framework core multi tenant : auto increment column based in another column value

Hibernate + spring multi tenancy wrong schema selected

How to implement multi-tenancy in new Spring Authorization server

Synapse external table "Unauthorized"

How to redirect from VB.NET legacy web application login page to azure portal to validate azure ad with MFA