Using the following endpoint acting as the Admin on the tenantB I want to register a multitenant API App defined in another tenantA:

https://login.microsoftonline.com/{tenantB}/v2.0/adminconsent?
client_id={GUIDAppIDInTenantA}
&redirect_uri=http://localhost:8080/myredirecturi
&scope=api://{GUIDAppIDInTenantA}/.default

I am getting this error:

AADSTS90009 Application is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier

I am using the GUID based App Identifier from TenantA. I get the login page and after signing in, I am immediately redirected to the redirect_uri with the error above.

The post OAuth 2.0 and Azure Active Directory - error AADSTS90009 uses a different endpoint and mentions using the GUIDs that I am already using

3

There are 3 answers

0
iamnicoj On BEST ANSWER

First add the ‘openid profile’ scope like this
https://login.microsoftonline.com/secondTenandID/v2.0/adminconsent?client_id={APP_IP}&redirect_uri={redirect_URI}&scope=openid+profile

This will register the APP (and trust the main Tenant)

Second, submit another request with the actual Multitenant API scope using this format

 https://login.microsoftonline.com/secondTenandID/v2.0/adminconsent?client_id={APP_IP}&redirect_uri={redirect_URI}&scope={APP ID}/.default

this way the APP will be registered with the whole scope of permissions from the main tenant in the secondary tenant.

3
AlfredoRevilla-MSFT On

Replace

&scope=api://{GUIDAppIDInTenantA}/.default

with

&scope={GUIDAppIDInTenantA}/.default

0
LastTribunal On

All you need is &scope=.default https://login.microsoftonline.com/{ConsentingTid}/v2.0/adminconsent?client_id={WebOrSpaAppId}&redirect_uri={RedirectUri}&scope=.default

No need to spell out the app id twice.

If all you are doing is getting consent for you API, you will only need to consent once.

Also, in your MSAL2 client code:

interactionType: InteractionType.Redirect,
      authRequest: {
        scopes: [
          '.default'
        ]
      }