How does the app registered in Azure AD support multi tenants to request access token for SharePoint API?

Question

I recently registered app in Azure AD for SharePoint Online access with OAuth authentication. The account type was set to "in any organizational directory (Multitenant) " , and the API permissions are set with the scope "SharePoint - AllSites.Manage" and granted admin consent.

accounttype

permissions

Everything is working fine with the accounts under the organization where the app was registered. Now I have a customer under another organization in Azure AD who wants to request the token with the same application ID to access their SharePoint API, but we got the error:

AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxx' named 'xxxxx'. Send an interactive authorization request for this user and resource.

request

I was wondering why the token request requires admin consent for the other tenant? The application is already set to support Multitenant and the admin consent was also granted. Please give me some suggestions of how to resolve the problem. Thank you in advanced.

Answer

Hi @shane2405,

This error usually occurs when you missed granting admin consent to the added scope while retrieving access token.

To resolve the error, please check whether you exposed the API like below:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Expose an API

enter image description here

After exposing the API, make sure to grant API permissions for it like below:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> API permissions -> Add a permission -> My APIs -> Your API

enter image description here

After adding API permissions, make sure to grant admin consent if it is required. As you are trying to get access token, please check whether you enabled the below options:

Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Authentication

enter image description here

Please check the below links if error still persists:

azure active directory - InteractionRequiredAuthError: AADSTS65001: The user or administrator has not consented to use the application with ID - Stack Overflow

.net - "AADSTS65001: The user or administrator has not consented to use the application" occurs when token is acquired on behalf of a user - Stack Overflow

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer

Hi @shane2405 ,

Thanks for reaching out.

To achieve multi tenancy in organizations, users for another tenant (where application is not registered) need to ask for consent to access the application in their tenant.

Suppose client application is on Entra ID Tenant B and user is on tenant A.

Make sure to login in your multi-tenant API with user of Tenant A using

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client-id of Tenant B API}&response_type=code&redirect_uri={redirect URI registered in Tenant B API}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345 which will ask for user's consent

Once the consent is provided, the service principal object of API of Tenant B gets registered in Tenant A. This API now can be found under Enterprise Registration Blade of Entra ID in Tenant A.

Now, your client can add permission in Tenant by adding the API scopes under the API Permissions > Add a permission > APIs my organization uses.

In this way users from tenant A can authenticate using their application.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Share via

How does the app registered in Azure AD support multi tenants to request access token for SharePoint API?

2 answers