how to add permissions across active directory? (problems with setting up multi-tenant app in azure)
Question
Now I have one App in Azure active directory1, and a web api in Azure active directory2. My aim is to allow users in AAD1 and AAD2 can both login the App.
So far I've enabled App and Api as multi-tenant, added each other in the manifest as known client application.
The things I've not finished yet: add one as a custom domain into the other, add permissions btw api and app, and I met some problems on these two.
Right now my error msg is:
An error has occurred while authorizing access via Authorization Server: unauthorized_client AADSTS65005: Invalid > resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.
When I tried to give the access in the api, in the required permission list, I didn't see the web app (which is in the other directory). How should I do with it?
If I move both App and Api under the same directory, is there anyway that allows users from the other directory to login?
2 answers
solution1
1 2017-10-02 23:39:11
In order for you to see the Web API in Tenant 1 as an option for "Required Permission List", you need to provision the service principal for the Web API into Tenant 1.
You can do this a number of ways, but the easiest way may be to simply sign into the Web API by generating a Login URL. Once you login, using a user from Tenant 1, the service principal will be provisioned in the tenant, and then be an option available to select.
https://login.microsoftonline.com/common/oauth2/authorize?client_id=<appid>&response_type=code&redirect_uri=<replyurl>&resource=<resource>&prompt=consent
The other option might be to use AAD PowerShell to create a service principal based off your Web API App Id:
New-AzureADServicePrincipal
New-AzureADServicePrincipal -AccountEnabled $true -AppId $MyApp.AppId -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}
Once you have successfully put the service principal on your required permissions, the error message you described above should go away.
solution2
1 2017-10-03 06:04:47
In addition to Shawn Tabrizi's answer, you can also specify your API as a known client application of the App.
So in your App's manifest:
"knownClientApplications": [
"your-api-client-id"
]
Then if you try to authenticate to the App, it can do consent for the API as well at the same time.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.