Tags: azure, microsoft-graph-api, azure-ad-b2b

Admin consent to give application registered in Tenant A access to Graph in Tenant B


My application is registered in tenant A and requires the Microsoft Graph permission Invite guest users to the organization. The application is an API app without a GUI.

To give the application Graph access in Tenant A I do the following:
1. go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=<My application ID>&prompt=admin_consent
2. Login with admin credentials for tenant A

Done - my Service Principal in tenant A now has Invite guest users to the organization permission

So far so good. Now I want to give the same application access to invite guest users in tenant B. How do I do that?

I've tried the same flow as before:
1. go to https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=<My application ID>&prompt=admin_consent
2. Login with admin credentials for tenant B

This results in the following error message:

AADSTS50020: User account '[email protected]' from identity provider 'yyy.com' does not exist in tenant 'Tenant A' and cannot access the application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

It seems that this action tries to give the application the required permissions in Tenant A even though I login with admin credentials from Tenant B.

How do I give the application the required permissions in Tenant B? Is it possible to use the admin consent flow with a Service Principal ID from Tenant B instead of the global Application ID for my application?


Solution

  • Found the problem.

    The admin account I tried to use for consent in tenant B had previously been invited as a guest account in tenant A. The guest account had since been removed from tenant A but it seems some kind of connection still exists somewhere that disrupts the admin consent flow.

    When I created a new admin account in tenant B and used the new account (with no history at all in tenant A) to consent, it worked as expected.