
How to resolve 'invalid hostname for this tenancy' error when accessing Microsoft Graph API for multi-tenant app registration?


I have a multi-tenant app registration in Azure AD with permissions to Sites.Selected to use the Microsoft Graph API for reading/writing to SharePoint sites. Tenant B has successfully given admin consent through the generated admin consent link, resulting in an enterprise application in Tenant B. However, while I can access sites in Tenant A using the app registration, I receive an 'invalid hostname for this tenancy' error when trying to access sites in Tenant B.

How can I resolve this issue to access sites in Tenant B using the Microsoft Graph API?

Any help or guidance would be greatly appreciated. Thank you.

I tried calling the "/sites/{hostName}:{serverRelativePath}" Microsoft Graph endpoint using a site from Tenant B, which resulted in this error:

{"error":{"code":"invalidRequest","message":"Invalid hostname for this tenancy","innerError":{"date":"2024-07-04T08:03:02","request-id":"22ceb0ec-b377-4086-91ec-610ed637413f","client-request-id":"22ceb0ec-b377-4086-91ec-610ed637413f"}}}


Solution

  • Created a Multi-Tenant Microsoft Entra ID application in TenantA and granted the Microsoft Graph Sites.Selected API permission:

    In TenantB, created a Service Principal and granted admin consent:

    New-AzADServicePrincipal -ApplicationId <AppIDOfTenantAApp>
    

    After granting admin consent, the permissions are granted to the TenantB Enterprise application:

    As you are making use of the Client Credentials flow, you must set up an app-only principal with tenant permissions:

    • Sites.Selected API permission allows access only to the selected sites.
    • Hence you need to grant the app access to the site you want to access.

    Navigate to https://TenantBDomain.sharepoint.com/sites/SiteName/_layouts/15/appinv.aspx and sign in with a TenantB user. Pass the TenantAAppID and give access by using the XML request:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
        <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
    </AppPermissionRequests>
    

    Click on Create and then Trust It:

    Generate an access token from the TenantB token endpoint:

    POST https://login.microsoftonline.com/TenantBTenantID/oauth2/v2.0/token

    client_id:TenantAAppID
    client_secret:TenantAClientSecret
    scope:https://graph.microsoft.com/.default
    grant_type:client_credentials
    

    Now I am able to successfully access the TenantB site using the TenantA Microsoft Entra ID application:

    GET https://graph.microsoft.com/v1.0/sites/TenantBDomain.sharepoint.com:/sites/SiteName:/
    

    If the issue still persists, make sure to pass the Site ID instead of the site name in the API call.

    If you do not want to grant permissions in the Add-in to allow Full Control to the application, then refer to this SO thread by me.
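The following script is an added example (not part of the question or the answer above) that turns the answer's procedure into code: it requests a client-credentials token from the TenantB-specific token endpoint, checks the token's `tid` claim against the target tenant before calling Graph (the check that would have caught the original mistake of using a TenantA token against a TenantB hostname), builds the `/sites/{hostname}:{serverRelativePath}:` URL, and classifies the Graph error body. Tenant IDs, app IDs and hostnames are placeholders; the sample JWT used for the offline demonstration is constructed and unsigned.

```python
"""Client-credentials access to a SharePoint site in another tenant via Microsoft Graph.

Added example. Placeholders (TENANT_B_ID, APP_ID, CLIENT_SECRET, TENANT_B_HOST)
must be replaced with real values; network calls only run when executed directly.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def token_endpoint(tenant_id: str) -> str:
    # The token must be issued by the tenant that owns the SharePoint site
    # (TenantB), not by /common or by the app's home tenant (TenantA).
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def site_url(hostname: str, server_relative_path: str) -> str:
    # Same addressing form as in the question: /sites/{hostName}:{serverRelativePath}:
    if not server_relative_path.startswith("/"):
        server_relative_path = "/" + server_relative_path
    return f"{GRAPH}/sites/{hostname}:{server_relative_path}:/"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    # Reads the payload only and does NOT verify the signature; Graph, as the
    # resource, validates the token. This is a pre-flight sanity check on claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_tenant(token: str, expected_tenant_id: str) -> bool:
    # A token whose tid is TenantA cannot address TenantB's SharePoint hostname.
    return jwt_claims(token).get("tid", "").lower() == expected_tenant_id.lower()


def diagnose_graph_error(body: str) -> str:
    """Map a Graph error body to a short cause label."""
    err = json.loads(body).get("error", {})
    code, msg = err.get("code", ""), err.get("message", "").lower()
    if code == "invalidRequest" and "invalid hostname for this tenancy" in msg:
        return "tenant-mismatch"   # token issued by a different tenant than the host
    if code == "accessDenied":
        return "site-permission"   # Sites.Selected granted but site not assigned to app
    return "other"


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(token_endpoint(tenant_id), data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_site(token: str, hostname: str, server_relative_path: str) -> dict:
    req = urllib.request.Request(site_url(hostname, server_relative_path),
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        body = exc.read().decode()
        raise RuntimeError(f"Graph {exc.code} ({diagnose_graph_error(body)}): {body}") from exc


def constructed_test_token(tid: str) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'tid': tid, 'aud': 'https://graph.microsoft.com'})}."


if __name__ == "__main__":
    TENANT_B_ID = "<TenantBTenantID>"        # placeholder
    APP_ID = "<TenantAAppID>"                # placeholder
    CLIENT_SECRET = "<TenantAClientSecret>"  # placeholder
    TENANT_B_HOST = "TenantBDomain.sharepoint.com"
    tok = acquire_token(TENANT_B_ID, APP_ID, CLIENT_SECRET)
    if not token_matches_tenant(tok, TENANT_B_ID):
        raise SystemExit("token tid does not match TenantB; check the token endpoint")
    print(json.dumps(get_site(tok, TENANT_B_HOST, "/sites/SiteName"), indent=2))
```

The `tid` check is cheap and worth keeping in any multi-tenant Graph client: a token from the wrong tenant is syntactically valid and only fails at the resource, with exactly the `Invalid hostname for this tenancy` message shown in the question.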