Can a service principal (Azure Application multi-tenant) grant admin consent to application in tenant using AZ CLI?

Context

We are using multiple directories (TENANT_A, TENANT_B) on Azure. The goal is to create a service principal (Application), _SP_APP, inside TENANT_A which is granted access into TENANT_B. We want to use this service principal in scripts to manage both directories easily. One of the scripts creates new Application Registrations inside TENANT_B AND grants ADMIN CONSENT for these applications.

What is done

_SP_APP

  • Global Admin on both Directories
  • Granted Access to TENANT_B (Visible in Enterprise Application)
  • Api Permissions were granted Admin Consent (TENANT_A and TENANT_B)
    • Microsoft Graph (Delegated and Application Full Access)
    • Azure Active Directory Graph (Delegated and Application Full Access)

Steps

Working correctly

# Login with service principal of multiple tenants application
az login --service-principal -u _SP_APP -p <PASSWORD> --tenant TENANT_B
# Creating application and fetching ID
_OBJECT_ID=`az ad app create ...` 

Not Working

# Granting Admin Consent
az ad app permission admin-consent --id $_OBJECT_ID
# ERROR
Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS50058: A silent sign-in request was sent but no user is signed in.\r\nTrace ID: 9c9bd004-a97a-4543-8ff0-e314de77a700\r\nCorrelation ID: 44c79409-2f3e-43de-a84b-1e5a42e382e7\r\nTimestamp: 2019-10-28 15:54:20Z" ...

What is strange is that when we az login with a Global Admin User and execute the script, it works fine.

Question

Did we miss something to allow this service principal to grant admin consent, or is it something only a "user" can do? (I did not find any answer in the Microsoft Azure documentation.)

Thank you

max-emilien dauvert asked Nov 07 '22 12:11


1 Answer

I have confirmed with an Azure support engineer. We cannot use a service principal to grant admin consent.

If you must use a service principal to do this, you can use the Microsoft Graph API. It will consent to the permissions automatically.

POST https://graph.microsoft.com/beta/xx.onmicrosoft.com/oauth2PermissionGrants

{
  "clientId": "clientId-value",
  "consentType": "consentType-value",
  "expiryTime": "2016-10-19T10:37:00Z",
  "id": "id-value",
  "principalId": "principalId-value",
  "resourceId": "resourceId-value"
}

To call this API, you need to provide an access token; refer to this document for more details.

Tony Ju answered Nov 12 '22 22:11
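As an added example (not code from the question or from the answer above), here is a Python script that performs the Graph-based consent the answer describes, but authenticates with the client-credentials flow so no user session is involved and the AADSTS50058 error from the CLI does not apply. It assumes the v1.0 `oauth2PermissionGrants` endpoint and its `clientId`/`consentType`/`principalId`/`resourceId`/`scope` fields as I know them from the Graph API, that the calling service principal already holds the Graph application permission that allows writing permission grants, and placeholder ids and secrets that you replace with your own. The HTTP transport is injectable so the grant logic can be exercised offline.

```python
"""
Added example: grant tenant-wide (admin) consent for delegated permissions
from a service principal via Microsoft Graph's oauth2PermissionGrants, the
workaround for `az ad app permission admin-consent` failing with AADSTS50058
when no interactive user is signed in.

Assumptions (not from the original page): the service principal holds the
Graph application permission needed to write permission grants, and every
id/secret below is a placeholder.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def _send(req):
    """Default transport: send the prepared request and parse the JSON reply."""
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def acquire_app_token(tenant, app_id, secret, send=_send):
    """Client-credentials flow: the SP signs in as itself, no user session."""
    form = urllib.parse.urlencode({
        "client_id": app_id,
        "client_secret": secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(f"{LOGIN}/{tenant}/oauth2/v2.0/token",
                                 data=form, method="POST")
    return send(req)["access_token"]


def graph(method, path, token, body=None, send=_send):
    """One Graph call; `send` is injectable so the logic is testable offline."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })
    return send(req)


def build_admin_consent_grant(client_sp_id, resource_sp_id, scopes):
    """Body for POST /oauth2PermissionGrants; AllPrincipals = tenant-wide consent."""
    if not scopes:
        raise ValueError("grant at least one delegated scope, and only what the app needs")
    return {
        "clientId": client_sp_id,        # object id of the app's service principal
        "consentType": "AllPrincipals",  # consent on behalf of all users (admin consent)
        "principalId": None,             # must be null when consentType is AllPrincipals
        "resourceId": resource_sp_id,    # object id of the API's service principal
        "scope": " ".join(sorted(set(scopes))),  # space-separated delegated scopes
    }


def upsert_admin_consent(token, client_sp_id, resource_sp_id, scopes, send=_send):
    """Create the tenant-wide grant, or update the scope of an existing one.

    Graph rejects a second grant for the same client/resource/consentType, so
    look for an existing entry first and PATCH its scope instead of POSTing.
    Returns (action, grant_id) so a caller can log exactly what changed.
    """
    wanted = build_admin_consent_grant(client_sp_id, resource_sp_id, scopes)
    filt = urllib.parse.quote(
        f"clientId eq '{client_sp_id}' and consentType eq 'AllPrincipals'")
    found = graph("GET", f"/oauth2PermissionGrants?$filter={filt}", token, send=send)
    existing = [g for g in found.get("value", []) if g.get("resourceId") == resource_sp_id]
    if existing:
        grant = existing[0]
        if grant.get("scope", "") == wanted["scope"]:
            return "unchanged", grant["id"]
        graph("PATCH", f"/oauth2PermissionGrants/{grant['id']}", token,
              {"scope": wanted["scope"]}, send=send)
        return "updated", grant["id"]
    created = graph("POST", "/oauth2PermissionGrants", token, wanted, send=send)
    return "created", created["id"]


if __name__ == "__main__":
    # Placeholder values (constructed for this example); replace with your own.
    tok = acquire_app_token("TENANT_B", "<_SP_APP client id>", "<PASSWORD>")
    print(upsert_admin_consent(tok, "<client SP object id>",
                               "<Microsoft Graph SP object id>", ["User.Read"]))
```

Two caveats worth knowing before relying on this: `oauth2PermissionGrants` covers delegated permissions only, so application permissions (app roles) have to be granted through app role assignments instead; and a principal able to write these grants can consent to anything in the tenant, so keep that service principal's credential in a vault, restrict who can run the script, and review the resulting grants in the sign-in and audit logs the way you would a manual admin-consent click.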