Application consent across tenants

Bronze Contributor

Hi,

I have registered application into Azure tenant X123 and I have set the permissions as well. Just waiting that admin consents them.  The idea is to allowing that application to read users from Azure tenant 1ABC. 

 

The instructions says: Construct the URL for granting tenant-wide admin consent So I have the consent URL: 
https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}

so something like following:

https://login.microsoftonline.com/X123-GUID/adminconsent?client_id=APP-GUID

 

The challenge comes when I open the consent URL, do the sign-in with account from tenant 1ABC, but that only gives me the error:

Error Code: 53003
Request Id: 72e23110-3b8e-42b8-b638-84a5e7503810
Correlation Id: e0f361ce-c301-4cv2-9428-0021b575f732
Timestamp: 2024-01-22T17:07:22.298Z
App name: My-User-Reader-App
App id: ffc39123-2eed-454d-9d2f-90z3f4cv2022
IP address: xyz.xyz.xyz.xyz
Device identifier: Not available
Device platform: Windows 10
Device state: Unregistered

 

If I take a look the Azure logs I can see my sign-in on the tenant 1ABC which says:

Sign-in error code: 53003
Failure reason: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

 

Quite same what this shows: https://login.microsoftonline.com/error?code=53003

 

The challenge is, there seems to be no Conditional Access policy listed anywhere which does this blocking. Does anybody knows if this error message is just a general message, or has anybody else fight with issue like this?

 

Could it be some other blocker than Conditional Access policy?

 

And need to highlight also, when doing regular sign-in to both tenants that is working just normally. Only issue is with the consent URL.

 

Or if you have any good ideas how the consent across tenants can be done in the easiest way, I'm happy to hear. Internet is full of those 

 

1 Reply

@Petri X 

 

Take a look at AAD sign-in logs on CA policy / policies