My goal here is to be able to use the service principal of an Enterprise Application in the source tenant to authenticate towards/connect to destination tenants as Global Administrator.
In the source tenant I have added an Enterprise Application. I am able to successfully connect to this tenant with this EA service principal using Connect-AzAccount (providing the secret in the Credential parameter).
Connect-AzAccount -ServicePrincipal -Credential $srcCredentials -Tenant $srcTenantId -Scope Process -ErrorAction Stop
On the destination tenant I use a Global Administrator user to invite the service principal from the source tenant (MsGraph) using New-MgInvitation.
New-MgInvitation -InvitedUserType Member -Status Completed -InvitedUserDisplayName "Auto" -InvitedUserEmailAddress "$srcPrincipalObjectId@$srcTenantId" -InviteRedirectUrl "https://myapps.microsoft.com" -SendInvitationMessage:$false -ErrorAction Stop
I then add the role of "Global Administrator" to it. When I perform Connect-AzAccount on the destination tenant using the credentials for the Enterprise Application in the source tenant, I get this error:
Connect-AzAccount -ServicePrincipal -Credential $srcCredentials -Tenant $dstTenantId -Scope Process -ErrorAction Stop
WARNING: The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant.
What am I missing?
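The warning quoted above says the Az module rejects the token because none of the claims 'puid', 'altsecid' or 'oid' is present. A practical first diagnostic step is to look at the token that was actually issued and check which claims it carries and which tenant ('tid') it was issued for. The following is an added example, not code from the original post or from the Az/Microsoft Graph modules: it decodes a JWT payload without verifying the signature (diagnostic use only), applies the same at-least-one-of rule the warning describes, and compares 'tid' with the tenant you tried to connect to. The tenant IDs, object IDs and the two tokens are constructed placeholders.

```python
import base64
import json

# Claims the Az warning quoted above requires at least one of.
IDENTITY_CLAIMS = ("puid", "altsecid", "oid")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified;
    this is only for inspecting what the token contains."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, expected_tenant: str) -> dict:
    """Report which identity claims are present and whether the token was
    issued for the tenant we expected to connect to."""
    claims = decode_jwt_payload(token)
    present = [c for c in IDENTITY_CLAIMS if c in claims]
    return {
        "identity_claims_present": present,
        "passes_identity_check": bool(present),   # the rule from the Az warning
        "tid": claims.get("tid"),
        "tenant_matches": claims.get("tid") == expected_tenant,
        "appid": claims.get("appid"),
    }


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."   # empty signature segment


# Constructed placeholder identifiers (not real tenants or objects).
DST_TENANT = "22222222-2222-2222-2222-222222222222"
APP_ID = "33333333-3333-3333-3333-333333333333"
SP_OBJECT_ID = "44444444-4444-4444-4444-444444444444"

# Token with an 'oid' claim: the shape Az accepts for an application identity.
GOOD_TOKEN = _make_unsigned_token({"tid": DST_TENANT, "appid": APP_ID, "oid": SP_OBJECT_ID})

# Token with none of puid/altsecid/oid: the shape that triggers the warning above.
BAD_TOKEN = _make_unsigned_token({"tid": DST_TENANT, "appid": APP_ID})


if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(label, diagnose_token(tok, DST_TENANT))
```

To run it against a real token, pass the access token string returned by Get-AzAccessToken (or whatever your session exposes) and the tenant ID you used in -Tenant; a result with passes_identity_check False reproduces the condition the warning reports, and a mismatching tid shows the token was issued for a different tenant than intended.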