JohnBenes
Level 1 Contributor

Unable to create delegated admin relationship with Graph

I am getting a token by doing a POST to /oauth2/v2.0/token with content $"{ConfigurationParams.GdapAdminClientId}&scope=https://graph.microsoft.com/.default&client_secret={ConfigurationParams.GdapAdminClientSecret}&grant_type=client_credentials". 

The associated Azure App has DelegatedAdminRelationship.ReadWrite.All as a delegated permission. I am receiving a token and validated that it contains: "roles": ["DelegatedAdminRelationship.ReadWrite.All"].

But when I POST to https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships I receive the following error:

{"error":{"code":"forbidden","message":"Access to the resource is restricted.","innerError":{"code":"forbiddenUserDoesNotHaveAccess","message":"The user (principal) does not have the required permissions to perform the specified action on the resource."}}}

What


6 REPLIES
JanoschUlmer
Microsoft

@JohnBenes - This is app+user authentication, so the user used for creating the token needs to have permissions as well, meaning the user needs to be in the AdminAgent group in Partner Center.

You can raise a request with the Technical Presales & Deployment Services team to get guidance on how to work with Secure App Model/App+User and the Graph API - at least we could check if the overall approach is valid and discuss other best practices. See https://aka.ms/technicalservices

But maybe others have additional ideas here - I'm also not that familiar with REST API syntax, I'm more a PowerShell guy 🙂

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
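The distinction Janosch draws (app-only client_credentials token vs. app+user delegated token) can be checked on the token itself: an app-only token from Entra ID carries a "roles" claim, whereas a delegated token carries a space-separated "scp" claim. The inspector below is an added example, not code from the thread; the two sample tokens are constructed and unsigned, and the claims are read without signature verification purely for diagnosis.

```python
import base64
import json

# Permission the thread is about; GDAP endpoints need it as a delegated (scp) permission.
GDAP_PERMISSION = "DelegatedAdminRelationship.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the UNVERIFIED claims of a compact JWT (diagnostics only, never for authz)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """'app+user' if the token has delegated scopes, 'app-only' if it has app roles."""
    claims = decode_payload(token)
    if "scp" in claims:
        return "app+user"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def granted_permissions(token: str) -> set:
    claims = decode_payload(token)
    perms = set(claims.get("roles", []))          # application permissions (list)
    perms.update(str(claims.get("scp", "")).split())  # delegated permissions (string)
    return perms


def can_call_gdap(token: str) -> tuple:
    """Explain why a token will (or will not) satisfy the GDAP API's delegated-permission check."""
    kind = classify_token(token)
    if kind != "app+user":
        return (False, f"token is {kind}; GDAP requires an app+user (delegated) token")
    if GDAP_PERMISSION not in granted_permissions(token):
        return (False, f"token lacks {GDAP_PERMISSION} in scp")
    return (True, "token shape is acceptable; the signed-in user must also be in the AdminAgent group")


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token with alg=none and an empty signature, for illustration only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: what client_credentials returns vs. what the auth-code flow returns.
APP_ONLY_TOKEN = _make_unsigned_jwt({"aud": "https://graph.microsoft.com", "idtyp": "app",
                                     "roles": [GDAP_PERMISSION]})
DELEGATED_TOKEN = _make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                      "upn": "gdap-svc@example.onmicrosoft.com",
                                      "scp": f"{GDAP_PERMISSION} User.Read"})
```

Run it against your real token to see which of the two shapes you actually received; the poster's "roles" claim is the app-only shape.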
JohnBenes
Level 1 Contributor

@JanoschUlmer thank you for your reply. I am a member of two domains: a corporate domain that I use to log into my PC, and a second domain for doing the CSP development. I am not a privileged user in the corporate domain, but am in the CSP sandbox domain. If I'm logged into my PC using the corporate domain and also have a browser open where I'm logged into the CSP sandbox domain, which domain will be used to check my user permissions?

JanoschUlmer
Microsoft

Does not matter - At the step where you get the authorization code, before you create the token, you will be asked to sign in explicitly, see also Steps 1-3 here: https://learn.microsoft.com/en-us/partner-center/develop/enable-secure-app-model#get-authorization-code

Kind regards, Janosch
JohnBenes
Level 1 Contributor

I'll have to follow up with Professional Services. This code will be running in a web service, without an associated authenticated user, so we'll have to see if there is a workaround.

JanoschUlmer
Microsoft

@JohnBenes : to be clear - the App+User authentication scheme does not mean that a user continuously needs to go through interactive authentication prompts, you just need to do this one time to create the token.

Usually Partners just create one "service account" user that is not personalized, add it to the AdminAgent group (or the groups used for GDAP permissions) and then use the password/MFA associated with this account only once for setting this up. After that, the credentials for this user are securely stored and are only ever needed again if you need to modify permissions and thus need to create a new token.

For GDAP API there is no workaround, since GDAP requires delegated (app+user) permissions.

As mentioned, you can reach out to https://aka.ms/technicalservices for guidance.

Kind regards, Janosch
JohnBenes
Level 1 Contributor

I forgot to mention that I did grant consent to the privilege in the Azure portal.