Unable to create delegated admin relationship with Graph
I am getting a token by doing a POST to /oauth2/v2.0/token with content $"{ConfigurationParams.GdapAdminClientId}&scope=https://graph.microsoft.com/.default&client_secret={ConfigurationParams.GdapAdminClientSecret}&grant_type=client_credentials".
The associated Azure App has this DelegatedAdminRelationship.ReadWrite.All as a delegated permission. I am receiving a token and validated that it contains: "roles": ["DelegatedAdminRelationship.ReadWrite.All"].
But when I POST to https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships
I receive the following error:
{"error":{"code":"forbidden","message":"Access to the resource is restricted.","innerError":{"code":"forbiddenUserDoesNotHaveAccess","message":"The user (principal) does not have the required permissions to perform the specified action on the resource."
What
Labels: CSP
@JohnBenes - This is app+user authentication, so the user used for creating the token needs to have permissions as well, meaning the user needs to be in AdminAgent group in Partner Center.
You can raise a request in Technical Presales & Deployment Services team to get guidance on how to work Secure App Model/App+User and GraphAPI - at least we could check if the overall approach is valid and discuss other best practices. See https://aka.ms/technicalservices
But maybe others have additional ideas here - I'm also not that familiar with REST API syntax, I'm more a PowerShell guy 🙂
Receive consultations via Technical Presales and Deployment Services team
@JanoschUlmer thank you for your reply. I am a member of two domains: a corporate domain that I use to log into my PC, and a second domain for doing the CSP development. I am not a privileged user in the corporate domain, but I am in the CSP sandbox domain. If I'm logged into my PC using the corporate domain and also have a browser open where I'm logged into the CSP sandbox domain, which domain will be used to check my user permission?
Does not matter - At the step where you are getting the authorization code, before you create the token, you will be asked to sign in explicitly, see also Step 1-3 here: https://learn.microsoft.com/en-us/partner-center/develop/enable-secure-app-model#get-authorization-code
Receive consultations via Technical Presales and Deployment Services team
I'll have to follow up with Professional Services. This code will be running in a web service, without an associated authenticated user, so we'll have to see if there is a workaround.
@JohnBenes : to be clear - the App+User authentication schema does not mean that a user continuously needs to go through interactive authentication prompts; you just need to do this one time to create the token.
Usually Partners just create one "service account" user that is not personalized, add this to the AdminAgent group (or the groups used for GDAP permissions) and then use the password/MFA associated with this account only once for setting this up. After that, the credentials for this user are securely stored and are only ever needed again if you need to modify permissions and thus need to create a new token.
For GDAP API there is no workaround, since GDAP requires delegated (app+user) permissions.
As mentioned, you can reach out to https://aka.ms/technicalservices for guidance.
Receive consultations via Technical Presales and Deployment Services team
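To make the distinction in the replies above concrete (the client_credentials request in the original post yields an app-only token carrying a "roles" claim, whereas the Secure App Model exchanges a refresh token obtained once by the service-account user for a delegated token carrying an "scp" claim), here is an added Python example. It is not code from the original thread, from Microsoft, or from the Secure App Model samples; the tenant, client and token values are constructed placeholders, and the two sample JWTs are unsigned test data built inline, not real Azure AD tokens. The claim inspection decodes the payload without signature verification, which is fine for diagnosing your own token but must never be used for an authorization decision.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GDAP_PERMISSION = "DelegatedAdminRelationship.ReadWrite.All"


def build_token_request(tenant_id, client_id, client_secret, refresh_token=None):
    """Return (url, form_body) for the v2.0 token endpoint.

    With refresh_token=None this is the client_credentials request from the
    original post (app-only). With a refresh token it is the Secure App Model
    request (app+user): the refresh token the service-account user produced
    once interactively is exchanged for an access token on every call.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret, "scope": GRAPH_SCOPE}
    if refresh_token is None:
        body["grant_type"] = "client_credentials"
    else:
        body["grant_type"] = "refresh_token"
        body["refresh_token"] = refresh_token
    return url, urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims):
    """'delegated' if the token carries user scopes (scp), 'app-only' if it
    carries only application roles, otherwise 'unknown'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def gdap_readiness(claims):
    """Return (ok, reason) for calling the GDAP endpoint with this token.

    A delegated token with the right scope can still be rejected if the user
    is not in the AdminAgents group; group membership is not a claim here.
    """
    kind = classify_token(claims)
    if kind == "app-only":
        return False, (f"app-only token: '{GDAP_PERMISSION}' under 'roles' is an "
                       "application permission; GDAP needs a delegated (app+user) "
                       "token, so expect forbiddenUserDoesNotHaveAccess")
    if kind == "delegated":
        if GDAP_PERMISSION not in claims["scp"].split():
            return False, f"delegated token lacks scope {GDAP_PERMISSION}"
        return True, f"delegated token for {claims.get('upn', '<no upn>')} with {GDAP_PERMISSION}"
    return False, "token carries neither scp nor roles"


def make_unsigned_jwt(payload):
    """Build an unsigned JWT for the constructed samples below (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens, not real Azure AD tokens.
APP_ONLY_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                    "roles": [GDAP_PERMISSION]})
DELEGATED_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                     "scp": f"{GDAP_PERMISSION} User.Read",
                                     "upn": "gdap-svc@partner.example"})

if __name__ == "__main__":
    for grant, tok in (("client_credentials", APP_ONLY_TOKEN), ("refresh_token", DELEGATED_TOKEN)):
        ok, why = gdap_readiness(decode_claims(tok))
        print(f"{grant:18} ok={ok} {why}")
```

Running it prints a not-ready verdict for the client_credentials token and a ready verdict for the refresh-token one; pasting your own access token into decode_claims shows at a glance whether you hold "roles" (app-only) or "scp" (delegated) before you make the Graph call.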
I forgot to mention that I did grant consent to the privilege in the Azure portal.
