Secure Application Model

Hello @JanoschUlmer 

Support ticket was opened: Your support request 2210110040002662 has been created

@ClaudioStallone Hello! I checked on your support ticket and it shows you had a call later this morning. Can you confirm? Have you been able to resolve your issue? 

@JanoschUlmer 

thank you for your reply, we have already made sure that the service principal (the app registration) is a member of the security group where the GDAP permission is mapped.

Unfortunately without success...

What can we do next?

Hi @ClaudioStallone ,

Your New-PartnerAccessToken command looks correct, and to confirm:

1. It used to work for clients with GDAP, but only in the last week it stopped?
2. It works for clients with DAP still?
3. You are renewing the RefreshToken at least every 90 days?
4. Nothing has changed on your end? Consent granted (and MFA was prompted), the account used to do Consent is still active, with MFA enabled, and IS a member of the AdminAgents Group and whatever GDAP Group has the Roles you need?)

From the other posts in the forums here I would guess you're not alone in experiencing the problem, perhaps there is an issue with GDAP vs DAP just now?

Unfortunately (well fortunately for me 🙂 we have not yet transitioned to GDAP, since MS announced they are extending the GDAP transition deadline, we have remained on DAP - so I can't easily test for you (without setting up a GDAP relationship, removing DAP for that client, and testing - which I did in the past and it worked). I don't know when the new deadline will be, but maybe these issues are contributing to it? @JanoschUlmer do you know when the new GDAP transition deadline will be announced? (it wasn't in the October announcement)

Perhaps @v-jillarmour can look into the GDAP permission problems if they are happening widely and can report back? Hopefully it's a temporary problem!

What happens if you add DAP back for one of the failing GDAP clients, does it start working again? Is the problem just GDAP itself, or is it just certain clients who happen to be on GDAP?

  --Saul

Hi @sansbacher 

Thanks for your feedback.

1. It used to work for clients with GDAP, but only in the last week it stopped?
   1. Yes, it used to work for GDAP customers as well.
2. It works for clients with DAP still?
   1. Yes currently it works only for DAP customers
3. You are renewing the RefreshToken at least every 90 days?
   1. Yes, I renew the refresh token every 40 day
4. Nothing has changed on your end? Consent granted (and MFA was prompted), the account used to do Consent is still active, with MFA enabled, and IS a member of the AdminAgents Group and whatever GDAP Group has the Roles you need?)
   1. No, nothing has changed for us since the last time.
5. What happens if you add DAP back for one of the failing GDAP clients, does it start working again? Is the problem just GDAP itself, or is it just certain clients who happen to be on GDAP?
   1. Yes it working gain, when we add DAP

@JanoschUlmer 

Are you aware of anything that says this is a general problem at Microsoft? Or is there something specific that needs to be considered for GDAP customers?
We are currently completely blocked until this is resolved!

Best Regards

I unfortunately am not part of the support or technical team, so am unable to look into any problems. I'm tracking this string and I'll do what I can do find resources to share. Apologies I don't know more! 🌻

I agree, you shouldn't need to do anything from a Customer Global Admin - I hope this is a typo "I consent with Global Admin account from the customer's tenant." You should be consenting with a Global Admin from your CSP/Partner Tenant.

No need to do anything with any accounts from any Customer tenants. In order to Consent you must use a Global Admin (since you are consenting on behalf of your entire organization - the CSP Partner). The UPN account (used for some of the connections) needs to be an AdminAgent (since it needs Delegated permissions to your Customers' tenants). These can be different accounts, but the UPN account needs to remain an AdminAgent (if you are using DAP). 

I have tested with GDAP and confirmed that: removing a Customer from DAP, but adding them to GDAP, and then adding that UPN account to one of the GDAP Security Groups (eg. one with Global Admin role) works.

I'm not sure what the issue is. Have you tried with multiple Customers? If some work and some don't, can you see their Subscriptions when logged in to the Azure management web GUI from the Partner Center? If not, you may need to wrest control back.

You said "I managed to successfully connect to Partner Center, Exchange Online, AzureAD and MSOL" -- meaning you can connect to multiple Customers (one at a time) and access their data using, say, Get-Mailbox and Get-AzureADUser?

If the issue is just with the 'https://management.azure.com/user_impersonation' scope then I suspect some permission is missing from your Azure AD App Registration. Did you add the permissions for Azure Service Management and Microsoft Graph as "Delegated" (not Application) and they show as Status = Granted for YourTenantName with green check marks?

Like:

If so, maybe there are other ones that need to be added I had already added, but didn't know I needed. Here's the rest of mine:

Maybe add those too? I mainly use: Azure, Azure AD, MSol, and Exchange Online.

@JanoschUlmer  I have used MgGraph module, you can connect with a new MS Graph Token:

$graphToken = New-PartnerAccessToken -ApplicationId $applicationId -Scopes ‘https://graph.microsoft.com/.default’ -RefreshToken $refreshtoken -Credential $credential -Tenant $tenantID

and:

Connect-MgGraph -AccessToken $graphToken.AccessToken

Then something like (or any Mg cmdlet):

Invoke-GraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/Groups/'

But I find it easier to just do direct API calls since all the many (MANY!) MgGraph cmdlets are just thin wrappers for every API endpoint and every REST verb, and don't provide much actual "value" in terms of wrapping up useful functions into PowerShell functions.

Anyway, @igor-stajcic you could try re-creating your Azure AD app, the official process is listed here, which has a section for Azure PowerShell.

But my money is on A) you need to double check the API permissions on the App Registration, and B) do all Consents with your Global Admin + AdminAgent accounts - not Customer ones. (AdminAgent if DAP, or whatever group with the correct Roles -> Group mapping you have set up for GDAP)

In looking at my code:

1. I always connect to MY CSP Partner Tenant first, grab all the Customers/Clients, then disconnect.
2. Then use a foreach ($Customer in $AllCustomers) { ... } loop
3. In that loop I connect to the Customer's Azure AD (because I invariably need to) which involves getting all new Customer Azure AD and Graph tokens, and then Connect-AzureAD with them and the UPN account (which has AdminAgent permissions)
4. I can then do things like: Get-AzureADUser, and not need to specify any -Tenant or -TenantID, etc.
5. Then connecting to the Customer's Azure which involves getting all new Customer Graph and Azure tokens, running Clear-AzContext, then Connect-AzAccount with the Tokens and the UPN account.
6. I can then do Azure things, like Get-AzContext or Get-AzVm without needing to add any -Tenant or -TenantID, it just works.
7. When done I disconnect both before looping again. (if processes take longer than 60 mins you'll need to renew your AccessTokens...)

I'm using AzureAD module 2.0.2.135. For the Az module I'm using version 7.5.0. I think version 7 is the minimum version now. (it has Az.Accounts 2.9.0 and Az.Resources 6.0.1 - those are the critical ones to connect)

I hope some of that helps!

   --Saul

Hello  @sansbacher 

Thank you for such a detailed reply.

Here is what I did:

My Partner Center account in MFA enabled and has Global Admin and Admin Agent permissions in Partner Center. This will not stay that way, but for now, I want to eliminate the permissions problem at this stage of troubleshooting.

I created the application in my Partner Center tenant using the script from the link you posted. https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/m-p/15421/highlight/true#M125

I ran the script with PowerShell 5.1, did all the consents and authentication prompts using my Partner Center account. The script ran without issues.

After the application was created I moved urn:ietf:wg:oauth:2.0:oob redirect URI from Web to Public client/native (mobile & desktop).

I added the additional permissions as you suggested and Granted Admin Consent

Azure Service Management:
    user_impersonation

Microsoft Graph:
    Directory.AccessAsUser.All
    offline_access
    openid

Then I tried to connect to Partner Center, Exchange Online, AzureAD, MSOL and AzAccount modules using the application ID/Secret and the tokens generated by the script.

I manged to successfully connect to Partner Center, Exchange Online, AzureAD and MSOL.

But AzAccount module is still not working.

When I try

$graphTok = New-PartnerAccessToken -ApplicationId $Creds.UserName -Credential $Creds -RefreshToken $refreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $CustomerTenantID

I get the Graph token

When I try

$azureTok = New-PartnerAccessToken -ApplicationId $Creds.UserName -Credential $Creds -RefreshToken $refreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $CustomerTenantID

I get 

New-PartnerAccessToken : AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxx-xxxx-xxxxx' named 'App Name'. Send an interactive authorization request for this user and resource.

Then I did the client consent using the following URL

https://login.microsoftonline.com/<Customer Tenant ID>/oauth2/v2.0/authorize?client_id=<Application ID>&response_type=code&response_mode=query&scope=https://management.azure.com//user_impersonation&state=12345&prompt=consent

I consent with Global Admin account from the customer's tenant.

After that I get Azure Management Token.

Then I ran 

Connect-AzAccount -AccessToken $azureTok.AccessToken -AccountId $UPN -GraphAccessToken $graphTok.AccessToken -TenantId $CustomerTenantID

I get connected, but I still can’t set the context. The customer tenant that I'm working with has two active subscriptions and running get-azcontext -ListAvailable comes empty as before, so I'm not able to set the Subscription and therefore I'm unable to use the AzAccount module against the customer's tenant.

What am I missing?

Hello @igor-stajcic 

we currently have the same problem.

Do I understand correctly that new, the Admin Consent at the customer tenant also be set?

What is the solution here?

Hi @igor-stajcic, @sansbacher 

Link to my post here with the solution:
https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/MS-Graph-and-Partner-GDAP-access-customer-tenant-via-graph/m-p/80048/highlight/true#M359

@igor-stajcic ,

Just wanted to add that @ClaudioStallone is correct, what he found works. I was able to work out the exact steps based on what Janosch posted, and confirmed it works with Connect-AzAccount and bypasses the AADSTS65001 error. You can see my steps and info in the same thread Claudio linked to here:

https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/MS-Graph-and-Partner-GDAP-access-customer-tenant-via-graph/m-p/80631/highlight/true#M364

I hope that helps!

   --Saul