
Secure Application Model

Learn and ask questions about how to implement the Secure Application Model

Level 1 Contributor

Connect-AzureAD to Other Tenants with Secure Application Model

Hello! Is it possible to use Connect-AzureAD to connect to other tenants using the secure application model? Connect-AzureAD goes through for me, but when attempting to run something like Get-AzureADUser, I get the following error:

get-azureaduser : Error occurred while executing GetUsers
Code: Request_BadRequest
Message: Invalid domain name in the request url.
RequestId: 84f9ac40-c6cb-4a58-beaf-b69dd1038b5e
DateTimeStamp: Sun, 21 Jul 2019 21:18:23 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ get-azureaduser
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADUser], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser

Thanks in advance!

5 REPLIES
Microsoft

Re: Connect-AzureAD to Other Tenants with Secure Application Model

@ashin It is possible; however, you need to be sure your Azure AD application is set up correctly. When you set everything up, did you follow the guidance available here?

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Connect-AzureAD to Other Tenants with Secure Application Model

Hi @idwilliams 

I am having the same problem. I believe my app is set up correctly (is there a way to confirm?). I followed: https://github.com/microsoft/Partner-Center-PowerShell#Native-App

I am able to use it with AppPlusUser rights to connect to the Partner Center and access Subscription and Licensing info.

I can also use it with the older version 1 Msol/MSOnline cmdlets to access other tenants, more or less as per:

https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-1.5

After getting the RefreshToken, AppId and AppSecret, then running New-PartnerAccessToken and Connect-PartnerCenter, I get the aadGraph and graph tokens. I can then use Connect-MsolService to connect to my tenancy, then Get-MsolPartnerContract to get a list of my clients/customers, and use commands such as Get-MsolUser -TenantId <someClientTenantId> -- that works.

But if I use Connect-AzureAD instead, that will connect to MY tenancy, and I can use Get-AzureADContract to see my clients/customers. BUT... I can't work out how to use Connect-AzureAD again to connect to the CLIENT tenancy. Whatever I do, the connection may appear to work, but then Get-AzureADUser returns the error above:

Get-AzureADUser : Error occurred while executing GetUsers
Code: Request_BadRequest
Message: Invalid domain name in the request url.

How can we use the new MFA-enabled Secure Application Model to connect to our client/customer Azure AD tenancies and use the AzureAD cmdlets (not the older, deprecated Msol ones)?

Do you have an example of this working? Thanks so much,

   -Saul

Level 2 Contributor

Re: Connect-AzureAD to Other Tenants with Secure Application Model

Has anyone worked this out with the AzureAD module / Delegated Admin / Secure App Model / MFA?

I just updated to the latest versions of the AzureAD and PartnerCenter modules and have the same problem: I can connect to Partner Center, get an AccessToken from a RefreshToken and connect to OUR (partner) Azure AD, then get a list of all our CLIENTS (using Get-AzureADContract), but I CANNOT connect to the client's Azure AD. No matter what I try for Connect-AzureAD, I can't connect to their tenant. I get the Request_BadRequest for any other AzureAD cmdlets.

Using the older MSOnline module works (Get-MsolUser).

@daokeefe This is the issue I mentioned in the other thread. So when MS fixes the Exchange Online PowerShell module to support the Secure App Model, I hope they also fix this, as I've already migrated all my scripts using Delegated Admin from Msol to AzureAD!

Thanks,

   --Saul

Microsoft

Re: Connect-AzureAD to Other Tenants with Secure Application Model

@ashin and @sansbacher, when you connect using the Azure AD PowerShell module you will need to specify the tenant where you want to connect. The following code snippet should help.

# With the Secure Application Model the credential is the Azure AD application: user name = application (client) ID, password = application secret
$credential = Get-Credential
$refreshToken = 'Your-Refresh-Token-Value'
# Tenant you want to connect to: the CUSTOMER tenant identifier, not the partner tenant
$customerTenantId = 'xxxx-xxxx-xxxx-xxxx'

# Mint both tokens for the customer tenant: Azure AD Graph (used by the AzureAD cmdlets) and Microsoft Graph
$aadGraphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net -Credential $credential -TenantId $customerTenantId
$graphToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $credential -TenantId $customerTenantId

# Connect to the customer tenant with the tokens; -AccountId is the UPN of the user the tokens were issued to
Connect-AzureAD -AadAccessToken $aadGraphToken.AccessToken -AccountId 'user@contoso.com' -MsAccessToken $graphToken.AccessToken -TenantId $customerTenantId

Note that xxxx-xxxx-xxxx-xxxx should be the customer identifier where you want to connect.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
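Editor's note, added to this thread and not part of any reply above: the following PowerShell script turns the per-tenant token pattern from the reply above into a loop over every customer contract the partner can see, so that the AzureAD cmdlets run inside each customer tenant. Everything beyond the cmdlets named in the thread is an assumption: the script name and parameters, reading the refresh token from an environment variable, and the "Company Administrator" role check used as the per-customer work item. It assumes the Azure AD application is registered as the Secure Application Model requires; the thread itself does not settle whether this succeeds for every registration.

```powershell
<#
  Added example (not from the original thread): enumerate delegated-admin customers
  from the partner tenant, then connect to EACH customer tenant with the AzureAD
  module using tokens minted for that tenant.
  Assumptions (not stated on the page): the native app is registered per the Secure
  Application Model, the consented refresh token is in $env:PC_REFRESH_TOKEN, and
  the app credential is application (client) ID + application secret.
#>
param(
    [Parameter(Mandatory)] [string] $PartnerTenantId,      # your CSP (partner) tenant ID
    [Parameter(Mandatory)] [string] $AccountId,            # UPN of the partner user who performed the consent
    [Parameter(Mandatory)] [pscredential] $AppCredential   # user name = application ID, password = app secret
)

# Keep the long-lived refresh token out of the script body; an environment variable is used here (assumption).
$refreshToken = $env:PC_REFRESH_TOKEN
if ([string]::IsNullOrEmpty($refreshToken)) { throw 'PC_REFRESH_TOKEN is not set' }

function Connect-TenantAzureAD {
    param([Parameter(Mandatory)] [string] $TenantId)
    # Both tokens are requested for the TARGET tenant; a partner-tenant token is what produces Request_BadRequest later.
    $aadGraph = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.windows.net -Credential $AppCredential -TenantId $TenantId
    $msGraph  = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://graph.microsoft.com -Credential $AppCredential -TenantId $TenantId
    Connect-AzureAD -AadAccessToken $aadGraph.AccessToken -MsAccessToken $msGraph.AccessToken -AccountId $AccountId -TenantId $TenantId | Out-Null
}

function Disconnect-TenantAzureAD {
    # Disconnect-AzureAD throws when there is no session; swallow that so a failed connect does not abort the loop.
    try { Disconnect-AzureAD } catch { }
}

# 1. Connect to the partner tenant and list the customers under delegated administration.
Connect-TenantAzureAD -TenantId $PartnerTenantId
$customers = Get-AzureADContract | Select-Object DisplayName, DefaultDomainName, CustomerContextId
Disconnect-TenantAzureAD

# 2. For each customer, connect to THEIR tenant and run AzureAD cmdlets there.
$report = foreach ($c in $customers) {
    try {
        Connect-TenantAzureAD -TenantId $c.CustomerContextId

        # Example work item: count Global Administrators (Azure AD Graph names the role "Company Administrator").
        # The role object only exists once the role has been activated in that tenant, so handle a missing role.
        $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
        $adminCount = if ($role) { (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Measure-Object).Count } else { 0 }

        [pscustomobject]@{
            Customer     = $c.DisplayName
            Domain       = $c.DefaultDomainName
            TenantId     = $c.CustomerContextId
            GlobalAdmins = $adminCount
            Error        = $null
        }
    }
    catch {
        # Request_BadRequest / Authorization_IdentityNotFound from the thread land here instead of stopping the run.
        [pscustomobject]@{
            Customer     = $c.DisplayName
            Domain       = $c.DefaultDomainName
            TenantId     = $c.CustomerContextId
            GlobalAdmins = $null
            Error        = $_.Exception.Message
        }
    }
    finally {
        Disconnect-TenantAzureAD
    }
}

$report | Format-Table -AutoSize
```

Usage: `.\Invoke-CustomerAzureADReport.ps1 -PartnerTenantId '<partner-tenant-id>' -AccountId 'admin@partner.example' -AppCredential (Get-Credential)` after setting `$env:PC_REFRESH_TOKEN` (script file name is a placeholder). Treat the refresh token as a credential that reaches every customer tenant: store it in a secret store rather than in scripts or shell history, and keep the app registration scoped to the permissions the script actually needs.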
Level 2 Contributor

Re: Connect-AzureAD to Other Tenants with Secure Application Model

Thanks @idwilliams , unfortunately I still cannot connect with AzureAD using this method - unless I'm missing something (or you're missing the Connect-PartnerCenter step). 

When I try your method and then call Get-AzureADUser I get:

Get-AzureADUser : Error occurred while executing GetUsers
Code: Authorization_IdentityNotFound
Message: The identity of the calling application could not be established.

I did what you suggested: 

Get-Credential # for this I used the NativeApp ID and the SharedSecret (which normally allows AppPlusUser access when it works)

$refreshToken   # I used a known working Refresh_Token

-TenantId    # for all 3 I used a confirmed Tenant / Microsoft ID of a client in our CSP Partner Center

-AccountId   # for this I used the username@domain.com in OUR tenant that has Account Admin permissions in the Partner Center that I used for the consent process.

[Is all that correct?]

And it didn't work. I also tried calling Connect-PartnerCenter but I get "Unauthorized access".

What I want to do: connect to the Partner Center, get a list of all Contracts/Clients and then connect to THEIR tenants (using Delegated Admin) to do stuff for each client. 

This works if I use commands similar to what you provided, but the -TenantId must be MY (partner) tenant ID, and then use Connect-MsolService (with the aadGraph and MsGraph tokens). I can then use Get-MsolUser -All -TenantId 'tenant-id-of-CLIENT-account'.

But trying to do something similar with the AzureAD module doesn't work (it does work if NOT using the Secure App Model, i.e. if I just use regular Delegated Admin).

Do you have any further suggestions? Thanks so much!