
Secure Application Model

Learn and ask questions on how to implement secure application model

Glenndsq
Level 3 Contributor

Connect-MgGraph secure application model and GDAP

I am trying to get a token for a partner set with GDAP so I can then use it with Connect-MgGraph.

The below works fine for DAP partners:

 

$ApplicationId = "My application id"
$ApplicationSecret = "My app secret"
$RefreshToken = "My refresh token"

$AuthBody = @{
    client_id     = $ApplicationId
    client_secret = $ApplicationSecret
    scope         = 'https://graph.microsoft.com/.default'
    refresh_token = $RefreshToken
    grant_type    = "refresh_token"
}

$tenantid = "Partner tenant id"

Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$($tenantid)/oauth2/v2.0/token" -Body $Authbody

 

However, it returns:

 

AADSTS65001: The user or administrator has not consented to use the application with ID '########-ffd6-48b7-aa6d-############' named 'AppName'. Send an interactive authorization request for this user and resource.

 

I am able to connect to Exchange for GDAP partners but not Microsoft Graph, particularly the MgGraph PowerShell module. It works fine with DAP.

 

Can anyone help?
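
Added example, not part of the original post or of any Microsoft sample: one way to wrap the token request above so that an automation running across many tenants flags AADSTS65001 (missing application consent) per tenant instead of failing on the raw exception. The function names `Get-AadStsFailure` and `Get-GraphTokenForTenant` and the sample error body are hypothetical and constructed for illustration.

```powershell
# Added example. Function names are hypothetical; the sample error body is constructed.

function Get-AadStsFailure {
    # Parse the JSON error body returned by the v2.0 token endpoint on failure.
    param([Parameter(Mandatory)][string]$ErrorBody)
    try { $err = $ErrorBody | ConvertFrom-Json } catch { return $null }
    $codes = @($err.error_codes)
    [pscustomobject]@{
        Error          = $err.error
        Codes          = $codes
        ConsentMissing = $codes -contains 65001   # AADSTS65001: consent not granted
        CorrelationId  = $err.correlation_id      # useful when opening a support case
    }
}

function Get-GraphTokenForTenant {
    # Same refresh-token request as in the post, with the failure classified.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][hashtable]$AuthBody
    )
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    try {
        Invoke-RestMethod -Method Post -Uri $uri -Body $AuthBody
    }
    catch {
        $failure = if ($_.ErrorDetails.Message) {
            Get-AadStsFailure -ErrorBody $_.ErrorDetails.Message
        }
        if ($failure -and $failure.ConsentMissing) {
            Write-Warning "Tenant ${TenantId}: AADSTS65001, application consent missing (correlation $($failure.CorrelationId))."
            return $null
        }
        throw   # anything else is rethrown unchanged
    }
}

# Constructed sample of a token endpoint error body; all values are placeholders.
$sample = @'
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application.","error_codes":[65001],"correlation_id":"00000000-0000-0000-0000-000000000000"}
'@
Get-AadStsFailure -ErrorBody $sample
```

A `$null` return from `Get-GraphTokenForTenant` identifies a tenant where the application still needs consent, so the caller can skip it and report it rather than abort the whole run.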

7 REPLIES 7
Glenndsq
Level 3 Contributor

Thanks for any support anyone gives 🙂

v-jillarmour
Community Manager

I've been in contact with the internal team and they suggested submitting a support ticket for each instance as it sounds like a technical issue that requires some investigation from the technical team. 

 

https://aka.ms/technicalservices

 

If anyone gets a solution will they come back and let this string know? Thank you! 

MatStretcher
Visitor 1

We are observing the same problem since we've changed DAP to GDAP for some of our Customer-Tenants. However, calls concerning the PartnerCenterAPI can be successfully sent and received. Otherwise all operations concerning the MS Graph API are returned with the error:

 

"AADSTS65001: The user or administrator has not consented to use the application with ID '########-######-###-####-############' named '<OurAppName>'. Send an interactive authorization request for this user and resource."

 

Any help would be appreciated.

sansbacher
Level 6 Contributor

@MatStretcher and @Glenndsq ,

 

Just wanted to reply because this thread was one of the few hits I had for GDAP and your error, AADSTS65001. I believe the problem is that Microsoft changed the GDAP delegated permissions model between late August 2022 (when I initially tested DAP -> GDAP and it all worked) and early October, when you two and @ClaudioStallone encountered this error.

 

SOLUTION:

In another thread in this Partner Center forum @JanoschUlmer posted a solution that @ClaudioStallone confirmed. I just tested it and it works, including for Connect-MgGraph. You can see my reply here, which is in the same thread, including a confirmation from Kelvin.

 

https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/MS-Graph-and-Partner-GDAP-access-customer-tenant-via-graph/m-p/80631/highlight/true#M364

 

It shows how you will need to add a Consent for your Secure App Model in the Customer's tenancy. I also found that Exch Online works, but for Azure AD, Graph, and Azure the steps in the post (originally from Janosch) are required.

 

I hope that helps!

  --Saul

v-jillarmour
Community Manager

@Glenndsq @ClaudioStallone I don't know anything about this, but I am inquiring within to see if I can find someone to help. I'll let you know if I find out anything! Sorry for your troubles here. 

ClaudioStallone
Level 6 Contributor

Hello @v-jillarmour 

 

Thank you very much, we have also created an MS case for that: TrackingID#2210040040003176

It is very urgent for us, as our automations using Azure as well as MS Graph are no longer working for GDAP customers!

ClaudioStallone
Level 6 Contributor

We have the same issue since this week!