GDAP and PowerShell modules
Is it possible to connect to PowerShell modules such as MgGraph or Exchange Online for partner tenants using GDAP, as it is with standard DAP?
Or is GDAP limited to API calls only?
It seems like quite a step backwards if you can't use PowerShell modules with GDAP permissions.
@Glenndsq Received a few other reports and can reproduce myself that since last week there seems to be a more widespread issue - the Secure App Model works for connecting to Partner Center, but fails for connecting to any end customer. You can raise a support ticket via Partner Center, and/or you can contact my team (https://aka.ms/technicalservices) to first have a discussion about whether your approach is correct and if there are more recommendations.
@Glenndsq : Can confirm it works the same using GDAP. When you look at the Secure App Model documentation, for GDAP there are some changes:
- The service principal needs to be added to the security group that gets customer permissions mapped and to the AdminAgents security group (instead of only being in AdminAgents, as with DAP)
- The same applies to the user account used for the interactive consent/token creation; it also needs to be a member of the respective security groups used for GDAP and of the AdminAgents security group.
If your PowerShell scripts don't need access to any Partner Center operations, you would not need to put them in the AdminAgents group, only in the GDAP-enabled security groups - though this might be a rare scenario; even just to query the customer list you need to be in the Agents groups.
That's great, thanks. What are the security group names that need the extra additions?
@Glenndsq : With GDAP, you define & create the security groups in your tenant that are used to map the GDAP permissions customers have granted you.
What this means for your service principal depends on how you plan to set this up - e.g. you could use one security group where permissions are mapped for every customer and make the service principal a member of that. There could also be multiple security groups, e.g. a distinct one for each customer; consequently you would need to make the service principal a member of each of them.
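The two replies above (the GDAP changes to the Secure App Model setup, and the answer that the GDAP groups are ones you create yourself) describe a membership requirement that is easy to get subtly wrong. The following is an added example, not code from the original thread or from Microsoft, using the Microsoft Graph PowerShell SDK to add the Secure App Model service principal and the interactive-consent user to every required group in the partner tenant and report what was already in place. The app ID, the consent user's UPN and the GDAP group display name are placeholder assumptions; replace them with your own values.

```powershell
# Added example (not from the original thread). Run this against the PARTNER tenant.
# Ensures the Secure App Model service principal and the consent user are members of
# both the GDAP-mapped security group(s) and AdminAgents, as the reply above requires.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Applications, Microsoft.Graph.Users

$AppId          = '00000000-0000-0000-0000-000000000000'   # assumption: Secure App Model app (client) ID
$ConsentUserUpn = 'sam-consent@partner.example'            # assumption: account used for the interactive consent
$GdapGroupNames = @('GDAP-Customer-Admins')                # assumption: GDAP-mapped group(s) you created
$RequiredGroups = $GdapGroupNames + 'AdminAgents'          # AdminAgents: built-in Partner Center agent group

# Directory scopes sufficient to read identities and change group membership.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.Read.All', 'User.Read.All' | Out-Null

function Get-GroupByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Escape single quotes so the OData filter cannot be broken by the group name.
    $safe = $DisplayName.Replace("'", "''")
    $g = @(Get-MgGroup -Filter "displayName eq '$safe'" -Property Id, DisplayName)
    if ($g.Count -eq 0) { throw "Security group '$DisplayName' not found in this tenant." }
    if ($g.Count -gt 1)  { throw "Group name '$DisplayName' is ambiguous; use object IDs instead." }
    return $g[0]
}

function Ensure-GroupMembership {
    param(
        [Parameter(Mandatory)]$Group,
        [Parameter(Mandatory)][string]$DirectoryObjectId,
        [Parameter(Mandatory)][string]$Label
    )
    # Idempotent: only add when the object is not already a member.
    $members = @(Get-MgGroupMember -GroupId $Group.Id -All)
    if ($members.Id -contains $DirectoryObjectId) {
        Write-Host "OK     $Label is already a member of $($Group.DisplayName)"
        return $false
    }
    New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $DirectoryObjectId
    Write-Host "ADDED  $Label to $($Group.DisplayName)"
    return $true
}

# The member must be the SERVICE PRINCIPAL (Enterprise application) object in this tenant,
# not the App registration object; the two have different object IDs.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant; consent the app here first." }

$user = Get-MgUser -UserId $ConsentUserUpn -Property Id, UserPrincipalName, DisplayName

$changes = 0
foreach ($name in $RequiredGroups) {
    $group = Get-GroupByName -DisplayName $name
    if (Ensure-GroupMembership -Group $group -DirectoryObjectId $sp.Id   -Label "service principal '$($sp.DisplayName)'") { $changes++ }
    if (Ensure-GroupMembership -Group $group -DirectoryObjectId $user.Id -Label "user '$($user.UserPrincipalName)'")      { $changes++ }
}
Write-Host "Done. $changes membership change(s) made across $($RequiredGroups.Count) group(s)."
```

Group membership changes in Entra ID can take a few minutes to be reflected in newly issued tokens, so after running this, obtain a fresh token for the customer tenant rather than reusing one cached from before the change. If you use one GDAP group per customer, list every such group in `$GdapGroupNames`; the script treats them all the same way.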
Got it working at last. Thanks for all the help. Had to change a few permissions on the groups.
Superb 🙂
Spoke too soon. Not working 😞
Thanks very much for your help. I did exactly as described, but nothing changed in terms of functionality. It still doesn't work.
I don't think the Secure Application Model wants to play nice for me.
Oh well.
GDAP is supposed to be at parity with DAP.
In theory, what was possible regarding partner access in DAP should still function via GDAP.
PowerShell is not something I have tested, though.
A good place to raise and discuss these is the GDAP CSP Security Q&A sessions that partners may join:
GranularDelegatedAdminPrivilegesinCSPQASession Listing Page (eventbuilder.com)
