
Secure Application Model

Learn and ask questions on how to implement the Secure Application Model

Leon-anspired
Level 2 Contributor

MS Graph and Partner GDAP - access customer tenant via graph

I am trying to get some scripting ready for Granular Delegated Admin Permissions (GDAP), which we are all forced to change to from DAP this year, and I am really struggling to work out how to get this working to access customer tenants.

I have created an app in our CSP tenant with the relevant permissions. It has the relevant Graph permissions (like Directory.Read.All) and Partner Center user impersonation.

Global admin has granted consent.

I can generate access tokens and connect to Graph for our own tenant, along with querying contracts etc. to get a list of all our customer tenants. However, it seems impossible to connect to a customer's MS Graph when using GDAP.

For a tenant that is still on DAP, I can use

https://login.microsoftonline.com/<customer tenant ID>/oauth2/v2.0/token

to get an access token, and then Graph will respond for their tenant.

But if I do the same for a tenant that has GDAP, I get:

{
  "error": {
    "code": "Authorization_IdentityNotFound",
    "message": "The identity of the calling application could not be established.",
    "innerError": {
      "date": "2022-05-30T11:24:11",
      "request-id": "aa4d75a5-03ed-4f5a-811d-e09e63e346ed",
      "client-request-id": "aa4d75a5-03ed-4f5a-811d-e09e63e346ed"
    }
  }
}

The Azure AD app's service principal is in the group which has been given access to the tenant with a user management role, so it can access MS Graph to get a list of users. But I just get the above error.

Struggling to find anything online and not sure where to go from here.

Hope someone has some insight into how to make this work.

JanoschUlmer
Microsoft

Btw, if you have questions and need help with the GDAP API or the Secure App Model with GDAP, feel free to raise an advisory ticket with our team: https://aka.ms/technicalservices

If you have an ASfP or PSfP support plan, you can also request that a cloud consult is opened on those topics.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
KoenHalfwerk
Level 1 Contributor
Leon-anspired
Level 2 Contributor

Yes, that's how you set up the GDAP relationship.

The GUID you are looking at, I believe, is the GUID of the specific GDAP relationship you are creating.

As you can add multiple GDAP relationships with different requested permissions, it's the GUID for the specific one.

Hope that helps you.

BTW, I worked out my issue: with GDAP it only works with delegated permissions and not application permissions. So you must add the API permissions as delegated, and you have to get a refresh token to access customer tenants.

Glenndsq
Level 3 Contributor

Any chance you could elaborate on this a little?

"BTW, I worked out my issue: with GDAP it only works with delegated permissions and not application permissions. So you must add the API permissions as delegated, and you have to get a refresh token to access customer tenants."

Trying to connect to Graph, I keep getting:

The user or administrator has not consented to use the application with ID '#######-####-####-####-#######0' named 'TestApp'. Send an interactive authorization request for this user and resource.

Leon-anspired
Level 2 Contributor

Yeah, sure.

So you have to use the authorization code flow to get a refresh token, and use that for everything. You cannot use application credentials for it.

Whatever user you grant permissions with, that user needs to be in the relevant GDAP permissions for the customer tenant (not the app or service principal, only the user used to grant with).

The first part is getting and storing your refresh token; from there you can get access tokens and customer access tokens freely.

This is on the common endpoint - https://login.microsoftonline.com/common/oauth2/v2.0/token

1. Auth your app with the code flow grant so you get the auth code back.

2. Use the authorization code to get an access token (and a refresh token if you use offline_access).

3. Use the refresh token to get future access tokens for use.

Now, when you are doing something against Partner Center, you just use the common endpoint - https://login.microsoftonline.com/common/oauth2/v2.0/token

When you want to do something against Azure or similar, you request an access token from the end customer's tenant endpoint:

https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token

And this access token will be related to the customer tenant, i.e. if you do that with a scope of https://graph.microsoft.com/.default you can then call MS Graph APIs for that customer tenant.

Hope that gives you enough info

Thanks for your advice on this vexing issue.

We have set up a GDAP relationship with this tenant, giving permission to the AdminAgents group in the Partner Portal for this tenant. I used my partner account AAD user to create the initial auth request using

The issued auth code was then used to create a refresh token using the common endpoint.

We can use the refresh token to obtain an access token in our partner tenant. When attempting to obtain an access token in a GDAP-enabled customer tenant we receive:

AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' named 'Partner Center Application'. Send an interactive authorization request for this user and resource.

Do you have any suggestions on where we may be going astray?
Leon-anspired
Level 2 Contributor

The user that you authed it with must be in the group that has GDAP access to the customer, or it won't work.

And you need to be getting the access token against the customer tenant and then using it.

You must be using grant_type = refresh_token,

so you would have client_id/client_secret/scope/grant_type/refresh_token.

i.e. use your refresh token with the MS Graph scope against

https://login.microsoftonline.com/<customertenantid>/oauth2/v2.0/token

That access token will then have access to the customer graph.
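
The flow laid out in the two replies above (authorization code on /common, refresh token, then a refresh_token grant against the customer's own tenant endpoint) as one end-to-end PowerShell script. This is an added example, not code from the thread or from Microsoft. The client ID, customer tenant ID, redirect URI and the GDAP_CLIENT_SECRET environment variable are placeholders you replace; the state check, the tid check on the returned token and the final Graph call are my additions for illustration, not steps the posters described.

```powershell
# Added example (not from the thread): GDAP token flow via delegated permissions.
# Assumptions (replace): $ClientId, $CustomerTenantId, $RedirectUri, and the app
# secret in $env:GDAP_CLIENT_SECRET. The app registration needs *delegated* Graph
# permissions consented, and the signing-in user must be in the security group
# assigned in the customer's GDAP relationship.
$ErrorActionPreference = 'Stop'

$ClientId         = '00000000-0000-0000-0000-000000000000'   # placeholder: app (client) ID
$CustomerTenantId = '11111111-1111-1111-1111-111111111111'   # placeholder: customer tenant ID
$RedirectUri      = 'http://localhost'                       # assumption: registered on the app
$ClientSecret     = $env:GDAP_CLIENT_SECRET                  # keep it out of the script and history
if (-not $ClientSecret) { throw 'Set GDAP_CLIENT_SECRET before running.' }

function Invoke-TokenRequest {
    param([string] $Tenant, [hashtable] $Body)
    # The v2.0 token endpoint is tenant-scoped: 'common' returns the partner-side tokens,
    # the customer's tenant ID returns a token whose 'tid' is the customer, which is what
    # Graph needs in order to answer for that customer.
    Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body $Body
}

function Get-JwtClaims {
    param([string] $Jwt)
    # Decode the JWT payload (no signature check; used only to inspect 'tid' before calling Graph).
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Step 1: authorization code request on /common. offline_access is what gets a refresh
# token back; .default requests every delegated Graph permission consented on the app.
$Scope = 'https://graph.microsoft.com/.default offline_access'
$State = [guid]::NewGuid().ToString()    # random state, checked on return so a planted code is rejected
$authorizeUrl = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?' + (@(
    "client_id=$ClientId"
    'response_type=code'
    'response_mode=query'
    "redirect_uri=$([uri]::EscapeDataString($RedirectUri))"
    "scope=$([uri]::EscapeDataString($Scope))"
    "state=$State"
) -join '&')

Write-Host "Open this URL and sign in as a user who is in the GDAP security group:`n$authorizeUrl"
$returned = Read-Host -Prompt 'Paste the full redirect URL from the browser address bar'
$query = @{}
foreach ($pair in ([uri]$returned).Query.TrimStart('?').Split('&')) {
    $key, $value = $pair.Split('=', 2)
    $query[$key] = [uri]::UnescapeDataString($value)
}
if ($query['error'])            { throw "$($query['error']): $($query['error_description'])" }
if ($query['state'] -ne $State) { throw 'state mismatch: the code did not come from this request, aborting' }

# Step 2: redeem the code on /common for the partner-side access token plus the refresh token.
$partnerTokens = Invoke-TokenRequest -Tenant 'common' -Body @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    grant_type    = 'authorization_code'
    code          = $query['code']
    redirect_uri  = $RedirectUri
    scope         = $Scope
}
$refreshToken = $partnerTokens.refresh_token
# This refresh token reaches every customer the signed-in user is delegated to.
# Persist it in a secret store (e.g. Key Vault), never in a script or a plain file.

# Step 3: redeem the refresh token against the customer's tenant endpoint. This is the
# call the thread reports failing (AADSTS65001) when the signed-in user is not covered
# by the customer's GDAP relationship.
$customerTokens = Invoke-TokenRequest -Tenant $CustomerTenantId -Body @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    grant_type    = 'refresh_token'
    refresh_token = $refreshToken
    scope         = 'https://graph.microsoft.com/.default'
}
if ($customerTokens.refresh_token) { $refreshToken = $customerTokens.refresh_token }  # may be rotated; keep the newest

$claims = Get-JwtClaims -Jwt $customerTokens.access_token
if ($claims.tid -ne $CustomerTenantId) { throw "Token is for tenant $($claims.tid), not the customer." }

# Call Graph in the customer tenant with the customer-scoped token.
$users = Invoke-RestMethod `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName&$top=5' `
    -Headers @{ Authorization = "Bearer $($customerTokens.access_token)" }
$users.value | Format-Table displayName, userPrincipalName
```

Run it in Windows PowerShell 5.1 or PowerShell 7 with the redirect URI matching the app registration exactly. The refresh token returned at step 2 is the long-lived credential that every later customer-tenant token is minted from, so treat its storage and rotation the way you would an admin password; the tid check is there so a misconfigured tenant ID cannot quietly hand you a token for your own tenant and have the Graph call succeed against the wrong directory.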

ClaudioStallone
Level 6 Contributor

Hello @Leon-anspired

Do you have any example that you can share with us?

With this we get an error only with GDAP customers:

$tenantId = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"   # customer tenant ID

$authBody = @{
    client_id     = "xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"
    client_secret = "XXXXX"
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "refresh_token"
    refresh_token = "XXXXXXX"
}

# Token endpoint of the customer tenant, so the returned token is scoped to that customer
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

# Invoke-RestMethod parses the JSON response; the token itself is the access_token property
$tokenResponse = Invoke-RestMethod -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $authBody -Method Post
$accessToken = $tokenResponse.access_token

[Screenshot: error response]

Leon-anspired
Level 2 Contributor

Your call looks correct. What permissions do you have in your app? Application permissions do not work with GDAP; the permissions must be delegated permissions, i.e. Global Reader (delegated).

I suspect this may be your problem.

If it is, add the delegated permission and redo the auth grant and try it again.

ClaudioStallone
Level 6 Contributor

Here is the overview of the permissions, we have already set the delegated permissions:

[Screenshots: API permissions overview]

Leon-anspired
Level 2 Contributor

And whatever username you granted the access with, is it added to the GDAP permissions? That account needs to be added to the GDAP of the customer tenant.

ClaudioStallone
Level 6 Contributor

Yes, the user account and the service principal of the Azure app have been added to the GDAP permissions via the security group.

Glenndsq
Level 3 Contributor

Thank you so much for this.

Not too sure about the authorisation code flow bit.

How do I do this: "Auth your app with the code flow grant so you get the auth code back"?

I thought I had done this, but it doesn't work, so I must be missing something. 😞

Thanks in advance for any response.

Leon-anspired
Level 2 Contributor

KoenHalfwerk
Level 1 Contributor

Ah, it's a GDAP-specific relationship GUID; I was hoping for a customer-specific role ID (so not the template ID).

I'll have to figure out the GDAP API.

That way I could at least automate part of the process; we'd need 8 roles for 180 customers :`(

I'll just have to dig deeper to find the API documentation, as the PowerShell module won't be updated for GDAP.