MS Graph and Partner GDAP - access customer tenant via graph
I am trying to get some scripting ready for Granular Delegated Admin Permissions (GDAP), which we are all forced to change to from DAP this year, and I am really struggling to work out how to get this working to access customer tenants.
I have created an app in our CSP tenant with the relevant permissions. It has the relevant Graph permissions (like Directory.Read.All) and Partner Center user impersonation.
Global admin has granted consent.
I can generate access tokens and connect to Graph for our own tenant, along with querying contracts etc. to get a list of all our customer tenants. However, it seems impossible to connect to a customer's MS Graph when using GDAP.
For a tenant that is still on DAP, I can use
https://login.microsoftonline.com/<customer tenant ID>/oauth2/v2.0/token
to get an access token, and then Graph will respond for their tenant.
But if I do the same for a tenant that has GDAP, I get:
"message": "The identity of the calling application could not be established.",
The Azure AD app service principal is in the group which has been given access to the tenant.
It has the user management role, so it can access MS Graph to get a list of users, but I just get the above error.
Struggling to find anything online and not sure where to go from here.
Hope someone has some insight into how to make this work.
BTW, if you have questions and need help with the GDAP API or Secure App Model with GDAP, feel free to raise an advisory ticket with our team: https://aka.ms/technicalservices.
If you have an ASfP or PSfP support plan, you can also request that a cloud consult is opened on those topics (receive consultations via the Technical Presales and Deployment Services team).
Have you created a new admin consent?
I'm trying to figure out what the first GUID is in the URL.
Yes, that's how you set up the GDAP relationship.
That GUID you are looking at, I believe it's the GUID of the specific GDAP relationship you are creating.
As you can add multiple GDAP relationships with different requested permissions, it's the GUID for the specific one.
Hope that helps you
BTW, I worked out my issue: with GDAP it only works with delegated permissions and not application permissions. So you must add the API permissions as delegated, and you have to get a refresh token to access customer tenants.
Any chance you could elaborate on this a little.
"BTW, worked out my issue, with GDAP it only works with delegated permissions and not application permissions. So you must add the api permissions as delegated and you have to get a refresh token to access customer tenants."
Trying to connect to graph and keep getting :
The user or administrator has not consented to use the application with ID '#######-####-####-####-#######0' named 'TestApp'. Send an interactive authorization request for this user and resource.
So you have to use the authorization code flow to get a refresh token and use that for everything. You cannot use application credentials for it.
Whatever user you grant permissions with, that user needs to be in the relevant GDAP permissions for the customer tenant (not the app or service principal, only the user used to grant with).
First part is getting and storing your refresh token, from there you can get access tokens and customer access tokens freely.
This is on the common endpoint - https://login.microsoftonline.com/common/oauth2/v2.0/token
1. Authenticate your app with the authorization code grant so you get the auth code back.
2. Use the authorization code to get an access token (and a refresh token if you use offline_access).
3. Use the refresh token to get future access tokens for use.
Now, when you are doing something against partner center you just use the common endpoint - https://login.microsoftonline.com/common/oauth2/v2.0/token
When you want to do something against Azure or similar, you will request an access token from the end customer tenant endpoint,
and this access token will be related to the customer tenant.
i.e. if you do that with a scope of https://graph.microsoft.com/.default - you can then call MSGraph api's for that customer tenant.
Hope that gives you enough info
Thanks for your advice on this vexing issue.
The user that you authed it with must be in the group that has GDAP access to the customer, or it won't work.
And you need to be getting the access token against the customer tenant and then using it.
You must be using grant_type = refresh_token,
so you would have client_id / client_secret / scope / grant_type / refresh_token,
i.e. use your refresh token and use the MS Graph scope.
That access token will then have access to the customer Graph.
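The flow described in the two replies above (authorization code grant with offline_access on the common endpoint, then redeeming the refresh token against the customer tenant endpoint), written out end to end as an added PowerShell 7 example. This is not code from the thread or from Microsoft; the client ID, secret, redirect URI, customer tenant ID and the Get-CustomerGraphToken helper are placeholders and assumptions. It assumes the app registration carries delegated Graph permissions (e.g. User.Read.All) and that the user who signs in is a member of the security group assigned in the customer's GDAP relationship.

```powershell
# Added example, not the poster's code. Placeholders: replace with your own values.
$ClientId         = '00000000-0000-0000-0000-000000000000'   # app registration in the CSP tenant (placeholder)
$ClientSecret     = 'replace-me'                              # client secret (placeholder; load from a vault in practice)
$RedirectUri      = 'http://localhost:8400/'                  # must match a redirect URI on the app registration (placeholder)
$CustomerTenantId = '11111111-1111-1111-1111-111111111111'   # one of the tenants returned by your contracts query (placeholder)

$Common = 'https://login.microsoftonline.com/common/oauth2/v2.0'

# Step 1: authorization request on the common endpoint. 'offline_access' is what makes the token
# endpoint hand back a refresh token; without it step 3 has nothing to redeem.
$Scopes  = 'https://graph.microsoft.com/.default offline_access'
$State   = [guid]::NewGuid().Guid
$AuthUrl = "$Common/authorize?client_id=$ClientId&response_type=code&response_mode=query" +
           "&redirect_uri=$([uri]::EscapeDataString($RedirectUri))" +
           "&scope=$([uri]::EscapeDataString($Scopes))&state=$State"
Write-Host "Open this URL and sign in as a user who is in the GDAP security group:`n$AuthUrl"
$Code = Read-Host 'Paste the value of the "code" query parameter from the redirect'

# Step 2: exchange the code for an access token plus refresh token (still the common endpoint).
$TokenResponse = Invoke-RestMethod -Method Post -Uri "$Common/token" -ContentType 'application/x-www-form-urlencoded' -Body @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    grant_type    = 'authorization_code'
    code          = $Code
    redirect_uri  = $RedirectUri
    scope         = $Scopes
}
# The refresh token is the long-lived credential for every customer tenant: store it like a password.
$RefreshToken = $TokenResponse.refresh_token

# Step 3: redeem the refresh token against the *customer* tenant's endpoint with the Graph scope.
# Hypothetical helper, not a Microsoft API.
function Get-CustomerGraphToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$RefreshToken
    )
    $r = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body @{
            client_id     = $ClientId
            client_secret = $ClientSecret
            grant_type    = 'refresh_token'
            refresh_token = $RefreshToken
            scope         = 'https://graph.microsoft.com/.default'
        }
    return $r.access_token
}

$CustomerToken = Get-CustomerGraphToken -TenantId $CustomerTenantId -RefreshToken $RefreshToken

# Sanity check before using the token: decode the JWT payload and confirm the 'tid' claim is the
# customer tenant. A token minted for your own CSP tenant would fail later with a confusing error.
$Payload = $CustomerToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
$Payload += '=' * ((4 - $Payload.Length % 4) % 4)
$Claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
if ($Claims.tid -ne $CustomerTenantId) { throw "Token is for tenant $($Claims.tid), expected $CustomerTenantId" }

# Call Graph in the customer tenant; the delegated User.Read.All permission is effective only because
# the signed-in user holds a GDAP role there.
$Users = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName&$top=5' `
    -Headers @{ Authorization = "Bearer $CustomerToken" }
$Users.value | Format-Table displayName, userPrincipalName
```

Each refresh_token grant returns a new refresh token alongside the access token; persist the new one and discard the old, and keep it in a secret store rather than a script file, since anyone holding it can mint Graph tokens for every customer tenant the user has GDAP access to. If step 3 fails with the "identity of the calling application could not be established" error from the original post, the usual causes are application permissions instead of delegated ones on the app, or the signing-in user not being in the GDAP security group for that customer.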
Do you have any example that you can share with us?
With this we get an error only with GDAP customers:
$accessToken = Invoke-WebRequest -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $authBody -Method Post
Your call looks correct. What permissions do you have in your app? Application permissions do not work with GDAP; the permissions must be delegated permissions, e.g. Global Reader (delegated).
I suspect this may be your problem.
If it is, add the delegated permission and redo the auth grant and try it again.
Thank you so much for this.
Not too sure about the authorisation code flow bit.
How do I do this "Auth your app with the code flow grant so you get the auth code back"
I thought I had done this but it doesn't work so I must be missing something. 😞
Thanks in advance for any response.
It's the standard flow you need to do to use the app.
That should give you all the info
Ah, it's a GDAP-specific relationship GUID. I was hoping for a customer-specific role ID (so not the template ID).
I'll have to figure out the GDAP API.
That way I could at least automate part of the process; we'd need 8 roles for 180 customers :`(. I'll just have to dig deeper to find the API documentation, as the PowerShell module won't be updated for GDAP.
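For the bulk-creation problem in the post above (many roles across many customers, with no PowerShell module to lean on), here is an added PowerShell 7 example that drives the Microsoft Graph delegatedAdminRelationships API directly. It is not the poster's code or a Microsoft sample. Assumptions: $PartnerToken is a Graph token for the CSP tenant obtained with the delegated DelegatedAdminRelationship.ReadWrite.All permission (the same delegated-only constraint the thread describes for Graph access), the customer list and role names are placeholders, and the request body field names and the customer approval link follow the Graph reference for the delegatedAdminRelationship resource as I know it; verify them against the current documentation before running this against real tenants.

```powershell
# Added example, not code from the thread. Creates one GDAP relationship per customer and locks it
# for approval; nothing is granted until the customer's Global Admin approves the invitation.
$PartnerToken = Read-Host 'Paste a Graph access token for the CSP tenant (delegated DelegatedAdminRelationship.ReadWrite.All)'
$Graph   = 'https://graph.microsoft.com/v1.0'
$Headers = @{ Authorization = "Bearer $PartnerToken"; 'Content-Type' = 'application/json' }

# Placeholder customer list; in practice feed this from the contracts query mentioned in the thread.
$Customers = @(
    @{ TenantId = '11111111-1111-1111-1111-111111111111'; Name = 'Contoso' }
    @{ TenantId = '22222222-2222-2222-2222-222222222222'; Name = 'Fabrikam' }
)

# Least privilege: request only the roles the automation actually uses, not Global Administrator.
$RoleNames = @('Global Reader', 'User Administrator', 'License Administrator')

# Resolve role template IDs by display name from the partner tenant instead of hard-coding GUIDs.
$Templates    = (Invoke-RestMethod -Uri "$Graph/directoryRoleTemplates" -Headers $Headers).value
$UnifiedRoles = foreach ($n in $RoleNames) {
    $t = $Templates | Where-Object displayName -eq $n
    if (-not $t) { throw "Role template '$n' not found" }
    @{ roleDefinitionId = $t.id }
}

$Results = foreach ($c in $Customers) {
    $body = @{
        displayName   = "$($c.Name) GDAP $(Get-Date -Format yyyyMMdd)"   # must be unique within the partner tenant
        duration      = 'P730D'                                            # ISO 8601; 730 days is the documented maximum
        customer      = @{ tenantId = $c.TenantId }
        accessDetails = @{ unifiedRoles = @($UnifiedRoles) }
    } | ConvertTo-Json -Depth 5

    # 1. Create the relationship (status 'created').
    $rel = Invoke-RestMethod -Method Post -Uri "$Graph/tenantRelationships/delegatedAdminRelationships" `
        -Headers $Headers -Body $body

    # 2. Move it to 'approvalPending'; the PATCH needs the ETag of the object just created.
    $null = Invoke-RestMethod -Method Patch -Uri "$Graph/tenantRelationships/delegatedAdminRelationships/$($rel.id)" `
        -Headers ($Headers + @{ 'If-Match' = $rel.'@odata.etag' }) `
        -Body (@{ status = 'approvalPending' } | ConvertTo-Json)

    # 3. Hand this link to the customer's Global Admin (approval-link format per the Graph docs; assumption).
    [pscustomobject]@{
        Customer       = $c.Name
        RelationshipId = $rel.id
        ApprovalLink   = "https://admin.microsoft.com/AdminPortal/Home#/partners/invitation/granularAdminRelationships/$($rel.id)"
    }
}

$Results | Format-Table -AutoSize
```

Once a customer approves, the relationship alone grants nobody anything: you still POST an access assignment under that relationship that maps a security group in your partner tenant to a subset of the requested roles, and the user who signs in for the token flow earlier in the thread must be a member of that group. Keep the relationship and assignment IDs from the output, since the same API is what you use to extend, reduce or terminate the relationship later.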