
Secure Application Model

Learn and ask questions on how to implement secure application model

VestonPance
Level 2 Contributor

Secure Application Model and AzureRM

Has anyone been able to get delegated access to a customer tenant using Secure Application Model and the AzureRm module?

The process of requesting tokens and using them to authenticate via Connect-AzureRmAccount seems to work fine, but on issuing a command post-login, e.g. Get-AzureRmResourceGroup, I get the error

"Your access token has expired. Please renew it before submitting the request."

 

Running the same process but using Connect-AzAccount instead of Connect-AzureRmAccount appears to work as expected.

Is it just me? Or has anyone else seen the same? 

The examples in https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5 suggest that both modules should work.

1 ACCEPTED SOLUTION
VestonPance
Level 2 Contributor

I'm looking to move to using AZ but I'm sure you can appreciate that there's a lot of testing required to migrate, whereas a quick win is to be able to continue to use AzureRM, if only in the short-term.

 

I have been able to successfully use Connect-AzureRMAccount with tokens with a combination of these modules:

AzureRm 6.13.1

AzureRm.Profile 5.8.3

PartnerCenter 2.0.1909.5

 

# Azure Resource Manager token for the customer tenant, redeemed from the stored refresh token
$azureToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $customerTenantId
# Graph token, passed to Connect-AzureRmAccount via -GraphAccessToken
$graphToken = New-PartnerAccessToken -ApplicationId $appId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $customerTenantId
# -AccountId is the CSP (partner) tenant user the refresh token was issued to; -TenantId is the customer tenant
Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken -AccountId veston.pance@csptenant.onmicrosoft.com -TenantId $customerTenantId

 


JanoschUlmer
Microsoft

I can confirm I have seen this for multiple Partners right now - without having found a solution yet. Generally it seems to be a bug, and support could be the right resource to help - if there is a chance to switch to the Az module I would recommend doing this instead, since it saves some effort to go through troubleshooting with support.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)

JFurnari
Visitor 1

I am running into an issue when trying to get an azure token:

 

 

$azureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $token.RefreshToken -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $customer.CustomerContextId
New-PartnerAccessToken : AADSTS65001: The user or administrator has not consented to use the application with ID 'bb996cab-4c53-49e1-acbb-611866bac9d7' named 'WorkingApp'. Send an interactive authorization request for this user and resource.
Trace ID: 186e91e2-ca22-4aa2-a2bd-d7c1bf5dbd00
Correlation ID: 346c93c2-5a2a-45e0-961f-df14c5968b22
Timestamp: 2020-05-01 18:26:51Z
At line:1 char:15
+ ... zureToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Cre ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-PartnerAccessToken], MsalUiRequiredException
    + FullyQualifiedErrorId : Microsoft.Store.PartnerCenter.PowerShell.Commands.NewPartnerAccessToken

 

 

When I try to do the interactive login, it doesn't work either:

 
New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -Scopes 'https://management.azure.com/user_impersonation' -ServicePrincipal -Tenant $customer.CustomerContextId -UseAuthorizationCode
WARNING: Attempting to launch a browser for authorization code login.
WARNING: We have launched a browser for you to login. For the old experience with device code flow, please run 'New-PartnerAccessToken -UseDeviceAuthentication'.


But in the browser it posts:
 
Need pre-consent
WorkingApp

Placeholder text that is of similar expected length as what we will likely receive from the PMs. Fill this in once the new string is available for use.

 

olavrb
Level 3 Contributor

I'm also facing this issue now, trying to get an AAD refresh token into a customer tenant.

I thought the error was due to the app not being pre-consented; by that I thought it meant adding the service principal of the app in question to the "AdminAgents" AAD group on the partner tenant. But my app is already in that group. So I don't know what's wrong right now.

 

Edit: Solved my problem by adding MS graph permission to the app in question, "Directory.AccessAsUser.All".

dmcloughlin
Visitor 1

I'm facing this same issue now, be it through the browser or via PowerShell.

 

Please can someone share exactly how they got this working? How was the AAD app configured, which PowerShell commands were used and with what versions?

 

It would be really, really appreciated. If I had hair I'd be pulling it out over this one!

 

Thanks.

JeremyTBradshaw
Level 2 Contributor

#Updated reply

 

@olavrb thanks very much.  I also got my issue resolved by granting the Microsoft Graph delegated API permission 'Directory.AccessAsUser.All'.  The same permission was granted by the script from the docs article, but only for the 'Azure Active Directory Graph (3)' API.  I'm going to open a GitHub issue on that docs page.

 

The one I mean is the Partner Center PowerShell v1.5 version of the Secure App Model docs page:

https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5#azure-ad-application

sansbacher
Level 6 Contributor

I've not tried AzureRm specifically - you should switch to the Az module anyway.

 

But the message implies the AccessToken has expired.

 

AccessTokens are only good for 60 mins after being issued. RefreshTokens are good for 90 days after being issued. You use a RefreshToken to request an AccessToken - which you can use for 1 hour before you need to request another one. Note: when you request an AccessToken you also get back a new RefreshToken; if you request an AccessToken every 30 days (even if you never use it) and store the new RefreshToken, you can avoid having to go through the Consent process again (until your AzureAD App secret expires in 1 or 2 years).

 

But you should not be storing AccessTokens (except in a variable for use within a script executing at that time). Are you using a fresh AccessToken in your script? Is your script taking more than 60 mins to execute?

 

  --Saul
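The lifetime rules Saul describes, applied to the accepted solution's Connect-AzureRmAccount flow, as an added example (not code from the thread or from the PartnerCenter module): it reads the access token's own 'exp' claim so a stale token is caught before Azure rejects it, and persists the rotated refresh token on every request. Assumed placeholders: $appId, $credential, $customerTenantId, $cspAccountId (the CSP tenant user) and $refreshTokenFile (a protected file; a vault such as Azure Key Vault is the better store in practice).

```powershell
# Added example, not code from the thread or the PartnerCenter module.
# Assumes $appId, $credential, $customerTenantId, $cspAccountId and
# $refreshTokenFile are already defined (placeholders, see lead-in).

function Get-JwtExpiry {
    # Decode the 'exp' claim of a JWT access token; returns a UTC DateTime.
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = ($Jwt -split '\.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    return [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
}

function Test-AccessTokenFresh {
    # True when the token still has at least $MinMinutes of lifetime left.
    param([Parameter(Mandatory)][string]$Jwt, [int]$MinMinutes = 5)
    $left = (Get-JwtExpiry -Jwt $Jwt) - [DateTime]::UtcNow
    return $left.TotalMinutes -ge $MinMinutes
}

function Get-DelegatedToken {
    # Redeem the stored refresh token for one scope and persist the rotated
    # refresh token, so the 90-day window keeps sliding without re-consent.
    param([Parameter(Mandatory)][string]$Scope)
    $refreshToken = (Get-Content -Path $refreshTokenFile -Raw).Trim()
    $token = New-PartnerAccessToken -ApplicationId $appId -Credential $credential `
        -RefreshToken $refreshToken -Scopes $Scope -ServicePrincipal -Tenant $customerTenantId
    if ($token.RefreshToken -and $token.RefreshToken -ne $refreshToken) {
        Set-Content -Path $refreshTokenFile -Value $token.RefreshToken -NoNewline
    }
    if (-not (Test-AccessTokenFresh -Jwt $token.AccessToken)) {
        throw "Access token for $Scope is already (nearly) expired: $(Get-JwtExpiry -Jwt $token.AccessToken) UTC"
    }
    return $token
}

$azureToken = Get-DelegatedToken -Scope 'https://management.azure.com/user_impersonation'
$graphToken = Get-DelegatedToken -Scope 'https://graph.microsoft.com/.default'
Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken `
    -AccountId $cspAccountId -TenantId $customerTenantId

# Long-running scripts: re-check before each batch of work and reconnect when
# the one-hour access token is about to run out, instead of reusing a stale one.
if (-not (Test-AccessTokenFresh -Jwt $azureToken.AccessToken -MinMinutes 10)) {
    $azureToken = Get-DelegatedToken -Scope 'https://management.azure.com/user_impersonation'
    Connect-AzureRmAccount -AccessToken $azureToken.AccessToken -GraphAccessToken $graphToken.AccessToken `
        -AccountId $cspAccountId -TenantId $customerTenantId
}
```

Checking 'exp' locally only tells you whether the token is stale; a token that is fresh by this check but still rejected points at the module bug discussed in the thread rather than at expiry.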