I'm trying to use Secure Application Model with MsOnline, I've got it working for creating access tokens for Arm, Aad and MsGraph API, with those connect with Az.Accounts module and AzureAD module, but can't get MsOnline working.
- The app I created have these permissions:
- The app registration is member of the "AdminAgents" AAD group on partner tenant.
- I'm conscenting with a global admin in the partner tenant that also have admin access to all customer tenants.
I'm trying to connect as such:
#Requires -Modules Az.Accounts,AzureAD,MsOnline,PartnerCenter
# Assets
## Both scenarios
$TenantId = [string](Read-Host -Prompt 'TenantId')
$AppRegistration = [PSCredential](Get-Credential)
## Already have RefreshToken
$RefreshToken = [string](Read-Host -Prompt 'RefreshToken')
## Don't already have Refresh Token - Create partner access token
$PartnerTenantId = [string](Read-Host -Prompt 'Partner TenantId')
$PartnerToken = New-PartnerAccessToken -Tenant $PartnerTenantId -ApplicationId $AppRegistration.'UserName' -Credential $AppRegistration -ServicePrincipal -UseAuthorizationCode -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation'
$RefreshToken = $PartnerToken.'RefreshToken'
# Get access token
$null = $(
[hashtable]@{
'AadToken' = 'https://graph.windows.net/.default'
'ArmToken' = 'https://management.azure.com/.default'
'MsgToken' = 'https://graph.microsoft.com/.default'
}
).GetEnumerator().ForEach{
$null = Set-Variable -Force -Name $_.'Name' -Value (
New-PartnerAccessToken -Scopes $_.'Value' -Tenant $TenantId -ApplicationId $AppRegistration.'UserName' -Credential $AppRegistration -RefreshToken $RefreshToken -ServicePrincipal
)
}
# Connect
$null = Connect-AzureAD -TenantId $TenantId -AccountId $AadToken.'Account'.'Username' -AadAccessToken $AadToken.'AccessToken' -MsAccessToken $MsgToken.'AccessToken'
$AzContext = Connect-AzAccount -Tenant $TenantId -AccountId $AadToken.'Account'.'Username' -AccessToken $ArmToken.'AccessToken' -GraphAccessToken $AadToken.'AccessToken'
$null = Connect-MsolService -AdGraphAccessToken $AadToken.'AccessToken' -MsGraphAccessToken $MsgToken.'AccessToken' -AzureEnvironment 'AzureCloud'
Problem:
- If I put the partner tenant as the $TenantId, MsOnline connects successfully.
- If I put a CSP customer tenant as the $TenantId, MsOnline does not connect successfully.
Connect-MsolService : An unexpected error occurred.
At line:1 char:14
+ ... null = Connect-MsolService -AdGraphAccessToken $AadToken.'Access ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
At line:1 char:14
+ ... null = Connect-MsolService -AdGraphAccessToken $AadToken.'Access ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.MicrosoftOnlineException,Microsoft.Online.Administration.Automation.ConnectMsolService
Resources:
- "Exchange Online and the Secure App Model"
https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Exchange-Online-and-the-Secure-App-Model/td-p/11771 - "Secure Application Model and AzureRM"
https://www.microsoftpartnercommunity.com/t5/Secure-Application-Model/Secure-Application-Model-and-AzureRM/m-p/13445 - https://www.cyberdrain.com/connect-to-exchange-online-automated-when-mfa-is-enabled-using-the-secureapp-model/
1 ACCEPTED SOLUTION
