Secure Application Model

Learn and ask questions on how to implement secure application model

Level 2 Contributor

Secure Application Model and MsOnline - Can't get it to work

I'm trying to use Secure Application Model with MsOnline. I've got it working for creating access tokens for the Arm, Aad and MsGraph APIs, and connecting with those using the Az.Accounts module and the AzureAD module, but I can't get MsOnline working.

  • The app I created has these permissions:
    (screenshot of the app registration's API permissions)
  • The app registration is a member of the "AdminAgents" AAD group on the partner tenant.
  • I'm consenting with a global admin in the partner tenant that also has admin access to all customer tenants.

I'm trying to connect as such:

#Requires -Modules Az.Accounts,AzureAD,MsOnline,PartnerCenter


# Assets
## Both scenarios
$TenantId        = [string](Read-Host -Prompt 'TenantId')
## UserName = application (client) ID of the app registration, Password = its client secret
$AppRegistration = [PSCredential](Get-Credential)
## Already have RefreshToken (leave empty to create one below)
$RefreshToken    = [string](Read-Host -Prompt 'RefreshToken')
## Don't already have Refresh Token - Create partner access token (interactive authorization code flow, run once)
if ([string]::IsNullOrWhiteSpace($RefreshToken)) {
    $PartnerTenantId = [string](Read-Host -Prompt 'Partner TenantId')
    $PartnerToken    = New-PartnerAccessToken -Tenant $PartnerTenantId -ApplicationId $AppRegistration.'UserName' -Credential $AppRegistration -ServicePrincipal -UseAuthorizationCode -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation'
    $RefreshToken    = $PartnerToken.'RefreshToken'
}


# Get access token
## One access token per resource, redeemed from the refresh token against $TenantId.
## The results land in $AadToken, $ArmToken and $MsgToken (the hashtable keys).
$null = $(
    [hashtable]@{
        'AadToken' = 'https://graph.windows.net/.default'
        'ArmToken' = 'https://management.azure.com/.default'
        'MsgToken' = 'https://graph.microsoft.com/.default'
    }
).GetEnumerator().ForEach{
    $null = Set-Variable -Force -Name $_.'Name' -Value (
        New-PartnerAccessToken -Scopes $_.'Value' -Tenant $TenantId -ApplicationId $AppRegistration.'UserName' -Credential $AppRegistration -RefreshToken $RefreshToken -ServicePrincipal
    )
}


# Connect
$null      = Connect-AzureAD -TenantId $TenantId -AccountId $AadToken.'Account'.'Username' -AadAccessToken $AadToken.'AccessToken' -MsAccessToken $MsgToken.'AccessToken'
$AzContext = Connect-AzAccount -Tenant $TenantId -AccountId $AadToken.'Account'.'Username' -AccessToken $ArmToken.'AccessToken' -GraphAccessToken $AadToken.'AccessToken'
$null      = Connect-MsolService -AdGraphAccessToken $AadToken.'AccessToken' -MsGraphAccessToken $MsgToken.'AccessToken' -AzureEnvironment 'AzureCloud'

Problem:

  • If I put the partner tenant as the $TenantId, MsOnline connects successfully.
  • If I put a CSP customer tenant as the $TenantId, MsOnline does not connect successfully.

Connect-MsolService : An unexpected error occurred.
At line:1 char:14
+ ... null      = Connect-MsolService -AdGraphAccessToken $AadToken.'Access ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
 
Connect-MsolService : Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown.
At line:1 char:14
+ ... null      = Connect-MsolService -AdGraphAccessToken $AadToken.'Access ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.MicrosoftOnlineException,Microsoft.Online.Administration.Automation.ConnectMsolService

1 ACCEPTED SOLUTION
Level 2 Contributor

I figured it out myself. I think I've found this out earlier as well, but I forgot how MsOnline works: you just log in with a user/app that has AOBO permissions into other tenants, then you run commands, like Get-MsolUser, and specify what tenant ID to run it against. Case closed.

@Lewis-H 

That's not helping. Besides, I'm doing this to create automation with no user input, so I cannot use a script made for interaction, which is what it looks like you are referring to.

2 REPLIES
Level 4 Contributor

Usage is very simple. Just start the script with the following arguments.

-tenantDomain azurescene.onmicrosoft.com
-vaultName theNameOfYourKeyVault
-AzureADCon $true (connect with AzureAD?)
-AzCon $true (connect with Az?)
-MSolCon $true (connect to MS Online?)
-ExchangeCon $true (connect to Exchange Online?)

[cmdletbinding()]
param (
    [Parameter(
        Mandatory = $true,
        HelpMessage = "customer.onmicrosoft.com",
        Position = 1
    )][string] $TenantDomain,
    [Parameter(
        Mandatory = $true,
        HelpMessage = "Name of the Azure Key Vault",
        Position = 2
    )][string] $vaultName,
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Connect to AzureAD?",
        Position = 3
    )][bool] $AzureADCon = $false,
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Connect to Az?",
        Position = 4
    )][bool] $AzCon = $false,
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Connect to MS online?",
        Position = 5
    )][bool] $MSolCon = $false,
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Connect to Exchange Online?",
        Position = 6
    )][bool] $ExchangeCon = $false
)
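The two ideas in this thread put together in one prompt-free script, as an added example that is not code from either post: the accepted solution's pattern (redeem the refresh token against the partner tenant, connect MsOnline once, and scope every cmdlet with -TenantId) on top of the Key Vault-backed, non-interactive setup that the parameter block above is built around. Assumptions not in the thread: the client secret and the Secure Application Model refresh token sit in Azure Key Vault under the hypothetical secret names SAM-ApplicationSecret and SAM-RefreshToken, the script runs under a managed identity with get access to those secrets (Connect-AzAccount -Identity), Az.KeyVault 2.x is installed so Get-AzKeyVaultSecret accepts -AsPlainText, and the customer list comes from Connect-PartnerCenter/Get-PartnerCustomer with the same app and refresh token. The delegated-admin task it performs (Company Administrators with no registered MFA method, per customer) is the example's own choice, not something the thread describes.

```powershell
#Requires -Modules Az.Accounts, Az.KeyVault, MsOnline, PartnerCenter
<#
  Added example, not from the thread. No user input: secrets come from Key Vault,
  MsOnline is connected ONCE against the PARTNER tenant, and each customer call is
  scoped with -TenantId. Vault and secret names below are hypothetical.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)][string] $PartnerTenantId,
    [Parameter(Mandatory = $true)][string] $ApplicationId,      # client ID of the Secure Application Model app
    [Parameter(Mandatory = $true)][string] $VaultName,
    [string] $AppSecretName    = 'SAM-ApplicationSecret',       # assumed secret name
    [string] $RefreshTokenName = 'SAM-RefreshToken'             # assumed secret name
)

# 1. Secrets: managed identity -> Key Vault. Nothing prompted, nothing written to disk.
$null      = Connect-AzAccount -Identity
$appSecret = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $AppSecretName).SecretValue   # SecureString
$refresh   = Get-AzKeyVaultSecret -VaultName $VaultName -Name $RefreshTokenName -AsPlainText  # Az.KeyVault >= 2.0
$appCred   = [PSCredential]::new($ApplicationId, $appSecret)

# 2. Access tokens are redeemed against the PARTNER tenant, never the customer tenant.
function Get-PartnerScopedToken {
    param ([Parameter(Mandatory = $true)][string] $Scope)
    New-PartnerAccessToken -Tenant $PartnerTenantId -ApplicationId $appCred.UserName -Credential $appCred `
        -RefreshToken $refresh -Scopes $Scope -ServicePrincipal
}
$aadGraphToken = Get-PartnerScopedToken -Scope 'https://graph.windows.net/.default'
$msGraphToken  = Get-PartnerScopedToken -Scope 'https://graph.microsoft.com/.default'

# 3. One MsOnline session for the whole run; customers are selected per cmdlet, not per connection.
$null = Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken `
    -MsGraphAccessToken $msGraphToken.AccessToken -AzureEnvironment 'AzureCloud'

# 4. Customer list from Partner Center, using the same app and refresh token.
$null      = Connect-PartnerCenter -Tenant $PartnerTenantId -ApplicationId $appCred.UserName `
    -Credential $appCred -RefreshToken $refresh -ServicePrincipal
$customers = Get-PartnerCustomer

# 5. Delegated-admin work: Company Administrators with no registered MFA method in one customer tenant.
function Get-AdminsWithoutMfa {
    param ([Parameter(Mandatory = $true)][string] $CustomerTenantId)
    $role    = Get-MsolRole -TenantId $CustomerTenantId -RoleName 'Company Administrator'
    $members = Get-MsolRoleMember -TenantId $CustomerTenantId -RoleObjectId $role.ObjectId -All
    foreach ($m in $members | Where-Object RoleMemberType -eq 'User') {
        $user = Get-MsolUser -TenantId $CustomerTenantId -ObjectId $m.ObjectId
        if (-not $user.StrongAuthenticationMethods -or $user.StrongAuthenticationMethods.Count -eq 0) {
            $user.UserPrincipalName
        }
    }
}

$report = foreach ($c in $customers) {
    try {
        $flagged = @(Get-AdminsWithoutMfa -CustomerTenantId $c.CustomerId)
        [pscustomobject]@{ Customer = $c.Name; TenantId = $c.CustomerId; AdminsWithoutMfa = ($flagged -join ';'); Error = $null }
    }
    catch {
        # Typical cause: the customer revoked (or never granted) delegated admin. Record it and carry on.
        [pscustomobject]@{ Customer = $c.Name; TenantId = $c.CustomerId; AdminsWithoutMfa = $null; Error = $_.Exception.Message }
    }
}
$report | Sort-Object Customer | Format-Table -AutoSize
```

Treat the refresh token as what it is: a long-lived credential that carries the consenting global admin's delegated access into every customer tenant. Keep it only in Key Vault, grant get access solely to the identity that runs the automation, log vault access, and re-run the one-off authorization code step before the token expires (Microsoft's Secure Application Model guidance gives refresh tokens a 90-day lifetime). The try/catch per customer matters in practice because a single tenant that has dropped the partner's AOBO relationship would otherwise stop the whole run.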
