Hero Banner

Secure Application Model

Learn and ask questions on how to implement secure application model

Level 1 Contributor

Secure Application Model framework - Error The identity of the calling application could not be established



We are one of the CSP partners who are using app ID + user authentication and directly integrate with Partner Center APIs and Azure AD Microsoft Graph. We are trying to implement the Secure Application Model framework.


We have registered a new Azure AD application in the Azure portal and followed the steps in pdf (CSP Overview document) : csp-partner-application-overview. We have used the Java sample application (Sample Java Code) to provide the consent to the app which worked successfully as we were able to retrieve the refresh-token.

So, what we have achieved so far is:


  1. Refresh token was generated and stored in our key vault.
  2. We can generate access-token using the refresh token for the resource Azure AD Microsoft Graph i.e. https://graph.windows.net

But when we try to connect to any of the API using the access-token created in Step 2 e.g. Create a domain using https://graph.windows.net/{customer-tenant-id}/domains?api-version=1.6


"The identity of the calling application could not be established"


I'm not sure what I'm doing wrong as I have re-visited the permissions etc and it all looks good to me, we have also tried click on admin consent button on the bottom of app screen but no luck.


Can someone please advise as its a massive blocker for us to go live?


JP Singh


@jpsingh-arq there are two common reasons that cause this particular error. The first being the Azure AD application is not figured to be available to any organization. You can confirm the Azure AD application is configured correctly by checking the supported account type configuration found in the authentication section. The below figure shows what the configuration should look like.


Annotation 2019-07-30 083548.png


The second reason you might encounter this error is due to the Azure AD consent framework. Since you are a partner that is involved in the CSP program, you can take advantage of pre-consent. If you were a Control Panel Vendor (CPV), then you would have to create an application grant using the Partner Center API/SDK. More information regarding pre-consent can be found here. Please let us know if you have any concerns or questions. 

Level 1 Contributor

Thanks @idwilliams for your quick reply. Much Appreciated.


As you have suggested, I think the error is due to the Azure AD consent framework, I will try out the link you have provided.

BTW - I did try the Partner Consent from powershell as detailed here and it worked perfectly. I wonder why the sample Java application did not work. My understanding was the sample would do pre-consent.


Question: Can you please advise what's the difference between the consent(here) and pre-consent (here and here) it will be super helpful for us?



JP Singh


@jpsingh-arq the partner consent sample you referenced is used to consent to the application and generate the refresh token. The PowerShell documentation referenced covers the same topic. You will still need to use pre-consent or programatically create the application grant, so your application can access a customers environment. 


Cloud Solution Provider partners can leverage pre-consent so there applications do not require consent to be granted for each customer. This works because a relationship exists between the customer and partner that makes it where the partner can consent on behalf of the customer. Control Panel Vendors do not have this relationship, so an application grant will need to be created. An example of how this is done can be found here.


Overall my recommendation would be for both Cloud Solution Providers and Control Panel Vendors to create the application grants. That way you do not have to worry about configuring pre-consent or the potiental for issues if ever change permissions.