Forum Discussion

Arnaud_K's avatar
Arnaud_K
Copper Contributor
Dec 08, 2023

No more Graph API rights for new customers tenants with GDAP

Hi,   We use a powershell script with the Graph module to administer the users of our M365 clients who each have a dedicated tenant with a GDAP. We use App authentication which has all the neces...
GDAP
M365
sansbacher's avatar
sansbacher
Copper Contributor
Dec 11, 2023

JillArmourMicrosoft and @Arnaud_K,

 

You usually need AppPlusUser authentication to leverage Delegated rights for your customers. In your screenshot the new tenant appears to be missing the Scopes. Did you provision your AzureAD/Entra Enterprise App in your tenant? Did you add the Consent in the Customer's tenant (It'll be under their AAD, under Enterprise Applications, set Application Type = "All Applications" (or clear the filter) to view)

 

I don't know why it would work for existing but not new tenants (as DAP should have been removed a while ago). I would step through the process of creating your App and adding the Consents to the new Tenants and see if a step was missed.

 

There's a bunch of info/links in this post:

https://techcommunity.microsoft.com/t5/partner-led-tech-topics/configuring-the-secure-app-model-for-powershell-api-graph/m-p/3820555/highlight/true#M1

 

The bulk of the (current) info is Nick's post:

https://tminus365.com/my-automations-break-with-gdap-the-fix/

 

If you have deployed the App/Consents to the customers and now need to update he has a follow-up post on updating them:

https://tminus365.com/gdap-multi-tenant-automation/

 

The principles are the same for using the Graph API and the Graph PowerShell SDK. You should be able to connect to your Customers with Get-MgUser just fine using Refresh and Access Tokens.

 

    --Saul

Resources