Forum Discussion

joakimidland
Copper Contributor
Jan 14, 2025

About Preconsented applications

Hello, 

I am trying to administer our customers more effectively via the Microsoft Graph API, and am trying to follow this guide: https://learn.microsoft.com/en-us/graph/auth-cloudsolutionprovider

This is where I don't get things working: 

Additionally, as a partner developer, you can build a partner-managed app to manage your customers' Microsoft services. Partner-managed apps are often called preconsented apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.


I have attempted to use Microsoft Graph via PowerShell and HTTP, with both delegated and user methods; nothing seems to be working. If I try Connect-MgGraph -ClientId "***partnermultitenantappid***" -TenantId "****customertenantid****", I get this error:

AADSTS90099: The application '****' (*****) has not been authorized in the tenant '*****'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.

This gets solved if I log in to the tenant directly and add the application as per normal. But that eliminates the whole point about something being pre-consented.

I have followed all the steps and I have added the application as a service principal for the AdminAgents group, which I have confirmed is also assigned to the partner relationship with all permissions. The partner relationship has all rights minus Global Administrator as part of the steps of troubleshooting the issues I've encountered thus far.


What am I missing? Again reading from the article: Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.


Final question: Is it only possible to authenticate to customer tenants with delegated authentication, or is it possible with application authentication as well?

4 Replies

  • sansbacher
    Brass Contributor

    Hi joakimidland, I was just going through old emails and noticed Jill had tagged me on this. Did you manage to solve this?


    I haven't used the actual article you referenced, but the process seems similar to the one most CSPs have been using. What are you trying to do, exactly? Are you a CSP (via the Partner Center)? Do you have Delegated Admin Permissions to Customer Tenants? Do you have GDAP Relationships set up?


    The process I, and I think most CSPs, use is outlined in this post to the forum:

    Configuring the Secure App Model for PowerShell / API / Graph scripting with GDAP for Partners | Microsoft Community Hub

    In particular Nick's post: 

    https://tminus365.com/my-automations-break-with-gdap-the-fix/


    You are right, there's not much point if you have to log into each customer tenant and consent to your app. The way around that is to leverage the Partner Center API: after the customer has been added to your CSP Partner Center, and a GDAP relationship established you use the Partner Center API to add the Consent to the Customer's Tenant automatically, using a POST to this endpoint:

    https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents

    and a payload containing the Application Grants (App IDs + API permissions) you want, which causes your App Registration to appear as a pre-consented Enterprise App in the Customer's Tenant. 


    If you're doing something else, then I'm not sure. But I think the Partner Center API is what you need to use to add the App to your Customers and ensure it is pre-consented (which is possible due to a pre-existing delegated admin (GDAP) relationship).

    https://learn.microsoft.com/en-us/partner-center/developer/get-started

    Under Security you'll see the sections on GDAP, the https://learn.microsoft.com/en-us/partner-center/developer/secure-app-model-framework, and granting consent:

    https://learn.microsoft.com/en-us/partner-center/developer/control-panel-vendor-apis


    I hope that helps if you're still having issues. If you found an alternate solution or are doing something else, please post back so others can learn as well.

    --Saul


    • joakimidland
      Copper Contributor

      It turned out that I had indeed not discovered this crucial api call to get things going: https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents

      Moreover, I was stuck for a while when trying to find the application registered in the tenant afterwards. As it turns out, there is in fact a filter by default in the Enterprise applications tab, and the app does not show up under any individual Application type filter; it only appears under All Applications.
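      The Partner Center call that Saul describes above and that joakimidland confirms solved the AADSTS90099 error, worked through end to end. This is an added example for this page, not code from either poster or from Microsoft's documentation. It assumes the Secure App Model setup the thread links to (a partner multitenant app with a client secret, and a refresh token for an AdminAgents user kept in a secret store; the secret name below is hypothetical), and it assumes the request body shape documented on the control-panel-vendor-apis page linked above (applicationId, displayName, and one applicationGrants entry per resource API with a comma-separated scope string). The well-known resource ID for Microsoft Graph is used as the grant target. After the POST, the same Connect-MgGraph sign-in that failed before is used as the check, and Get-MgServicePrincipal shows the app is present regardless of the portal filter that hid it.

```powershell
# Added example: pre-consent a partner-managed app into one customer tenant via the
# Partner Center API, then verify the app can now sign in to that tenant.
# Assumptions (not from the thread): client secret auth for the partner app, a
# Secure App Model refresh token stored under a hypothetical secret name, and the
# applicationconsents payload shape as documented on the control-panel-vendor-apis page.

$PartnerTenantId  = '<partner-tenant-id>'              # your CSP (partner) tenant
$CustomerTenantId = '<customer-tenant-id>'             # the customer with an active GDAP relationship
$AppId            = '<partner-multitenant-app-id>'
$AppSecret        = Read-Host 'App client secret' -AsSecureString
# Hypothetical secret name; Get-Secret is from Microsoft.PowerShell.SecretManagement.
$RefreshToken     = Get-Secret -Name 'PartnerCenterRefreshToken' -AsPlainText

$GraphResourceId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID

function Get-PartnerCenterToken {
    param([string]$TenantId, [string]$ClientId, [securestring]$ClientSecret, [string]$RefreshToken)
    # Exchange the stored refresh token (issued to an AdminAgents user) for a
    # delegated Partner Center API access token. App-only tokens do not work here.
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        refresh_token = $RefreshToken
        scope         = 'https://api.partnercenter.microsoft.com/user_impersonation'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Add-CustomerApplicationConsent {
    param([string]$AccessToken, [string]$CustomerId, [string]$AppId, [string]$DisplayName, [string[]]$GraphScopes)
    # One applicationGrants entry per resource API; scope is a comma-separated list of
    # permission names. Keep it minimal: this is consented in every customer you apply it to.
    $payload = @{
        applicationId     = $AppId
        displayName       = $DisplayName
        applicationGrants = @(
            @{ enterpriseApplicationId = $GraphResourceId; scope = ($GraphScopes -join ',') }
        )
    } | ConvertTo-Json -Depth 5

    Invoke-RestMethod -Method Post `
        -Uri "https://api.partnercenter.microsoft.com/v1/customers/$CustomerId/applicationconsents" `
        -Headers @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' } `
        -Body $payload
}

$token = Get-PartnerCenterToken -TenantId $PartnerTenantId -ClientId $AppId -ClientSecret $AppSecret -RefreshToken $RefreshToken
Add-CustomerApplicationConsent -AccessToken $token -CustomerId $CustomerTenantId -AppId $AppId `
    -DisplayName 'Partner Automation' -GraphScopes 'Directory.Read.All', 'User.Read.All'

# Check: the sign-in that previously failed with AADSTS90099 should now succeed, and the
# service principal is visible in the customer tenant whatever the portal's type filter shows.
Connect-MgGraph -ClientId $AppId -TenantId $CustomerTenantId -Scopes 'Directory.Read.All' -NoWelcome
Get-MgServicePrincipal -Filter "appId eq '$AppId'" | Select-Object DisplayName, AppId, Id
```

      The permissions granted this way are only as effective as the GDAP roles assigned to the relationship and to the AdminAgents group the signed-in user belongs to, so listing a broad Graph scope in the payload does not by itself give the app more than the relationship allows. Loop the POST over your customer list once a relationship is in place rather than consenting per tenant by hand, and treat the refresh token as a credential that reaches every customer tenant: store it in a vault, not in a script.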


  • sansbacher seems to be pretty knowledgeable about the tech side of things. Do you happen to know anything about this? 

    I am trying to find the right team to ask about this as well, if I can get an answer, I will post here.


    Thanks in advance! 
