Forum Discussion
About Preconsented applications
Hello,
I am trying to more effectively administrate our customers via Microsoft Graph API, and am trying to follow this guide: https://learn.microsoft.com/en-us/graph/auth-cloudsolutionprovider
This is where I don't get things working:
Additionally, as a partner developer, you can build a partner-managed app to manage your customers' Microsoft services. Partner-managed apps are often called preconsented apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.
I have attempted to use Microsoft Graph via PowerShell, HTTP, both delegated and user methods; nothing seems to be working. When trying Connect-MgGraph -ClientId "***partnermultitenantappid***" -TenantId "****customertenantid****", I get this error:
AADSTS90099: The application '****' (*****) has not been authorized in the tenant '*****'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.
This gets solved if I log in to the tenant directly and add the application as per normal. But that eliminates the whole point about something being pre-consented.
I have followed all the steps and I have added the application as a service principal for the AdminAgents group, which I have confirmed is also assigned to the Partner Relationship with all permissions. The Partner Relationship has all rights minus Global Administrator as part of the steps of troubleshooting the issues I've encountered thus far.
What am I missing? Again reading from the article: Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.
Final question: Is it only possible to authenticate to customer tenants with delegated authentication, or is it possible with even application authentication as well?
4 Replies
- sansbacher (Copper Contributor)
Hi joakimidland, I was just going through old emails and noticed Jill had tagged me on this. Did you manage to solve this?
I haven't used the actual article you referenced, but the process seems similar to the one most CSPs have been using. What are you trying to do, exactly? Are you a CSP (via the Partner Center)? Do you have Delegated Admin Permissions to Customer Tenants? Do you have GDAP Relationships set up?
The process I, and I think most CSPs, use is outlined in this post to the forum:
In particular Nick's post:
https://tminus365.com/my-automations-break-with-gdap-the-fix/
You are right, there's not much point if you have to log into each customer tenant and consent to your app. The way around that is to leverage the Partner Center API: after the customer has been added to your CSP Partner Center and a GDAP relationship has been established, you use the Partner Center API to add the consent to the customer's tenant automatically, using a POST to this endpoint:
https://api.partnercenter.microsoft.com/v1/customers/${CustomerTenantId}/applicationconsents
and a payload containing the Application Grants (App IDs + API permissions) you want, which causes your App Registration to appear as a pre-consented Enterprise App in the Customer's Tenant.
If you're doing something else, then I'm not sure. But I think the Partner Center API is what you need to use to add the App to your Customers and ensure it is pre-consented (which is possible due to a pre-existing delegated admin (GDAP) relationship).
https://learn.microsoft.com/en-us/partner-center/developer/get-started
Under Security you'll see the sections on GDAP, the Secure App Model, and granting consent:
https://learn.microsoft.com/en-us/partner-center/developer/control-panel-vendor-apis
I hope that helps if you're still having issues. If you found an alternate solution or are doing something else, please post back so others can learn as well.
--Saul
- JillArmour (Microsoft), Community Manager
Thanks sansbacher !
- joakimidland (Copper Contributor)
It turned out that I had indeed not discovered this crucial api call to get things going: https://api.partnercenter.microsoft.com/v1/customers/${CustomerTenantId}/applicationconsents
Moreover, I was stuck for a while when trying to find the application registered in the tenant afterwards. As it turns out, there is in fact a filter by default in the Enterprise applications tab, and it does not show up under any individual Application type filter; it only appears under All Applications.
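The following PowerShell is an added example illustrating the two steps discussed in Saul's reply and the follow-up above: POSTing an application consent to the Partner Center applicationconsents endpoint for a customer tenant, then confirming from the customer tenant that the service principal now exists (so the AADSTS90099 error from the original question no longer occurs). It is not code from the thread or from Microsoft's own samples. The endpoint and the payload fields (applicationId, displayName, applicationGrants with enterpriseApplicationId and scope) follow the Partner Center control panel vendor API documentation linked above; everything else, including how the Partner Center token is obtained, the function names, the parameter values and the chosen Graph scopes, is an assumption you should replace with your own values.

```powershell
# Added example: register a pre-consented app in a customer tenant via the
# Partner Center API, then verify it from the customer tenant with Microsoft Graph.
# Prerequisites (from the thread): the customer exists in your CSP Partner Center,
# a GDAP relationship is active, and the calling partner user is in AdminAgents.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Grant-PartnerAppConsent {
    param(
        # Bearer token for https://api.partnercenter.microsoft.com (partner-tenant
        # user + app token, e.g. via the Secure App Model). Acquisition is assumed.
        [Parameter(Mandatory)][string]$PartnerCenterToken,
        [Parameter(Mandatory)][string]$CustomerTenantId,
        # App (client) id of the partner's multi-tenant app registration.
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppDisplayName,
        # One entry per resource API: its application id plus comma-separated scopes.
        [Parameter(Mandatory)][hashtable[]]$ApplicationGrants
    )

    $uri = "https://api.partnercenter.microsoft.com/v1/customers/$CustomerTenantId/applicationconsents"

    $headers = @{
        Authorization         = "Bearer $PartnerCenterToken"
        'MS-Contract-Version' = 'api-version: v1'
        'MS-RequestId'        = [guid]::NewGuid().ToString()   # per-request id (idempotency)
        'MS-CorrelationId'    = [guid]::NewGuid().ToString()   # keep for support/troubleshooting
        Accept                = 'application/json'
    }

    $body = @{
        applicationId     = $AppId
        displayName       = $AppDisplayName
        applicationGrants = $ApplicationGrants
    } | ConvertTo-Json -Depth 5

    try {
        Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
            -ContentType 'application/json' -Body $body
    }
    catch {
        # Surface the API's error body (e.g. a GDAP role that does not cover a
        # requested scope) instead of only the HTTP status line.
        $detail = $_.ErrorDetails.Message
        throw "applicationconsents POST failed for tenant ${CustomerTenantId}: $($_.Exception.Message) $detail"
    }
}

function Test-PartnerAppInCustomerTenant {
    param(
        [Parameter(Mandatory)][string]$CustomerTenantId,
        [Parameter(Mandatory)][string]$AppId
    )
    # Signing in with the partner app against the customer tenant is exactly the
    # call that produced AADSTS90099 before consent existed. Requires Microsoft.Graph.
    Connect-MgGraph -TenantId $CustomerTenantId -ClientId $AppId -Scopes 'Directory.Read.All'
    # The service principal is visible here even though the portal only lists it
    # under "All Applications" in Enterprise applications.
    Get-MgServicePrincipal -Filter "appId eq '$AppId'"
}

# --- Usage (assumed placeholder values; replace with your own) -----------------
$partnerToken     = '<partner-center-access-token>'
$customerTenantId = '<customer-tenant-id>'
$partnerAppId     = '<partner-multitenant-app-id>'

# Microsoft Graph's well-known application id, with the delegated scopes to consent.
$grants = @(
    @{
        enterpriseApplicationId = '00000003-0000-0000-c000-000000000000'
        scope                   = 'Directory.Read.All,User.Read.All'
    }
)

Grant-PartnerAppConsent -PartnerCenterToken $partnerToken -CustomerTenantId $customerTenantId `
    -AppId $partnerAppId -AppDisplayName 'Contoso Partner Management App' `
    -ApplicationGrants $grants

Test-PartnerAppInCustomerTenant -CustomerTenantId $customerTenantId -AppId $partnerAppId
```

The scopes granted in applicationGrants must be covered by the roles in the active GDAP relationship, otherwise the consent request is rejected; keep the grant list to the minimum your automation actually needs, and record the MS-CorrelationId from each call so a failed consent can be traced later.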
- JillArmour (Microsoft), Community Manager
sansbacher seems to be pretty knowledgeable about the tech side of things. Do you happen to know anything about this?
I am trying to find the right team to ask about this as well, if I can get an answer, I will post here.
Thanks in advance!