joakimidland
Jan 14, 2025

About Preconsented applications

Hello, 

I am trying to administer our customers more effectively via the Microsoft Graph API, and am trying to follow this guide: https://learn.microsoft.com/en-us/graph/auth-cloudsolutionprovider

This is where I don't get things working: 

Additionally, as a partner developer, you can build a partner-managed app to manage your customers' Microsoft services. Partner-managed apps are often called preconsented apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.

I have attempted to use Microsoft Graph via PowerShell and HTTP, with both delegated and user methods; nothing seems to be working. If I try Connect-MgGraph -ClientId "***partnermultitenantappid***" -TenantId "****customertenantid****", I get this error:

AADSTS90099: The application '****' (*****) has not been authorized in the tenant '*****'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.

This gets solved if I log in to the tenant directly and add the application as per normal. But that eliminates the whole point about something being pre-consented.

I have followed all the steps and I have added the application as a service principal in the AdminAgents group, which I have confirmed is also assigned to the partner relationship with all permissions. The partner relationship has all rights minus Global Administrator, as part of the steps of troubleshooting the issues I've encountered thus far.

What am I missing? Again reading from the article: Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.

Final question: Is it only possible to authenticate to customer tenants with delegated authentication, or is it possible with even application authentication as well?
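As an added diagnostic (not from the original post or from Microsoft's documentation), the following PowerShell checks the two conditions the post describes from the partner tenant: that the app's service principal is a member of AdminAgents, and that AdminAgents is an active access container on a GDAP relationship with the customer. It assumes the Microsoft.Graph.Groups, Microsoft.Graph.Applications and Microsoft.Graph.Identity.Partner modules are installed; the app id and customer tenant id are placeholders.

```powershell
# Added diagnostic example; not code from the post or from Microsoft.
# Assumes the Microsoft.Graph.* modules named in the lead-in are installed and
# that you sign in to the PARTNER tenant with enough rights to read groups,
# service principals and GDAP relationships.
$AppId            = '00000000-0000-0000-0000-000000000000'   # placeholder: partner multi-tenant app id
$CustomerTenantId = '11111111-1111-1111-1111-111111111111'   # placeholder: customer tenant id

Connect-MgGraph -Scopes 'Group.Read.All','Application.Read.All','DelegatedAdminRelationship.Read.All'

# 1. Resolve the AdminAgents group and the app's service principal in the partner tenant.
$adminAgents = Get-MgGroup -Filter "displayName eq 'AdminAgents'"
$sp          = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $adminAgents) { throw "AdminAgents group not found in the partner tenant." }
if (-not $sp)          { throw "No service principal for app $AppId in the partner tenant." }

# 2. Is the service principal actually a member of AdminAgents?
$memberIds = (Get-MgGroupMember -GroupId $adminAgents.Id -All).Id
"Service principal is a member of AdminAgents: $($memberIds -contains $sp.Id)"

# 3. Find GDAP relationships with this customer and check whether AdminAgents
#    has an active access assignment on each one. Without that assignment the
#    group (and the app inside it) carries no privileges into the customer tenant.
$rels = Get-MgTenantRelationshipDelegatedAdminRelationship -All |
        Where-Object { $_.Customer.TenantId -eq $CustomerTenantId }
if (-not $rels) { "No GDAP relationship found for customer $CustomerTenantId"; return }

foreach ($r in $rels) {
    "Relationship '$($r.DisplayName)' status: $($r.Status)"
    $assignments = Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment `
                       -DelegatedAdminRelationshipId $r.Id -All
    $hit = $assignments | Where-Object {
        $_.AccessContainer.AccessContainerId -eq $adminAgents.Id -and $_.Status -eq 'active'
    }
    if ($hit) {
        $roleIds = $hit.AccessDetails.UnifiedRoles.RoleDefinitionId -join ', '
        "  AdminAgents is assigned; role definition ids: $roleIds"
    } else {
        "  AdminAgents has NO active access assignment on this relationship"
    }
}
```

Both checks must pass on an active relationship before the app's inherited delegated privileges can apply to that customer; the script only reads configuration and changes nothing.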

  • sansbacher seems to be pretty knowledgeable about the tech side of things. Do you happen to know anything about this? 

    I am trying to find the right team to ask about this as well, if I can get an answer, I will post here.

    Thanks in advance! 