JaySivaloganathan
Copper Contributor
Oct 15, 2024

Microsoft Partner Center API - 401 Unauthorized when using access token

I am attempting to retrieve the list of customers from the Microsoft Partner Center API, but I am consistently receiving a 401 Unauthorized error when using the access token obtained from the Microsoft identity platform.

Steps to Reproduce:

  1. Requesting Access Token

    I successfully obtained an access token using the following POST request:

        POST https://login.microsoftonline.com/<tenant_id>/oauth2/token HTTP/1.1
        Host: login.microsoftonline.com
        Content-Type: application/x-www-form-urlencoded; charset=utf-8

        grant_type=client_credentials
        &client_id=<your_client_id>
        &client_secret=<your_client_secret>
        &resource= https://api.partner.microsoft.com

    In response, I receive a valid access token.

  2. Calling Partner Center API

    I am then using the token in the following API request to retrieve customer information:

        GET https://api.partnercenter.microsoft.com/v1/customers
        Authorization: Bearer <access_token>
        Content-Type: application/json

  3. Issue

    The response to the above GET request is as follows:

        HTTP/1.1 401 Unauthorized
        Content-Length: 0

Could you please assist in identifying why I am receiving the 401 Unauthorized error and what steps can be taken to resolve this issue?

4 Replies

    • sansbacher
      Brass Contributor

      @JaySivaloganathan,

      Unfortunately I don't use grant_type=client_credentials; I don't know if that's possible with the delegated permission structure for GDAP to access Customers. I, like most people I think, use grant_type=resource_token, where you obtain a RefreshToken (good for 90 days, but can be renewed whenever obtaining an AccessToken) and then redeem that for an AccessToken (good for 60 mins) when needing to access the Partner Center or any Customer APIs.

      If you are JUST trying to access the Partner Center APIs (and not connect to any Customer resources) you may be able to use client_credentials, but I've not tried.

      Things to check: What permissions / scopes have you added to your Client App (the one referenced by your client_id)? You have not passed a scope= in your POST, what is the default scope in the data returned? I tried your POST request (using my App ID, which is also in Canada, but as I said: is set up for Refresh Token usage) and the resource ends up being the MS Graph's AppID:

      Check your AccessToken using https://jwt.io/ and see what the "aud" is. I tried making a request against https://graph.microsoft.com/v1.0/users and it didn't return a 401, but instead an "InvalidAuthenticationToken" error -- because the resource was wrong of course.

      Try adding resource=https://api.partner.microsoft.com to your request. When you do that you should get this back:

      And the "aud" in the AccessToken matches.

      I still couldn't GET the data you wanted, but as I said my setup is based around Refresh Tokens. For info on that, see: https://techcommunity.microsoft.com/t5/partner-led-questions-tech/configuring-the-secure-app-model-for-powershell-api-graph/m-p/3820555

      Hopefully some of that helps. If not, try working through the links in the above link and configuring things using Refresh Tokens.

        --Saul
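
The "aud" check suggested in the reply above can be done locally instead of pasting the token into a website. The following is an added example, not part of either post: the function names are hypothetical, the sample token is constructed and unsigned, and the audience value is the one used in the thread.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token: str, expected_audience: str) -> dict:
    """Report the claims that matter for a 401: audience and token type.

    No signature check is done; this is for local troubleshooting only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = b64url_json(parts[1])
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Compare case-insensitively and ignore a trailing slash.
    norm = lambda v: (v or "").rstrip("/").lower()
    return {
        "aud": aud,
        "aud_matches": norm(expected_audience) in [norm(a) for a in audiences],
        # Heuristic: delegated (user / refresh-token) tokens carry 'scp',
        # app-only (client_credentials) tokens carry 'roles' or neither.
        "token_type": "delegated" if "scp" in claims else "app-only",
        "roles": claims.get("roles", []),
        "scp": claims.get("scp", ""),
    }

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed sample: a token whose audience is Microsoft Graph's app ID,
# the situation the reply describes.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
SAMPLE = make_sample_token({"aud": GRAPH_APP_ID, "roles": []})

if __name__ == "__main__":
    print(inspect_token(SAMPLE, "https://api.partner.microsoft.com"))
```

Replace SAMPLE with the access_token value from the token response to inspect a real token.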

       

       

       

       
