No more Graph API rights for new customers tenants with GDAP

Copper Contributor



We use a powershell script with the Graph module to administer the users of our M365 clients who each have a dedicated tenant with a GDAP.
We use App authentication which has all the necessary rights.


For all existing tenants:



For new tenants:




Any idea?


4 Replies

Hi @Arnaud_K 


This post is not related to the CSP program & your labels should relate to your subject matter. Ex: GDAP and M365 would be correct labels. 


This post can be moved to the Business Applications community (since there is no Modern Works community). 




Microsoft CSP Licensing Concierge


Hi @Arnaud_K 


Thank you for posting to the community!:smile:


Is this what you're looking for Granular delegated admin privileges (GDAP) API overview - Microsoft Graph v1.0 | Microsoft Learn


Or, is this?  Work with Graph Explorer - Microsoft Graph | Microsoft Learn


If the links above do not answer your question, please let me know. 



If this reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.


Microsoft CSP Licensing Concierge


@sansbacher do you know anything about this by chance? :)

@Jill_Armour_Microsoft and @Arnaud_K,


You usually need AppPlusUser authentication to leverage Delegated rights for your customers. In your screenshot the new tenant appears to be missing the Scopes. Did you provision your AzureAD/Entra Enterprise App in your tenant? Did you add the Consent in the Customer's tenant (It'll be under their AAD, under Enterprise Applications, set Application Type = "All Applications" (or clear the filter) to view)


I don't know why it would work for existing but not new tenants (as DAP should have been removed a while ago). I would step through the process of creating your App and adding the Consents to the new Tenants and see if a step was missed.


There's a bunch of info/links in this post:


The bulk of the (current) info is Nick's post:


If you have deployed the App/Consents to the customers and now need to update he has a follow-up post on updating them:


The principles are the same for using the Graph API and the Graph PowerShell SDK. You should be able to connect to your Customers with Get-MgUser just fine using Refresh and Access Tokens.