No more Graph API rights for new customer tenants with GDAP

Hi,

We use a PowerShell script with the Graph module to administer the users of our M365 clients who each have a dedicated tenant with a GDAP.
We use App authentication which has all the necessary rights.

 

For all existing tenants:

[Screenshot: Arnaud_K_3-1702026049088.png]

For new tenants:

[Screenshot: Arnaud_K_4-1702026063152.png]

Any idea?

 

4 Replies

Hi @Arnaud_K

This post is not related to the CSP program & your labels should relate to your subject matter. Ex: GDAP and M365 would be correct labels.

This post can be moved to the Business Applications community (since there is no Modern Works community).

Regards,

Microsoft CSP Licensing Concierge

 

Hi @Arnaud_K

Thank you for posting to the community! 😄

Is this what you're looking for? Granular delegated admin privileges (GDAP) API overview - Microsoft Graph v1.0 | Microsoft Learn

Or, is this? Work with Graph Explorer - Microsoft Graph | Microsoft Learn

If the links above do not answer your question, please let me know.

If this reply answers your question, please Accept as the solution to help the other members find it more quickly. Otherwise, please let me know if you need further assistance on this topic.

Regards,

Microsoft CSP Licensing Concierge

 

@sansbacher do you know anything about this by chance? 🙂

@JillArmourMicrosoft and @Arnaud_K,

You usually need AppPlusUser authentication to leverage Delegated rights for your customers. In your screenshot the new tenant appears to be missing the Scopes. Did you provision your AzureAD/Entra Enterprise App in your tenant? Did you add the Consent in the Customer's tenant (it'll be under their AAD, under Enterprise Applications, set Application Type = "All Applications" (or clear the filter) to view)?

I don't know why it would work for existing but not new tenants (as DAP should have been removed a while ago). I would step through the process of creating your App and adding the Consents to the new Tenants and see if a step was missed.

There's a bunch of info/links in this post:

https://techcommunity.microsoft.com/t5/partner-led-tech-topics/configuring-the-secure-app-model-for-...

The bulk of the (current) info is Nick's post:

https://tminus365.com/my-automations-break-with-gdap-the-fix/

If you have deployed the App/Consents to the customers and now need to update, he has a follow-up post on updating them:

https://tminus365.com/gdap-multi-tenant-automation/

The principles are the same for using the Graph API and the Graph PowerShell SDK. You should be able to connect to your Customers with Get-MgUser just fine using Refresh and Access Tokens.

 

    --Saul
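
The reply above points at missing Scopes on the new tenant. As an added example (not code from the thread or from Microsoft), this PowerShell decodes an access token's payload to show whether it carries delegated scopes (`scp`) or only application roles (`roles`). The function names are hypothetical, and the sample tokens and GUIDs are constructed placeholders.

```powershell
# Added example: diagnostic decode only; the token signature is NOT verified.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-GraphTokenGrant {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Delegated tokens carry a space-separated "scp" claim; app-only tokens carry a "roles" array.
    $scopes = @(); if ($claims.scp)   { $scopes = @($claims.scp -split ' ') }
    $roles  = @(); if ($claims.roles) { $roles  = @($claims.roles) }

    if     ($scopes.Count -gt 0) { $kind = 'Delegated (app + user)' }
    elseif ($roles.Count  -gt 0) { $kind = 'Application (app-only)' }
    else                         { $kind = 'No Graph permissions in token' }

    [pscustomobject]@{
        TenantId  = $claims.tid
        GrantKind = $kind
        Scopes    = $scopes -join ', '
        Roles     = $roles -join ', '
    }
}

# Constructed sample tokens (unsigned, placeholder GUIDs), standing in for real ones.
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = {
        param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.unsigned' -f (& $enc @{ typ = 'JWT' }), (& $enc $Claims)
}
$existingTenant = New-SampleToken @{ tid = '00000000-0000-0000-0000-000000000001'
                                     scp = 'User.ReadWrite.All Directory.Read.All' }
$newTenant      = New-SampleToken @{ tid = '00000000-0000-0000-0000-000000000002' }

$existingTenant, $newTenant | ForEach-Object { Get-GraphTokenGrant $_ } | Format-Table -AutoSize
```

A token that comes back with no scopes and no roles for a customer tenant matches the symptom described in the reply and points at a missing consent in that tenant.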