GDAP
About Preconsented applications
Hello, I am trying to more effectively administrate our customers via Microsoft Graph API, and am trying to follow this guide: https://learn.microsoft.com/en-us/graph/auth-cloudsolutionprovider

This is where I don't get things working:

"Additionally, as a partner developer, you can build a partner-managed app to manage your customers' Microsoft services. Partner-managed apps are often called preconsented apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application."

I have attempted to use Microsoft Graph via PowerShell, HTTP, both delegated and user-methods; nothing seems to be working. If trying Connect-MgGraph -ClientId "***partnermultitenantappid***" -TenantId "****customertenantid****", I get this error:

AADSTS90099: The application '****' (*****) has not been authorized in the tenant '*****'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.

This gets solved if I log in to the tenant directly and add the application as per normal. But that eliminates the whole point of something being pre-consented. I have followed all the steps and I have added the application as a service principal for the AdminAgents group, which I have confirmed is also assigned to the PartnerRelationship with all permissions. The Partner relationship has all rights minus Global Administrator as part of the steps of troubleshooting the issues I've encountered thus far. What am I missing?
Again, reading from the article: "Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application."

Final question: Is it only possible to authenticate to customer tenants with delegated authentication, or is it possible with application authentication as well?

GDAP renewal time is approaching
Hi all, the relationships we created two years ago are due for renewal soon, and I'm curious how other people are approaching the creation of new relationships. With the introduction of relationships that auto-renew, have you found this to be a beneficial alternative?

We are a Managed Service Provider and our customers want us to turn ALL the knobs in the Microsoft portals for them. I want to have the flexibility of techs only enabling the roles they need, but there are a LOT of roles. Creating a relationship with 34 roles is a bit extreme. Plus, it looks like we need 43 built-in roles to have the same level of access as Global Admin, and some of those roles are not available via GDAP today. The role that stands out the most is "Organizational Branding Administrator." Can another role that is available through GDAP change sign-in branding?

What would partners think if Microsoft allowed the Global Admin role to auto-renew until Microsoft adds all the built-in roles to GDAP roles needed to replace Global Admin? Maybe put some sort of extra warning on the role acceptance side advising the client this is not recommended and let the client make that informed choice themselves? What do you think customers' opinion of this move would be? From my conversations with different people, I am under the impression that customers didn't want Microsoft to allow partners the option of letting the Global Admin role auto-renew. I am curious what the customers were looking to address with this approach and if there is another way.

I look forward to reading your thoughts and experiences!

Configuring the Secure App Model for PowerShell / API / Graph scripting with GDAP for Partners
Hi whomever may find this! With the old MS Partner Community Forums going read-only as of March 8th, 2023, I thought I'd post a few useful links here in case someone is searching and unable to post on the old forums.

The 2 main GDAP-related threads on the old forum that feature info on getting Secure App Model to work with GDAP and the Exchange Online V3 PowerShell module (with the ExO automation App ID: a0c73c16-a7e3-4564-9a95-2bdf47383716 being retired eventually) are: MS Graph/Secure App and GDAP, and Exch Online V3 and Secure App. These are both long threads, lots of info in a meandering kind of way. They disappeared after June 30th, 2023, so these are links to the Internet Archive's WaybackMachine. But they're how we worked it all out, so useful background.

So the best place to find current, step-by-step instructions for getting things to work is this post: My Automations Break with GDAP: The Fix! It appears Nick has collected up all the info from the above 2 links, tested it, and made a fairly complete blog post, so start there. (Note: for the ExO V3 stuff you must use the Customer's initial onmicrosoft.com domain for things to work properly.) Big thanks to him! Nick has 2 additional posts that may be of interest as well: one on Leveraging APIs for unattended Automation, and one on Updating the GDAP Consents across all your Customers.

For some background info you can check out some of these links: The code leverages the Secure App Model. It can be implemented in PowerShell. Setting it up involves a few steps. But many (most?) of us likely followed Kelvin's post on CyberDrain (or Gavsto has a simple introduction too) originally. Though still useful background info, these links have lots of outdated info, e.g. they still reference Msol and AzureAD commands, but you can still mostly use them to follow along. There's also a post about securely storing secrets, like the RefreshTokens. For CURRENT info, use the link above for GDAP + Secure App Model.

Msol/MSOnline doesn't work with GDAP, and AzureAD uses the old AzureAD Graph which is also being retired (use MS Graph instead, which works with GDAP).

Remember: RefreshTokens are good for 90 days; redeem them for an AccessToken which is good for 60 mins. After 60 mins get another one. Before 90 days are up, get an AccessToken (which always includes a new RefreshToken) and save it instead of the old one. You can repeat that forever. But you may need to restart the process if the account you used initially changes its password, so use a dedicated account.

For Exchange Online and the Exchange Online Management V3 module, you can refer to the posts in this forum, since there are mistakes and omissions in the official MS docs. Main error: use the original .onmicrosoft.com domain as the CustomerTenantID when connecting with Connect-ExchangeOnline. If you use their public customer.com or their TenantID (GUID) it will work inconsistently, and you'll have problems writing (reading may work).

The Secure App Model mainly uses Delegated permissions, see: App-Only vs Delegated Permissions, and there's more info here. Any Graph API calls will list Permissions needed depending on if you're using Delegated or Application, with GET /users/{id} for example. We generally use Delegated since we're accessing on behalf of Customers. You'll need to ensure your Secure App Registration has the required Graph permissions AND so does your customer Consent.

Hopefully that helps someone! --Saul [Edited to add the WaybackMachine links and Nick's new posts]
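The refresh-token rotation Saul describes above (90-day RefreshToken, 60-minute AccessToken, always persist the newest RefreshToken) is the part of the Secure App Model that most often breaks in unattended scripts. The following PowerShell is an added example written for this thread; it is not Saul's, Nick's or CyberDrain's code. It assumes a partner app registration with a client secret, a refresh token that was originally obtained through the Secure App Model consent flow (so offline_access was granted), and a secret store of your own choosing; the environment-variable names and the customer domain are placeholders. The token endpoint and the response fields are the standard Microsoft identity platform v2.0 ones.

```powershell
# Added example (not from the original post): redeem a Secure App Model refresh token
# for a delegated access token and hand the rotated refresh token back to the caller.
# Assumptions (placeholders, not from the page): PARTNER_APP_ID, PARTNER_APP_SECRET and
# the stored refresh token come from your own secret store; 'contoso.onmicrosoft.com'
# stands in for the customer's initial onmicrosoft.com domain.

function Get-DelegatedToken {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $RefreshToken,
        # Customer tenant: the initial onmicrosoft.com domain (or the tenant GUID for Graph).
        [Parameter(Mandatory)] [string] $TenantId,
        # /.default means "everything this app has been consented for" on that resource.
        [string] $Scope = 'https://graph.microsoft.com/.default'
    )

    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'refresh_token'
        refresh_token = $RefreshToken
        scope         = $Scope
    }

    $response = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body $body

    # The reply carries a new refresh token. The one just used keeps counting down
    # from its own issue date, so the caller must persist the new one before
    # doing anything else; otherwise the automation silently dies at day 90.
    [pscustomobject]@{
        AccessToken  = $response.access_token
        RefreshToken = $response.refresh_token
        ExpiresAt    = (Get-Date).AddSeconds([int]$response.expires_in)
    }
}

function Get-CachedAccessToken {
    # Reuse a token while it is still valid (60 min), refresh only when it is within
    # a few minutes of expiry, and return the (possibly rotated) state to persist.
    param(
        [Parameter(Mandatory)] [pscustomobject] $State,   # AccessToken/RefreshToken/ExpiresAt
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $TenantId,
        [int] $SkewMinutes = 5
    )
    if ($State.AccessToken -and $State.ExpiresAt -gt (Get-Date).AddMinutes($SkewMinutes)) {
        return $State
    }
    Get-DelegatedToken -ClientId $ClientId -ClientSecret $ClientSecret `
        -RefreshToken $State.RefreshToken -TenantId $TenantId
}

# --- usage (placeholders) ---------------------------------------------------
$customer = 'contoso.onmicrosoft.com'   # placeholder; use the customer's initial domain
$state = [pscustomobject]@{
    AccessToken  = $null
    RefreshToken = $env:PARTNER_REFRESH_TOKEN   # placeholder: read from your secret store
    ExpiresAt    = [datetime]::MinValue
}

$state = Get-CachedAccessToken -State $state -ClientId $env:PARTNER_APP_ID `
    -ClientSecret $env:PARTNER_APP_SECRET -TenantId $customer

# Persist the rotated refresh token FIRST (replace with a write to your secret store).
Write-Host "New refresh token issued; store it before continuing."

# Microsoft Graph PowerShell SDK 2.x takes the access token as a SecureString.
Connect-MgGraph -AccessToken (ConvertTo-SecureString $state.AccessToken -AsPlainText -Force)
```

For Exchange Online the same function works with the scope swapped to the Exchange resource (https://outlook.office365.com/.default); pass the resulting token to Connect-ExchangeOnline against the customer's onmicrosoft.com domain as Nick's post describes. The "persist first, use second" ordering in the usage block is the design point: if the script writes the new refresh token only after a successful Graph call, any failure in between leaves the store holding a token that will expire on the original 90-day clock.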
Create GDAP ForeignPrincipal RBAC on Azure Subscriptions without Reseller relationship

Hi Partner team, we'd like to see some improvements made to GDAP + Azure when supporting workloads in regions outside of the CSP support regions/markets. Foreign Principal Objects (FPO) should be created in the destination tenant when establishing a GDAP relationship, not just a Reseller relationship. As a partner in one country, I can't support an Azure Subscription using GDAP in a remote tenancy. The only workaround is Guest Users (which conflicts with users who are GDAP for other non-Azure workloads) or new accounts. Regards,

Microsoft Startup Program and Tenant Onboarding - Will that count for Solution Partner level-up?
Hello Partners, we have a customer who got enrolled and approved for the Microsoft Startup program. They currently don't have anything on Microsoft and requested support from my company, being a Microsoft Partner. We are preparing to level up and attain Solution Partner on Modern Work (SMB Track) this year. Will this effort on customer onboarding or product onboarding help us on any of the categories which are considered for eligibility? Thanks, Akhila

DNS server issue on Windows Server 2012 R2
Hello, I have a problem with a DNS server: the DNS server cannot resolve external domains, but if I test pinging a public IP there is no problem. I use a forwarder and I also tested the forwarder; there is no problem with the forwarder. I checked the firewall and there is no problem with the firewall, even when I have disabled the firewall. Can anybody help me?