Secure App Model
About Preconsented applications
Hello, I am trying to administer our customers more effectively via the Microsoft Graph API, and am trying to follow this guide: https://learn.microsoft.com/en-us/graph/auth-cloudsolutionprovider This is where I don't get things working: "Additionally, as a partner developer, you can build a partner-managed app to manage your customers' Microsoft services. Partner-managed apps are often called preconsented apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application." I have attempted to use Microsoft Graph via PowerShell and HTTP, with both delegated and user methods, and nothing seems to be working. If I try Connect-MgGraph -ClientId "***partnermultitenantappid***" -TenantId "****customertenantid****", I get this error: AADSTS90099: The application '****' (*****) has not been authorized in the tenant '*****'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them. This gets solved if I log in to the tenant directly and add the application as per normal. But that eliminates the whole point of something being pre-consented. I have followed all the steps and I have added the application as a service principal to the AdminAgents group, which I have confirmed is also assigned to the partner relationship with all permissions. The partner relationship has all rights minus Global Administrator, as part of the steps of troubleshooting the issues I've encountered thus far. What am I missing?
Again reading from the article: "Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application." Final question: Is it only possible to authenticate to customer tenants with delegated authentication, or is it possible with application authentication as well?

Configuring the Secure App Model for PowerShell / API / Graph scripting with GDAP for Partners
Hi to whoever may find this! With the old MS Partner Community Forums going read-only as of March 8th, 2023, I thought I'd post a few useful links here in case someone is searching and unable to post on the old forums. The 2 main GDAP-related threads on the old forum that feature info on getting the Secure App Model to work with GDAP and the Exchange Online V3 PowerShell module (with the ExO automation App ID a0c73c16-a7e3-4564-9a95-2bdf47383716 being retired eventually) are: MS Graph/Secure App and GDAP and Exch Online V3 and Secure App. These are both long threads, with lots of info in a meandering kind of way. They disappeared after June 30th, 2023, so these are links to the Internet Archive's WaybackMachine. But they're how we worked it all out, so they are useful background.

So the best place to find current, step-by-step instructions for getting things to work is this post: My Automations Break with GDAP: The Fix! It appears Nick has collected all the info from the above 2 links, tested it, and made a fairly complete blog post, so start there. (Note: for the ExO V3 stuff you must use the customer's initial onmicrosoft.com domain for things to work properly.) Big thanks to him! Nick has 2 additional posts that may be of interest as well: one on Leveraging APIs for unattended Automation, and one on Updating the GDAP Consents across all your Customers.

For some background info you can check out some of these links: The code leverages the Secure App Model. It can be implemented in PowerShell. Setting it up involves a few steps. But many (most?) of us likely followed Kelvin's post on CyberDrain (or Gavsto has a simple introduction too) originally. Though still useful background info, these links have lots of outdated info, e.g. they still reference Msol and AzureAD commands, but you can still mostly use them to follow along. There's also a post about securely storing secrets, like the RefreshTokens. For CURRENT info, use the link above for GDAP + Secure App Model.
Msol/MSOnline doesn't work with GDAP, and AzureAD uses the old AzureAD Graph, which is also being retired (use MS Graph instead, which works with GDAP).

Remember: RefreshTokens are good for 90 days; redeem them for an AccessToken, which is good for 60 mins. After 60 mins get another one. Before the 90 days are up, get an AccessToken (which always includes a new RefreshToken) and save it instead of the old one. You can repeat that forever. But you may need to restart the process if the account you used initially changes its password, so use a dedicated account.

For Exchange Online and the Exchange Online Management V3 module, you can refer to the posts in this forum, since there are mistakes and omissions in the official MS docs. Main error: use the original .onmicrosoft.com domain as the CustomerTenantID when connecting with Connect-ExchangeOnline. If you use their public customer.com domain or their TenantID (GUID) it will work inconsistently, and you'll have problems writing (reading may work).

The Secure App Model mainly uses Delegated permissions, see: App-Only vs Delegated Permissions, and there's more info here. Any Graph API call will list the permissions needed depending on whether you're using Delegated or Application, with GET /users/{id} for example. We generally use Delegated since we're accessing on behalf of customers. You'll need to ensure your Secure App registration has the required Graph permissions AND so does your customer consent. Hopefully that helps someone! --Saul [Edited to add the WaybackMachine links and Nick's new posts]
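The refresh-token rotation Saul describes above (redeem the stored RefreshToken for a short-lived AccessToken, save the new RefreshToken that comes back, connect with the customer's initial onmicrosoft.com domain for Exchange Online) looks like this in practice. This is an added example, not code from Saul's post or from the linked blog posts. It assumes a partner app registration ($ClientId / $ClientSecret), a refresh token already obtained through the Secure App Model consent flow (with offline_access) and stored at $RefreshTokenPath, PowerShell 7 or later (for ConvertFrom-SecureString -AsPlainText), the Microsoft.Graph and ExchangeOnlineManagement V3 modules, and a customer whose initial domain is passed in $CustomerOnMicrosoftDomain. The file-based token store is a placeholder; keep the real token in a secrets store as the linked post on storing secrets recommends.

```powershell
# Added example, not from the forum post. Redeems a Secure App Model refresh token for a
# customer tenant, persists the rotated refresh token, and connects Graph and Exchange
# Online V3 with the resulting delegated access tokens.
# Assumptions (placeholders): $ClientId/$ClientSecret are your partner app registration,
# $RefreshTokenPath holds a refresh token from the Secure App Model consent flow.
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [securestring] $ClientSecret,
    [Parameter(Mandatory)] [string] $CustomerOnMicrosoftDomain,   # e.g. contoso.onmicrosoft.com
    [string] $RefreshTokenPath = "$env:ProgramData\SecureAppModel\refresh.token"
)

function Get-DelegatedToken {
    param(
        [Parameter(Mandatory)] [string] $Tenant,   # customer tenant ID or initial onmicrosoft.com domain
        [Parameter(Mandatory)] [string] $Scope     # e.g. https://graph.microsoft.com/.default
    )
    # The Secure App Model token is a delegated (user) token, so the grant is
    # refresh_token, not client_credentials: the partner account's GDAP roles apply.
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = (ConvertFrom-SecureString -SecureString $ClientSecret -AsPlainText)
        refresh_token = (Get-Content -Path $RefreshTokenPath -Raw).Trim()
        scope         = $Scope
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body

    # A successful redemption returns a new refresh token; overwrite the stored one so
    # the 90-day window keeps rolling forward instead of expiring on the original.
    if ($resp.refresh_token) {
        Set-Content -Path $RefreshTokenPath -Value $resp.refresh_token -NoNewline
    }
    return $resp   # .access_token, .expires_in (seconds), .refresh_token
}

$graphScope = 'https://graph.microsoft.com/.default'
$exoScope   = 'https://outlook.office365.com/.default'

# Graph: one token per resource, scoped to the customer tenant.
$graph = Get-DelegatedToken -Tenant $CustomerOnMicrosoftDomain -Scope $graphScope
$graphExpiry = (Get-Date).AddSeconds($graph.expires_in)
Connect-MgGraph -AccessToken (ConvertTo-SecureString $graph.access_token -AsPlainText -Force) -NoWelcome
Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName

# Exchange Online V3: separate resource, separate token. -Organization must be the
# customer's initial .onmicrosoft.com domain, not the vanity domain or tenant GUID.
$exo = Get-DelegatedToken -Tenant $CustomerOnMicrosoftDomain -Scope $exoScope
Connect-ExchangeOnline -AccessToken $exo.access_token -Organization $CustomerOnMicrosoftDomain -ShowBanner:$false
Get-AcceptedDomain | Select-Object Name, DomainType

# For long-running jobs, re-redeem before the ~60-minute access token expires.
if ((Get-Date) -gt $graphExpiry.AddMinutes(-5)) {
    $graph = Get-DelegatedToken -Tenant $CustomerOnMicrosoftDomain -Scope $graphScope
    Connect-MgGraph -AccessToken (ConvertTo-SecureString $graph.access_token -AsPlainText -Force) -NoWelcome
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Two things worth checking when this fails: if the token endpoint answers with AADSTS errors the customer-side consent (the GDAP relationship plus the app's permissions) is usually what is missing rather than the script, and if a write to Exchange Online fails while reads succeed, confirm that the domain passed to -Organization really is the initial onmicrosoft.com domain.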
.NET SDK integration
Hey guys, I'm trying to hook in the .NET SDK to interact with Partner Center. The documentation seems to be terribly outdated, i.e.: Set up API access in Partner Center - Partner app developer | Microsoft Learn. Basically, I am not able to pass the authentication to the Partner Center using whatever. Is there any up-to-date documentation which would help to see how to do this? Regards, JK

DNS server issue on Windows Server 2012 R2
Hello, I have a problem with the DNS server: the DNS server cannot resolve external domains, but if I ping a public IP there is no problem. I use a forwarder and I also tested the forwarder; there is no problem with the forwarder. I checked the firewall and there is no problem with the firewall, even when I have disabled the firewall. Can somebody help me?