-
|
I'm not able to get the tenant access check working. When i run the permission check it says it is all good. But when do an access check on any of the tenants it gives me a bad request. I searched in the documentation but I was not able to find the cause. Is there a solution for this problem? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
This occurs if you haven't done one of the following; your Secure Application Model consent; when setting up the secure application model, 3 consent forms will be requested: one that popups, one with a device code, and one that results in a 404. You'll have to accept them all. the user you used is not a global admin; you must have global admin permissions at time of running the secure application model script. the user you used is not an adminagent; you must be a existing partner, and your user must be in the adminagents group beforehand. You can also check exactly what's going on by running the secure application model examples scripts on the same page. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for your reply. I checked the solutions you provided. The secure app model worked. I had 3 popups and accepted them all. After that i granted admin consent for the permissions. The partner roles seems to be fine. The user is Global admin and Admin Agent. And what exactly do you mean with examples scripts on the same page? |
Beta Was this translation helpful? Give feedback.
-
|
If you scroll down on the page you've used to create the secure application model app, you see a couple of example scripts. for example; $ApplicationId = 'xxxx-xxxx-xxx-xxxx-xxxx'
$ApplicationSecret = 'TheSecretTheSecrey' | Convertto-SecureString -AsPlainText -Force
$TenantID = 'YourTenantID'
$RefreshToken = 'RefreshToken'
$ExchangeRefreshToken = 'ExchangeRefreshToken'
$upn = 'UPN-Used-To-Generate-Tokens'
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach($customer in $customers){
$token = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716'-RefreshToken $ExchangeRefreshToken -Scopes 'https://outlook.office365.com/.default' -Tenant $customer.TenantId
$tokenValue = ConvertTo-SecureString "Bearer $($token.AccessToken)" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
$customerId = $customer.DefaultDomainName
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($customerId)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $session
#From here you can enter your own commands
get-mailbox
#end of commands
Remove-PSSession $session
}if you run this, you should be getting 0 errors, if you do get errors then you need to investigate the source of this. e.g. conditional access policies blocking you, or other authentication issues. :) |
Beta Was this translation helpful? Give feedback.
-
|
I've added this script to the documentation to troubleshoot, feel free to use that one: $ApplicationId = 'xxxx-xxxx-xxx-xxxx-xxxx'
$ApplicationSecret = 'TheSecretTheSecrey' | ConvertTo-SecureString -AsPlainText -Force
$TenantID = 'YourTenantID'
$RefreshToken = 'RefreshToken'
$ExchangeRefreshToken = 'ExchangeRefreshToken'
$upn = 'UPN-Used-To-Generate-Tokens'
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, $ApplicationSecret)
$aadGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.windows.net/.default' -ServicePrincipal -Tenant $tenantID
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $tenantID
Connect-MsolService -AdGraphAccessToken $aadGraphToken.AccessToken -MsGraphAccessToken $graphToken.AccessToken
$customers = Get-MsolPartnerContract -All
foreach ($customer in $customers) {
try {
$Baseuri = "https://graph.microsoft.com/beta"
$CustGraphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes "https://graph.microsoft.com/.default" -ServicePrincipal -Tenant $CustomerTenant
$Header = @{
Authorization = "Bearer $($CustGraphToken.AccessToken)"
}
$SecureDefaultsState = (Invoke-RestMethod -Uri "$baseuri/policies/identitySecurityDefaultsEnforcementPolicy" -Headers $Header -Method get -ContentType "application/json")
}
catch {
Write-Error "Could not connect to Graph API for $($customer.DefaultDomainName). $_"
}
try {
$token = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716'-RefreshToken $ExchangeRefreshToken -Scopes 'https://outlook.office365.com/.default' -Tenant $customer.TenantId
$tokenValue = ConvertTo-SecureString "Bearer $($token.AccessToken)" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
$customerId = $customer.DefaultDomainName
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($customerId)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
$session = Import-PSSession $session
#From here you can enter your own commands
$Exchange = get-mailbox
#end of commands
$PSSession = Remove-PSSession $session
}
catch {
Write-Error "Could not connect to Exchange for $($customer.DefaultDomainName). $_"
}
} |
Beta Was this translation helpful? Give feedback.
-
|
It seems that the problem is fixed. I created a new secure application. The tenant access is now successvol. The problem seems to be solved |
Beta Was this translation helpful? Give feedback.
It seems that the problem is fixed. I created a new secure application.
What i did this time is to force MFA on the user when loggin in (we are using CA).
The tenant access is now successvol. The problem seems to be solved