I ran a script that should automatically define an application through the Partner Center API and got specific errors with one tenant.
I am running the following script:

```powershell
# $AppId, $AppSecret, $PartnerTenantid and $AppDisplayName are set earlier in the script (not shown)

# Define the consent scope
$consentscope = 'https://api.partnercenter.microsoft.com/user_impersonation'

# Create a PSCredential object with the provided values
$AppCredential = New-Object System.Management.Automation.PSCredential ($AppId, (ConvertTo-SecureString $AppSecret -AsPlainText -Force))

# Get the Partner Center access token
$PartnerAccessToken = New-PartnerAccessToken -ServicePrincipal -ApplicationId $AppId -Credential $AppCredential -Scopes $consentscope -Tenant $PartnerTenantid -UseAuthorizationCode

# Connect to Partner Center with the access token
$PartnerCenter = Connect-PartnerCenter -AccessToken $PartnerAccessToken.AccessToken

# Define the customer TenantID
$CustomerTenantId = '"sample ID"'

# Define the application grants with expanded scopes
$MSGraphgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant
$MSGraphgrant.EnterpriseApplicationId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$MSGraphgrant.Scope = "User.ReadWrite.All, Directory.ReadWrite.All, License.ReadWrite.All"

$ExOgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant
$ExOgrant.EnterpriseApplicationId = "00000002-0000-0ff1-ce00-000000000000"   # Exchange Online
$ExOgrant.Scope = "Exchange.Manage"

# Create a new consent for the customer
New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgrant, $ExOgrant) -CustomerId $CustomerTenantId -ApplicationId $AppId -DisplayName $AppDisplayName
```
This is working and creating the consent successfully for me with all tenants in my multitenant except for one specific tenant. At first I got this error:

```text
New-PartnerCustomerApplicationConsent : {
  "type": "MsalUiRequiredException",
  "error_code": "invalid_grant",
  "error_description": "AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 810e03f7-3a6b-462a-a3ea-6d7e2dbaac00 Correlation ID: aec144b1-92d1-421e-9880-e77c4516fee6 Timestamp: 2024-01-17 08:44:52Z",
  "claims": "{"access_token":{"capolids":{"essential":true,"values":["b9331cd7-cd9d-40a8-84bb-652b51608815"]}}}",
  "response_body": "{"error":"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 810e03f7-3a6b-462a-a3ea-6d7e2dbaac00 Correlation ID: aec144b1-92d1-421e-9880-e77c4516fee6 Timestamp: 2024-01-17 08:44:52Z","error_codes":[53003],"timestamp":"2024-01-17 08:44:52Z","trace_id":"810e03f7-3a6b-462a-a3ea-6d7e2dbaac00","correlation_id":"aec144b1-92d1-421e-9880-e77c4516fee6","error_uri":"https://login.microsoftonline.com/error?code=53003","suberror":"message_only","claims":"{\"access_token\":{\"capolids\":{\"essential\":true,\"values\":[\"b9331cd7-cd9d-40a8-84bb-652b51608815\"]}}}"}",
  "correlation_id": "aec144b1-92d1-421e-9880-e77c4516fee6",
  "sub_error": "message_only"
}
```
After disabling the one conditional access policy in the tenant (which shouldn't have affected it regardless), I now see this error:

```text
New-PartnerCustomerApplicationConsent : Exception of type 'Providers.Common.V1.CoreException' was thrown.
At C:\Users\benp_support\OneDrive - Allegronet\Desktop\ExportAllLicenses\Consent_New_Tenant.ps1:32 char:1
+ New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgr ...
+
    + CategoryInfo          : CloseError: (:) [New-PartnerCustomerApplicationConsent], PartnerException
    + FullyQualifiedErrorId : Microsoft.Store.PartnerCenter.PowerShell.Commands.NewPartnerCustomerApplicationConsent
```
How can I resolve this error? The script worked for me for hundreds of other tenants. For reference, I used the guide here to help me set this up: https://tminus365.com/my-automations-break-with-gdap-the-fix/
If anyone can elucidate here for me I would greatly appreciate it.
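The first error in the question is a standard Entra ID token-endpoint failure wrapped three layers deep in JSON, and its `claims` challenge (`capolids`) names the Conditional Access policy that blocked token issuance in that customer tenant. The helper below is an added example, not code from the original post or from the Partner Center PowerShell module: it takes the exception text that `New-PartnerCustomerApplicationConsent` throws, unwraps the nested JSON, and returns the AADSTS error code and the policy ID(s), so the specific policy can be reviewed instead of disabling policies by guesswork. It also returns gracefully for the bare `CoreException` case, which carries no JSON. The sample input is constructed to match the shape of the posted error; only the policy ID is taken from the post, and the trace/correlation IDs are placeholders.

```powershell
function Get-AadstsFailureDetail {
    [CmdletBinding()]
    param(
        # Full exception text, e.g. $_.Exception.Message inside a catch around the cmdlet
        [Parameter(Mandatory)]
        [string]$ErrorText
    )

    # The cmdlet prefixes the token-endpoint JSON with its own name; keep from the first '{'
    $start = $ErrorText.IndexOf('{')
    if ($start -lt 0) {
        # Not a token-endpoint error (the bare CoreException case looks like this): nothing to unwrap
        return [pscustomobject]@{
            Parsed        = $false
            ErrorCode     = $null
            Description   = $ErrorText.Trim()
            CorrelationId = $null
            PolicyIds     = @()
        }
    }

    $outer = $ErrorText.Substring($start) | ConvertFrom-Json
    # response_body is itself a JSON string returned by login.microsoftonline.com
    $body = $outer.response_body | ConvertFrom-Json

    # claims is a third JSON layer; capolids.values lists the Conditional Access policy IDs
    $policyIds = @()
    if ($body.claims) {
        $claims = $body.claims | ConvertFrom-Json
        if ($claims.access_token.capolids) {
            $policyIds = @($claims.access_token.capolids.values)
        }
    }

    [pscustomobject]@{
        Parsed        = $true
        ErrorCode     = [int]($body.error_codes | Select-Object -First 1)
        # Drop the trailing "Trace ID: ..." so Description is just the AADSTS text
        Description   = ($body.error_description -split ' Trace ID:')[0]
        CorrelationId = $body.correlation_id
        PolicyIds     = $policyIds
    }
}

# Constructed sample shaped like the error in the question (placeholder trace/correlation IDs;
# the policy ID is the one from the posted claims challenge)
$claimsJson = '{"access_token":{"capolids":{"essential":true,"values":["b9331cd7-cd9d-40a8-84bb-652b51608815"]}}}'
$bodyJson = @{
    error             = 'invalid_grant'
    error_description = 'AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID: 11111111-1111-1111-1111-111111111111 Timestamp: 2024-01-17 08:44:52Z'
    error_codes       = @(53003)
    correlation_id    = '11111111-1111-1111-1111-111111111111'
    suberror          = 'message_only'
    claims            = $claimsJson
} | ConvertTo-Json -Compress
$sample = 'New-PartnerCustomerApplicationConsent : ' + (@{
    type           = 'MsalUiRequiredException'
    error_code     = 'invalid_grant'
    response_body  = $bodyJson
    correlation_id = '11111111-1111-1111-1111-111111111111'
    sub_error      = 'message_only'
} | ConvertTo-Json -Compress)

Get-AadstsFailureDetail -ErrorText $sample | Format-List

# The CoreException variant has no JSON and comes back with Parsed = $false
Get-AadstsFailureDetail -ErrorText "Exception of type 'Providers.Common.V1.CoreException' was thrown." | Format-List
```

In the real script, wrap the `New-PartnerCustomerApplicationConsent` call in `try { ... } catch { Get-AadstsFailureDetail -ErrorText $_.Exception.Message }` and log the result per customer tenant. A returned policy ID can then be looked up in that customer tenant (with an identity that has Policy.Read.All there, for example via `Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id>` from the Microsoft.Graph.Identity.SignIns module) to confirm which conditions, such as a location or device-state requirement, the partner's service principal flow is failing. The plain `CoreException` with no AADSTS payload is a different failure from the Partner Center side and is not diagnosable from the token error alone.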