Question 242401 in Azure Question posted in
The official documentation to get you started can be found here.

Azure – Cannot Migrate my CSP application to use granular delegated admin privileges using partner center api

I cannot migrate my CSP APP with the api.partnercenter.microsoft.com/v1/customers/{<customer_id>}/applicationconsents api. I’ve used https://learn.microsoft.com/en-us/partner-center/developer/gdap-and-secure-application-model and https://tminus365.com/my-automations-break-with-gdap-the-fix/ to migrate the CSP app, but i only get resource not found errors.

I did the following:

  1. Ive created the OBO account and via PIM, eligible for global admin when accessing access token.

  2. Added the account to a newly created Security group and added the SG to the Admin relationship with application administrator permissions in the GDAP relation

  3. Created a new App:

  4. Set the permissions on the application
    After the setup I tried to get the access token and tried to consent the app the powershellcmdlet New-PartnerCustomerApplicationConsent, but got the following error: "Resource ” does not exist or one of its queried reference-property objects are not present."

Script used:

$AppId = ''
$AppSecret = ''
$consentscope = 'https://api.partnercenter.microsoft.com/user_impersonation'
$AppCredential = (New-Object System.Management.Automation.PSCredential ($AppId, (ConvertTo-SecureString $AppSecret -AsPlainText -Force)))
$PartnerTenantid = ''
$AppDisplayName = 'test-obo-sp'
# Get PartnerAccessToken token
$PartnerAccessToken = New-PartnerAccessToken -serviceprincipal -ApplicationId $AppId -Credential $AppCredential -Scopes $consentscope -tenant $PartnerTenantid -UseAuthorizationCode

$CustomerTenantId = ''

#create obo consent
$PartnerCenter = Connect-PartnerCenter -AccessToken $PartnerAccessToken.AccessToken
#Grants needed
$MSGraphgrant = New-Object -TypeName Microsoft.Store.PartnerCenter.Models.ApplicationConsents.ApplicationGrant
$MSgraphgrant.EnterpriseApplicationId = "00000003-0000-0000-c000-000000000000"
$MSGraphgrant.Scope = "User.Read.All,"

New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgrant) -CustomerId $CustomerTenantId -ApplicationId $AppId -DisplayName $appdisplayname`

Error:

Line |
21 | New-PartnerCustomerApplicationConsent -ApplicationGrants @($MSGraphgr …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| { "error": { "code": "Request_ResourceNotFound", "message": "Resource ” does not exist or one of its queried reference-property objects are not present.",
| "innerError": { "date": "2023-09-01T11:20:12", "request-id": "9d9d96e0-4dbc-4dd1-aaed-3af3d6e8e700", "client-request-id":
| "9d9d96e0-4dbc-4dd1-aaed-3af3d6e8e700" } } }

I get the same error via the powershell module aswell as directly via REST

When I try to manually consent the app via a global admin account in the customer tenant (https://login.microsoftonline.com/%7Bcustomertenant%7D.onmicrosoft.com/adminconsent?client_id={appid}), I get no issues. But I have a lot of customers to manage and cant consent them all manually.

Tags:

2

Answers


  1. 0

    We are experiencing the exact same problem. Both the API directly and this command. Only for specific customers. Opened up a case at MS. Will post an update when we managed to get any closer to the solution.

    Login or Signup to reply.
  2. 0

    Also getting the same issue and error.

    I followed https://tminus365.com/my-automations-break-with-gdap-the-fix/ a couple of weeks ago and was all working. Did the same thing this week and have the "resource ” does not exist or one of its queried reference-property objects are not present error"

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search