Accessing Partner Center customers via API
First off, my question is equivalent to this post on the MS forums, but nobody has resolved it.
I am trying to get access to any API that allows me to view user counts for all our customers, Graph or Partner Center API.
My two basic requirements:
- Read the full list of customers from Partner Center
- Be able to use a single App credential to generate a Graph API access token for any Partner Center customer to access their user lists.
I've read the docs for the Partner Center API and I am following the REST authentication example, but the Partner Center API returns a 403 error no matter how I try to authenticate.
I am using OAuth 2.0 to authenticate with the https://login.microsoftonline.com/{tenantId}/oauth2/token route with grant_type: client_credentials and resource: https://graph.windows.net, as stated in the documentation linked above.
This successfully returns a token, however when I use that as Bearer for the https://api.partnercenter.microsoft.com/v1/customers route, I get a 403 Forbidden error.
I've also found this other token route that is not referenced in other documentation. When I try sending a POST to https://api.partnercenter.microsoft.com/generatetoken with this access token as bearer and grant_type: jwt_token, I get back {"error": "invalid_grant", "error_description": "Invalid authorization bearer is passed"}.
The error "The client application TenantID is missing service principal in the tenant CustomerTenantID" usually occurs if the Multitenant application is not present in the Customer Tenant as Service principal.
To access all tenants with the same application, check the below:
Assuming your tenant as TenantA and customer tenant as CustomerTenant
Created a multi-tenant application in TenantA by selecting "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" and grant User.Read.All Microsoft Graph API permission:
Now to resolve the error, make use of below endpoint and login with the CustomerTenant Global Admin account, so that it creates Service Principal in CustomerTenant*:
https://login.microsoftonline.com/CustomerTenantTenantID/adminconsent?client_id=ClientIDOFAPPinTenantA
OR
https://login.microsoftonline.com/organizations/adminconsent?client_id=ClientIDOFAPPinTenantA
Once, you click on Accept and go to CustomerTenant -> Enterprise applications -> Search the application:
The service principal is created in the CustomerTenant and the API permissions is granted:
Now generate the access token for Microsoft Graph API to access users of CustomerTenant
GET https://graph.microsoft.com/v1.0/users
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Client ID : ClientID
Client Secret : ClientSecret
Scope: https://graph.microsoft.com/.default
I logged in with the CustomerTenant account and able to get the user details for the CustomerTenant successfully:
Now to test, I logged with TenantA account and got the users of TenantA :
- You can also directly generate the access token using
CustomerTenantglobal admin account and you will get the consent screen to accept the permissions instead of creating the service principal by the endpoint. - You can make use of refresh token model to access customers in Microsoft Partner Center. Refer this SO Thread by me.
References:
azure - Search User Information Across different Microsoft Tenants - Stack Overflow by Tiny Wang
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?