How to fix error 403 Forbidden when accessing partner center API to retrieve customers and users
Am currently battling error 403 forbidden in my partner center API requests and am unable to know what i might be missing or doing wrong.
I have followed Microsoft documentation but still same issue.
My End Goal
To be able to retrieve customers and view users in customer tenants that i manage and export the results into a csv file(same information visible in partner center under customer workspace) using partner center APIs. I'm using PowerShell to achieve this. Below is the endpoint URLs that is documented to call.
GET https://api.partnercenter.microsoft.com/v{version}/customers to list customers from partner center
GET https://api.partnercenter.microsoft.com/v1/customers/<customer-tenant-id> to list users in customer tenant from partner center
What i have done in my environment.
My partner center type is
CSP, indirect provider - cloud reseller.My account in partner center has
Global admin, admin agents, sales agent roles(infact all available roles assigned)I created an app registration of type
Accounts in this organizational directory only (myorgname - Single tenant)andRedirect URI set to webThe app registration is assigned three
delegated permission
I associated the app registration i created above inside partner center and assigned it
Owner plus manager rolems docAm able to successfully authenticate to my partner center API thanks to support here, that is i can successfully get a
refresh token, connect to partner centerusing the refresh token and even use therefresh token to generate a new access token(valid 90 days), which i can use asBearer for REST API callI can view my customers from the customers workspace in partner center using GUI.
Issue
When i run an API request to either of this endpoints GET https://api.partnercenter.microsoft.com/v1/customers or GET https://api.partnercenter.microsoft.com/v1/customers/<customer-tenant-id>, either using REST API flow or PowerShell SDK i get 403 forbidden.
$mynewtoken = "new token requested using refresh token"
$url = "https://api.partnercenter.microsoft.com/v1/customers"
$headers = @{
"Authorization" = "Bearer $mynewtoken"
"Accept" = "application/json"
}
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response
or
$customers = Get-PartnerCustomer
$customers | ForEach-Object {
Write-Output "Customer ID: $($_.CustomerId), Company Name: $($_.CompanyProfile.CompanyName)"
}
Posting the answer to help community, to resolve the error execute the PowerShell script as a normal user and set the execution policy as unrestricted:
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
I am able to execute the script successfully:
$appId = "AppID"
$appSecret = ConvertTo-SecureString -String "Secret" -AsPlainText -Force
$tenantId = "TenantID"
$credential = [PSCredential]::new($appId, $appSecret)
$tokenSplat = @{
ApplicationId = $appId
Credential = $credential
Scopes = "https://api.partnercenter.microsoft.com/user_impersonation"
ServicePrincipal = $true
TenantId = $tenantId
UseAuthorizationCode = $true
}
$token = New-PartnerAccessToken @tokenSplat
$token.RefreshToken
$connectSplat = @{
ApplicationId = $appId
Credential = $credential
RefreshToken = $token.RefreshToken
}
Connect-PartnerCenter @connectSplat
Get-PartnerRole
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions