Hi,
My application retrieves unified audit log data via the Management API, which requires a Microsoft 365 license. However, I'm investigating a tenant that does not have a Microsoft 365 license and only has the license AAD_PREMIUM, which contains the following service plans: ADALLOM_S_DISCOVERY, EXCHANGE_S_FOUNDATION, AAD_PREMIUM, and MFA_PREMIUM. To ensure I can access the unified audit log data via the Management API, I first create a ConfidentialClientApplicationBuilder using Microsoft.Identity.Client 4.22.0 and make a token request for the client.
Because this tenant does not have a Microsoft 365 license, the behavior I expect would be that it returns the following error when retrieving the access token:
'MSAL.NetCore.4.61.3.0.MSalServiceException: ErrorCode: invalid_resource Microsoft.Identity.Client.MSalServiceException: AADSTS500014: The service principal for resource 'https://manage.office.com' is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it.'
However, it is able to successfully retrieve the access token, and instead only throws an error when attempting to access the endpoint (somewhat redacted).
'"error":{"code":"StartSubscription [CorrId=[]][TenantId=[],ContentType=Audit.AzureActiveDirectory.ApplicationId=[],PublisherId=[]][AppId","message":"[]] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant [] does not exist."'
This error message is misleading, as "Tenant [] does not exist." is the error message seen when UnifiedAuditLogIngestionEnabled needs to be turned on, but the tenant in question is unable to turn on UnifiedAuditLogIngestionEnabled in their Azure account, as they do not have Microsoft 365.
I believe the authentication passes because of the service plan EXCHANGE_S_FOUNDATION, and that this plan may have some kind of configuration for Office 365 without actually enabling the service, which allows me to obtain the access token but never allows me to pull the data successfully. As I understand it, Exchange Foundation licenses are stripped-down licenses that don't allow normal e-mail access, but can set aside storage space and enable some features that are part of the Exchange product stack.
https://www.reddit.com/r/Office365/comments/x2nbcw/what_is_the_exchange_foundation_license/
Can you please confirm/deny my assumption about EXCHANGE_S_FOUNDATION having some kind of configuration for Office 365, allowing it to obtain an access token for the Management API? And if so, can you please help me understand whether this is intended, and why it's returning the same error message ("Tenant [] does not exist") that is returned when UnifiedAuditLogIngestion is not enabled, when the tenant in question is not able to turn this feature on since they don't have 365? Thanks!
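An added example (not the poster's code) that separates the two stages described in the post, the MSAL client-credentials token request and the Management Activity API StartSubscription call, so a collector can report which stage failed instead of treating a successfully issued token as proof that audit data is available; the tenant, client, secret and publisher values are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not the poster's code. IDs and the publisher identifier
// are placeholders; fill in your own values.
class AuditSubscriptionProbe
{
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-client-id>";
    const string ClientSecret = "<client-secret>";
    const string PublisherId = "<publisher-guid>"; // typically the caller's own tenant id

    static async Task Main()
    {
        // Stage 1: client-credentials token for the Management API resource.
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        AuthenticationResult token;
        try
        {
            token = await app.AcquireTokenForClient(
                new[] { "https://manage.office.com/.default" }).ExecuteAsync();
        }
        catch (MsalServiceException ex)
        {
            // AADSTS500014 (ErrorCode "invalid_resource") lands here: the
            // manage.office.com service principal is disabled for this tenant.
            Console.WriteLine($"Token stage failed: {ex.ErrorCode} - {ex.Message}");
            return;
        }
        // Stage 2: a token alone proves nothing about licensing; the
        // StartSubscription call is where "Tenant [] does not exist" surfaces.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);
        var url = $"https://manage.office.com/api/v1.0/{TenantId}/activity/feed/subscriptions/start"
                + $"?contentType=Audit.AzureActiveDirectory&PublisherIdentifier={PublisherId}";
        using var resp = await http.PostAsync(url, null);
        var body = await resp.Content.ReadAsStringAsync();
        Console.WriteLine(resp.IsSuccessStatusCode
            ? $"Subscription started: {body}"
            : $"API stage failed: HTTP {(int)resp.StatusCode} {body}");
    }
}
```

Logging the stage and the raw API body separately makes the post's symptom (token issued, subscription refused) distinguishable from a genuine tenant-ID typo or a disabled service principal.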