How to debug failing application consent requests in the Secure Application Model flow

steven-mspvalley 0 Reputation points
2023-10-11T11:08:52.29+00:00

Hi,

We've been implementing the Secure Application Model Flow with varying success. Our goal is to access the customer tenants on behalf of the CSP partner. The step that regularly fails is the step where we grant consent to our application on behalf of the customer.

Once this request to the Partner Center API /applicationconsents endpoint starts failing for a customer tenant, it seems we can never get it back to a working state, and keep receiving the following response.

Even after recreating everything (the application, the service account and a new GDAP relationship), we keep getting the same error.

For some customers our implementation works just fine; for others it doesn't, or it even stops working after a while.

This is the request:

POST https://api.partnercenter.microsoft.com/v1/customers/customer tenant id/applicationconsents
{
    "DisplayName": "Partner App Name",
    "ApplicationId": "partner app/client id",
    "ApplicationGrants": [
        {
            "EnterpriseApplicationId": "00000003-0000-0000-c000-000000000000",
            "Scope": "Directory.Read.All,User.Read,Organization.Read.All"
        }
    ]
}

and the response is like this:

{
    "code": 400,
    "message": "{\r\n  \"error\": {\r\n    \"code\": \"Authorization_RequestDenied\",\r\n    \"message\": \"Insufficient privileges to complete the operation.\",\r\n    \"innerError\": {\r\n      \"date\": \"2023-10-11T10:17:55\",\r\n      \"request-id\":         \"f283169e-f664-4f6e-8b83-047f403ab8ad\",\r\n      \"client-request-id\": \"f283169e-f664-4f6e-8b83-047f403ab8ad\"\r\n    }\r\n  }\r\n}",
    "description": "{\r\n  \"error\": {\r\n    \"code\": \"Authorization_RequestDenied\",\r\n    \"message\": \"Insufficient privileges to complete the operation.\",\r\n    \"innerError\": {\r\n      \"date\": \"2023-10-11T10:17:55\",\r\n      \"request-id\":         \"f283169e-f664-4f6e-8b83-047f403ab8ad\",\r\n      \"client-request-id\": \"f283169e-f664-4f6e-8b83-047f403ab8ad\"\r\n    }\r\n  }\r\n}",
    "errorName": "BadRequest",
    "isRetryable": false,
    "parameters": {}
}

Unfortunately, this does not help us very much. Does anyone know how we can find out the reason for this Authorization_RequestDenied error?

We have double-checked the user permissions, the application permissions and the GDAP roles that are assigned, and they should be correct. They worked before, so we're fairly sure it's all set up correctly.

We are working according to the instructions found here: https://learn.microsoft.com/en-us/partner-center/developer/gdap-and-secure-application-model#use-of-an-admin-account-to-provide-consent-on-behalf-of-users-in-the-secure-application-model

Where could we go and find more information about these request-ids that are referenced in the output, for example? We checked our Audit Logs in Microsoft Entra, but there's no event logged there that corresponds to these requests.

Does anyone have any tips how we could investigate this in greater detail?

Thanks, Steven
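One way to make a failing consent call traceable, as an added example that is not part of the original post or of Microsoft's own SDK: it builds the request shown in the question with Partner Center's MS-RequestId / MS-CorrelationId tracing headers, and unwraps the double-encoded error body so the inner code, request-id, client-request-id and timestamp can be logged and quoted to support. The bearer token is a placeholder and the sample error body is constructed from the response in the question.

```python
import json
import uuid

# Constructed sample: the error body from the question, re-encoded the same way
# (note the "message" field is a JSON document serialised inside a JSON string).
SAMPLE_ERROR_BODY = json.dumps({
    "code": 400, "errorName": "BadRequest", "isRetryable": False, "parameters": {},
    "message": json.dumps({"error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"date": "2023-10-11T10:17:55",
                       "request-id": "f283169e-f664-4f6e-8b83-047f403ab8ad",
                       "client-request-id": "f283169e-f664-4f6e-8b83-047f403ab8ad"}}}),
})

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, as in the question


def build_consent_request(customer_tenant_id, app_id, display_name, scopes):
    # MS-RequestId / MS-CorrelationId are Partner Center's tracing headers; keep the
    # values you sent so a failing call can be quoted to support by your own id.
    url = f"https://api.partnercenter.microsoft.com/v1/customers/{customer_tenant_id}/applicationconsents"
    headers = {
        "Authorization": "Bearer <partner-access-token>",  # placeholder, not a real token
        "Content-Type": "application/json",
        "MS-RequestId": str(uuid.uuid4()),
        "MS-CorrelationId": str(uuid.uuid4()),
    }
    body = {"DisplayName": display_name, "ApplicationId": app_id,
            "ApplicationGrants": [{"EnterpriseApplicationId": GRAPH_APP_ID,
                                   "Scope": ",".join(scopes)}]}
    return url, headers, body


def parse_consent_error(body_text):
    # Unwrap the double-encoded error and flatten the fields worth logging.
    outer = json.loads(body_text)
    result = {"http_code": outer.get("code"), "error_name": outer.get("errorName"),
              "retryable": outer.get("isRetryable")}
    try:
        inner = json.loads(outer.get("message", "")).get("error", {})
    except (ValueError, AttributeError):
        result["raw_message"] = outer.get("message")  # not a Graph-style payload
        return result
    result["inner_code"] = inner.get("code")
    result["inner_message"] = inner.get("message")
    result.update(inner.get("innerError", {}))  # date, request-id, client-request-id
    return result
```

Log the returned dictionary together with the MS-RequestId and MS-CorrelationId you sent; that pair of identifiers is what a support case needs to trace the call server-side.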
