How to debug failing application consent requests in the Secure Application Model flow

steven-mspvalley 0 Reputation points
2023-10-11T11:08:52.29+00:00

Hi,

We've been implementing the Secure Application Model Flow with varying success. Our goal is to access the customer tenants on behalf of the CSP partner. The step that regularly fails is the step where we grant consent to our application on behalf of the customer.

Once this request to the Partner Center API /applicationconsents endpoint starts failing for a customer tenant, it seems we can never get it back to a working state, and keep receiving the following response.

Even after recreating everything (the application, the service account and a new GDAP relationship), we keep getting the same error.

For some customers our implementations works just fine, for others it doesn't - or even stops working after a while.

This is the request:

POST https://api.partnercenter.microsoft.com/v1/customers/customer tenant id/applicationconsents
{
    "DisplayName": "Partner App Name",
    "ApplicationId": "partner app/client id",
    "ApplicationGrants": [
        {
            "EnterpriseApplicationId": "00000003-0000-0000-c000-000000000000",
            "Scope": "Directory.Read.All,User.Read,Organization.Read.All"
        }
    ]
}

and the response is like this:

{
    "code": 400,
    "message": "{\r\n  \"error\": {\r\n    \"code\": \"Authorization_RequestDenied\",\r\n    \"message\": \"Insufficient privileges to complete the operation.\",\r\n    \"innerError\": {\r\n      \"date\": \"2023-10-11T10:17:55\",\r\n      \"request-id\":         \"f283169e-f664-4f6e-8b83-047f403ab8ad\",\r\n      \"client-request-id\": \"f283169e-f664-4f6e-8b83-047f403ab8ad\"\r\n    }\r\n  }\r\n}",
    "description": "{\r\n  \"error\": {\r\n    \"code\": \"Authorization_RequestDenied\",\r\n    \"message\": \"Insufficient privileges to complete the operation.\",\r\n    \"innerError\": {\r\n      \"date\": \"2023-10-11T10:17:55\",\r\n      \"request-id\":         \"f283169e-f664-4f6e-8b83-047f403ab8ad\",\r\n      \"client-request-id\": \"f283169e-f664-4f6e-8b83-047f403ab8ad\"\r\n    }\r\n  }\r\n}",
    "errorName": "BadRequest",
    "isRetryable": false,
    "parameters": {}
}

Unfortunately, this does not help us very much. Does anyone know how we can find out the reason for this Authorization_RequestDenied error?

We have double checked the user permissions, the application permissions and the GDAP roles that are assigned, and they should be correct. They worked before so we're fairly sure it's all set up correctly.

We are working according to the instructions found here: https://learn.microsoft.com/en-us/partner-center/developer/gdap-and-secure-application-model#use-of-an-admin-account-to-provide-consent-on-behalf-of-users-in-the-secure-application-model

Where could we go and find more information about these request-id's that are referenced in the output, for example? We checked our Audit Logs in Microsoft Entra, but there's no event logged there that corresponds to these requests.

Does anyone have any tips how we could investigate this in greater detail?

Thanks, Steven

Microsoft Partner Center API
Microsoft Partner Center API
Microsoft Partner Center: A Microsoft website for partners that provides access to product support, a partner community, and other partner services.API: A software intermediary that allows two applications to interact with each other.
317 questions
0 comments No comments
{count} votes