SharePoint scopes not working through a GDAP application consent

Etienne Lepage Lepitre 5 Reputation points
2024-05-23T13:01:39.05+00:00

Hi, we have a problem when getting SharePoint settings through a GDAP relationship consent. Here's the flow we are using:

  • Partner consents to an app with the scope https://api.partnercenter.microsoft.com/user_impersonation and offline_access
  • Using the ApplicationConsents endpoint and the partner access token, we consent for one of its GDAP tenants (with a Global Admin Relationship) to the same app with the scope https://graph.microsoft.com/SharePointTenantSettings.Read.All
  • We then get a token for the GDAP tenants using the refresh token of the partner and the SharePointTenantSettings.Read.All. The token has the scope in its claims.
  • Using the GDAP tenant token we try to make a call to the graph endpoint /admin/sharepoint/settings and we get this error: 401 There has been an error authenticating the request.

The token seems to have the right scope and application role:

User's image

When trying to consent with the same app and same scope directly to the tenant (by using the auth code flow), we don't have the error when calling the /admin/sharepoint/settings graph endpoint.
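A way to compare the claims of the two tokens described above (the one obtained through the GDAP refresh-token flow and the one from the direct auth code flow), added here as an example that is not part of the original post. The function names, the constructed sample tokens and the placeholder tenant IDs are assumptions; claims are read without signature verification, for troubleshooting only.

```python
import base64
import json

# Microsoft Graph appears in "aud" either as its URI or as its application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_SCOPE = "SharePointTenantSettings.Read.All"


def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(token: str, customer_tenant_id: str) -> list[str]:
    """Return findings; an empty list means the inspected claims look as expected.

    Nothing is verified cryptographically: use this to inspect your own token,
    never to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    claims = decode_segment(parts[1])
    findings = []
    aud = claims.get("aud")
    if not isinstance(aud, str) or aud.rstrip("/") not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}, not Microsoft Graph")
    if claims.get("tid") != customer_tenant_id:
        findings.append(f"tid is {claims.get('tid')!r}, not the customer tenant")
    # Delegated permissions are in "scp" (space separated), app roles in "roles".
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if REQUIRED_SCOPE not in granted:
        findings.append(f"{REQUIRED_SCOPE} missing from scp/roles")
    return findings


def build_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # placeholder tenant ID
    sample = build_sample_token({"aud": "https://graph.microsoft.com",
                                 "tid": tenant, "scp": REQUIRED_SCOPE})
    print(check_token(sample, tenant) or "aud, tid and scope look as expected")
```

An empty result for both tokens means the 401 is not explained by the audience, tenant or scope claims, so the remaining differences between the two payloads are what to diff next.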
