401 / AADSTS65002 when trying to authenticate with api.partner.microsoft.com

Anonymous
2022-08-10T15:22:14.68+00:00

I'm trying to call the partner center pricesheet API and getting this error:
Response status: 401 failed to authorize : AADSTS65002: Consent between first party application 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' and first party resource '00000002-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 5fcef1ca-f9c3-4a07-aee3-3eb2261b4300 Correlation ID: 05c32831-f9e3-4d9c-a0b1-1b497bc57713 Timestamp: 2022-08-10 15:06:27Z (invalid_grant)
Token is generated with a secret and with these params:
Authority: "https://login.microsoftonline.com/5c0d2242-8740-49a1-9284-8dbb6365df6e",
ClientID: "99e19587-02aa-4a33-86ff-9d7ebf22feb2"
Scopes: ["https://api.partner.microsoft.com/.default"]

Microsoft Partner Center API
Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2022-08-18T18:30:10.647+00:00

    Hi @Anonymous , from the troubleshooting guide:

    "Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in https://portal.azure.com."

    Please check your App IDs and make sure they are not reused. Also, please review this thread for more information on how to fix this.

    Please let me know if you have any other questions and I can help you further.

    If this answer helped you please mark it as "Verified" so other users can reference it.
    Thank you,
    James


  2. Marco Jansen 1 Reputation point
    2022-10-25T09:12:59.587+00:00

    In my case someone had replaced my registered application in the partner portal, resulting in a very similar error message.

    I use Application only, so not using any scopes.

    Please check if your application is still registered there.


  3. Anthony Kersten 1 Reputation point
    2022-10-28T07:47:43.47+00:00

    You should use the user authentication flow from the Microsoft Secure App Model.
    We did not manage to get it working using the Application way.


    So my advice would be to create an account, get the refresh token and create access tokens using the refresh token.
    This account should be Admin Agent and the refresh token has a validity period of 90 days, so refresh them occasionally.

    You can use this code to get an access token from an existing refresh token:

    ```powershell
    Function Get-NewAccessTokenWithRefreshToken {
        Param
        (
            [Parameter(Position = 0, Mandatory = $false)]
            [string]
            $Scope = "openid offline_access email user.read profile",

            [Parameter(Position = 1, Mandatory = $true)]
            [string]
            $ClientID,

            [Parameter(Position = 2, Mandatory = $true)]
            [string]
            $ClientSecret,

            [Parameter(Position = 3, Mandatory = $true)]
            [string]
            $RedirectUri,

            [Parameter(Position = 4, Mandatory = $true)]
            [string]
            $RefreshToken
        )

        # Form-encoded body for the OAuth 2.0 refresh_token grant against the v2.0 token endpoint.
        $body = @{
            client_id     = $ClientID
            scope         = $Scope
            refresh_token = $RefreshToken
            redirect_uri  = $RedirectUri
            grant_type    = "refresh_token"
            client_secret = $ClientSecret
        }

        $request = Invoke-WebRequest -Method POST -ContentType "application/x-www-form-urlencoded" -Uri "https://login.microsoftonline.com/common/oauth2/v2.0/token" -Body $body
        $parsed = $request.Content | ConvertFrom-Json

        # The response carries a new access token and, because offline_access is in scope, a rotated refresh token.
        Write-Output "---Here is your access token---"
        $parsed.access_token
        Write-Output "---Here is your refresh token---"
        $parsed.refresh_token
    }
    ```

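As an added diagnostic that is not code from this thread: the check James suggests (which App ID is really being used) and the token returned by Anthony's function can both be verified by decoding the access token's payload and comparing its `appid`/`azp` and `aud` claims with the client ID and resource you intended to use. The sample token, client ID and audience below are constructed placeholders.

```powershell
# Added example (not from the thread): decode a JWT payload and check the claims that
# matter when troubleshooting AADSTS65002. Signature is NOT verified; this is a local
# "which client ID did my library actually send?" check, not an authorization decision.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory = $true)][string] $Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected at least two dot-separated segments" }

    # JWT segments are base64url without padding; restore standard base64 before decoding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenClaims {
    param(
        [Parameter(Mandatory = $true)][string] $Token,
        [Parameter(Mandatory = $true)][string] $ExpectedClientId,
        [Parameter(Mandatory = $true)][string] $ExpectedAudience
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # v1.0 tokens carry the requesting client ID in 'appid', v2.0 tokens in 'azp'.
    $callerId = if ($claims.appid) { $claims.appid } else { $claims.azp }

    $problems = @()
    if ($callerId -ne $ExpectedClientId) {
        $problems += "Token was requested by client '$callerId', not the registered app '$ExpectedClientId'; check which client ID the auth library is actually sending."
    }
    if ($claims.aud -ne $ExpectedAudience) {
        $problems += "Token audience is '$($claims.aud)', expected '$ExpectedAudience'."
    }
    return $problems
}

# Constructed sample payload (unsigned, placeholder values): the appid differs from the
# client ID the script believed it was using, which is the pattern behind this error.
$payload = '{"aud":"https://api.partner.microsoft.com","appid":"00000000-0000-0000-0000-00000000ffff","tid":"<tenant-id>"}'
$enc = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleToken = "header.$enc.signature"   # only the payload segment is decoded above
Test-TokenClaims -Token $sampleToken -ExpectedClientId "<your-app-registration-client-id>" -ExpectedAudience "https://api.partner.microsoft.com"
```

Run it against a real token from the refresh-token function above by passing that token instead of `$sampleToken`; an empty result means the claims match what you configured.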
