First off, my question is equivalent to this post on the MS forums, but nobody has resolved it.
I am trying to get access to any API that allows me to view user counts for all our customers, Graph or Partner Center API.
My two basic requirements:
I've read the docs for the Partner Center API and I am following the REST authentication example, but the Partner Center API returns a 403 error no matter how I try to authenticate.
I am using OAuth 2.0 to authenticate with the https://login.microsoftonline.com/{tenantId}/oauth2/token route with grant_type: client_credentials and resource: https://graph.windows.net, as stated in the documentation linked above.
This successfully returns a token; however, when I use that as Bearer for the https://api.partnercenter.microsoft.com/v1/customers route, I get a 403 Forbidden error.
I've also found this other token route that is not referenced in other documentation. When I try sending a POST to https://api.partnercenter.microsoft.com/generatetoken with this access token as bearer and grant_type: jwt_token, I get back {"error": "invalid_grant", "error_description": "Invalid authorization bearer is passed"}.
The error "The client application TenantID is missing service principal in the tenant CustomerTenantID" usually occurs if the multi-tenant application is not present in the customer tenant as a service principal.
To access all tenants with the same application, check the below:
Assuming your tenant is TenantA and the customer tenant is CustomerTenant, I created a multi-tenant application in TenantA by selecting "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" and granted the User.Read.All Microsoft Graph API permission:
Now, to resolve the error, use the endpoint below and log in with the CustomerTenant Global Admin account, so that it creates the service principal in CustomerTenant:
https://login.microsoftonline.com/CustomerTenantTenantID/adminconsent?client_id=ClientIDOFAPPinTenantA
OR
https://login.microsoftonline.com/organizations/adminconsent?client_id=ClientIDOFAPPinTenantA
Once you click Accept and go to CustomerTenant -> Enterprise applications -> search for the application:
The service principal is created in the CustomerTenant and the API permissions are granted:
Now generate the access token for the Microsoft Graph API to access the users of CustomerTenant:
GET https://graph.microsoft.com/v1.0/users
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Client ID: ClientID
Client Secret: ClientSecret
Scope: https://graph.microsoft.com/.default
I logged in with the CustomerTenant account and was able to get the user details for the CustomerTenant successfully:
Now, to test, I logged in with the TenantA account and got the users of TenantA:
CustomerTenant global admin account and you will get the consent screen to accept the permissions instead of creating the service principal by the endpoint.
References:
azure - Search User Information Across different Microsoft Tenants - Stack Overflow by Tiny Wang
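The answer above obtains a delegated token by signing in interactively; the question, though, asks for user counts across all customers, which is what an app-only (client credentials) token per customer tenant gives you once that tenant's admin has consented through the adminconsent endpoint. The script below is an added example, not code from the question, the answer or Microsoft: it builds the consent link, requests a client-credentials token from the customer tenant's own v2.0 token endpoint with the Graph .default scope (this requires that User.Read.All was added as an application permission and admin-consented, not only as a delegated permission), maps the common token-endpoint failures back to the "missing service principal" cause the answer describes, and counts users by following @odata.nextLink. Network calls are injectable so the logic can be exercised offline; the tenant IDs, client ID and sample Graph pages are constructed placeholders.

```python
"""Added example (not from the question or answer above): after the customer's admin has
consented, get an app-only Graph token per customer tenant and count that tenant's users."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"


def admin_consent_url(customer_tenant_id: str, client_id: str,
                      redirect_uri: Optional[str] = None,
                      state: Optional[str] = None) -> str:
    """Link the customer's Global Administrator opens once; consenting creates the service
    principal for the app in that tenant (the answer's first endpoint). redirect_uri and
    state are optional additions: state lets the callback check which tenant consented."""
    params = {"client_id": client_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return f"{LOGIN}/{customer_tenant_id}/adminconsent?{urllib.parse.urlencode(params)}"


def client_credentials_request(customer_tenant_id: str, client_id: str,
                               client_secret: str) -> Tuple[str, bytes]:
    """App-only token request. The token endpoint must be the *customer* tenant's
    (client credentials cannot use /organizations), and the scope is Graph's .default
    so the application permissions already consented in that tenant are applied."""
    url = f"{LOGIN}/{customer_tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urllib.parse.urlencode(form).encode()


def classify_token_error(body: dict) -> str:
    """Turn a token-endpoint error body into the action to take. 'missing service principal'
    is the text quoted in the answer; the AADSTS codes are Entra ID's standard codes."""
    desc = body.get("error_description", "")
    if "AADSTS700016" in desc or "missing service principal" in desc:
        return "missing_service_principal: have the customer admin open the adminconsent URL"
    if "AADSTS65001" in desc:
        return "not_consented: application permissions were not admin-consented in this tenant"
    if "AADSTS7000215" in desc:
        return "invalid_client_secret"
    return f"other: {body.get('error', 'unknown')}"


def http_post_form(url: str, body: bytes) -> dict:
    """POST a form and return the JSON body, also on 4xx: the token endpoint returns
    its error_description as JSON with a 400/401 status."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def http_get_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_app_token(customer_tenant_id: str, client_id: str, client_secret: str,
                  post_form: Callable[[str, bytes], dict] = http_post_form) -> str:
    url, body = client_credentials_request(customer_tenant_id, client_id, client_secret)
    resp = post_form(url, body)
    if "access_token" not in resp:
        raise RuntimeError(classify_token_error(resp))
    return resp["access_token"]


def count_users(token: str, fetch_json: Callable[[str, str], dict] = http_get_json) -> int:
    """Count users by following @odata.nextLink; $select=id keeps pages small and
    $top=999 is the largest page size Graph allows on /users."""
    url = f"{GRAPH}/users?$select=id&$top=999"
    total = 0
    while url:
        page = fetch_json(url, token)
        total += len(page.get("value", []))
        url = page.get("@odata.nextLink")
    return total


def user_counts(customer_tenant_ids, client_id, client_secret,
                post_form=http_post_form, fetch_json=http_get_json) -> Dict[str, object]:
    """One entry per customer: the user count, or the classified reason it failed,
    so a single unconsented tenant does not abort the whole run."""
    results: Dict[str, object] = {}
    for tid in customer_tenant_ids:
        try:
            results[tid] = count_users(get_app_token(tid, client_id, client_secret, post_form),
                                       fetch_json)
        except RuntimeError as err:
            results[tid] = str(err)
    return results


if __name__ == "__main__":
    # Placeholder IDs (constructed): print the consent link you would send to a customer.
    print(admin_consent_url("CustomerTenantTenantID", "ClientIDOFAPPinTenantA",
                            state="CustomerTenantTenantID"))
```

Run user_counts with your real tenant IDs and the app's client secret once each customer has consented; a tenant that still reports missing_service_principal is one whose admin has not yet opened the consent link, which is exactly the 403 / "missing service principal" situation the thread is about.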