1
votes

I use the following PowerShell code to access MS Graph API.

Import-Module MSOnline

# Credentials and tenant/app identifiers (placeholders)
$User = "UserName"
$Password = "Password"
$TenantName = "tenantname.onmicrosoft.com"
$clientId = "clientId"

# Acquire a token for Microsoft Graph with ADAL using the user's credentials
$authority = "https://login.microsoftonline.com/$TenantName"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $User, $Password
$resourceAppIdURI = "https://graph.microsoft.com"
$authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $AADCredential)

# Build the request headers from the token
$authHeader = @{
    'Content-Type'='application/json'
    'Authorization'=$authResult.CreateAuthorizationHeader()
}

# Call the reports endpoint for the tenant
$uri = "https://graph.microsoft.com/beta/$TenantName/reports/getEmailActivityUserDetail(period='D7')"
Invoke-RestMethod -Uri $uri -Method Get -Headers $authHeader

It works fine when the user and tenant agree. What I would like to do is access our client tenants using an admin with delegated permissions. I've set the app to have pre-consent permissions, which according to https://developer.microsoft.com/en-us/graph/docs/concepts/auth_cloudsolutionprovider should also allow the behaviour I am after. However, when I run the code with a partner admin's credentials and a client tenant name, I receive a 400 Bad Request error. What step am I missing here?

1
Hi, it appears that this API doesn't currently support user or admin-delegated permissions. - Dmitry Pimenov

1 Answers

1
votes

Per the documentation (see the important note at the beginning of the topic), for CSP pre-consent, only Directory and Intune resources in Microsoft Graph support the partner model. Over time, more resources will support the partner/CSP model. Please create a request for this on UserVoice if this is important to you.

Hope this helps,