azure - How to retrieve customer list from Microsoft partner center with Partner REST API using PowerShell - Stack Overflow

I need to return the list of customers from Microsoft Partner Center using Graph and PowerShell. When I run my code, I get the 403 Forbidden error message below:

Steps I have taken to provision the app registration in Microsoft Entra:

  1. Created an app registration (Accounts in this organizational directory only (myname Ltd only - Single tenant)).
  2. Under API permissions, when I click add permission there is a tab to choose APIs my organization uses. I selected it and searched for microsoft partner, then added the three results as delegated permissions and properly granted admin consent.

For the redirect URI, I chose mobile and desktop application, then typed http://localhost

The account I am using is global admin in Microsoft 365, and in Partner Center it has the permissions below

The code seems to return the error code when I make the request for the customers list endpoint. I don't want to use the SDK; is there another way to correct the error? Below is my code:

$appId = ""
$appSecret = ""
$tenantId = ""

# Partner Center API Configuration
$scope = "https://api.partnercenter.microsoft.com/.default"

$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token"

$body = @{
    grant_type    = "client_credentials"
    scope         = $scope
    client_id     = $appId
    client_secret = $appSecret
    resource      = "https://api.partnercenter.microsoft.com"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $body -ContentType "application/x-www-form-urlencoded"
$AccessToken = $response.access_token

$url = "https://api.partnercenter.microsoft.com/v1/customers"
$headers = @{
    "Authorization" = "Bearer $AccessToken"
    "Accept"        = "application/json"
}

$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response.items

Upon using the Partner Center SDK to generate the access token with the code below, I get this error, even following this article (msdoc):

$appId = "xxx"
$secretvalue = "xxx"
$tenantId = "xxx" 
$appSecret = ConvertTo-SecureString -String $secretvalue -AsPlainText -Force
$credential = [PSCredential]::new($appId, $appSecret)

$tokenSplat = @{
    ApplicationId        = $appId
    Credential           = $credential
    Scopes               = "https://api.partnercenter.microsoft.com/user_impersonation"
    ServicePrincipal     = $true
    TenantId             = $tenantId
    UseAuthorizationCode = $true
}

$token = New-PartnerAccessToken @tokenSplat

$tokenval = $token.RefreshToken
$tokenval

Error I get:

Asked Mar 13 at 20:48 by Bernietechy, edited Mar 14 at 14:23 by user2250152
  • To resolve the issue, try to generate the access token using the v1.0 endpoint and make sure to associate a Microsoft Entra application with your Partner Center account. Refer to this MsDoc for more details: learn.microsoft.com/en-us/partner-center/marketplace-offers/… – Rukmini Commented Mar 14 at 10:06
  • I have my tenant and the app registration associated in Partner Center. The app already has the manager role assigned. After changing the API version from 1 to 3 I get 404 Not Found. Please check above the error I get even after using the SDK to generate the access token. Please check above the error I am getting after using the SDK to get the access token. – Bernietechy Commented Mar 14 at 11:16
  • How is this related to the Graph API? – user2250152 Commented Mar 14 at 13:58
  • Please, I am not sure what you mean? @user2250152 – Bernietechy Commented Mar 14 at 14:13
1 Answer

Initially, I specified the redirect URI as mobile and desktop application, then inserted ‘http://localhost’ in authentication and changed the authorized public client flow to Yes, and I received the same error.


Response:

After that, I removed the Mobile and Desktop Application option, selected Web, entered http://localhost as the Redirect URI, and changed “Allow Public Client Flows” to “No”.

I successfully ran the PowerShell script without any errors and received an access token.
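
An added diagnostic example (not from the question, the answer, or the Partner Center SDK): the question grants delegated permissions but requests its token with the client_credentials grant, and a token issued that way carries no `scp` claim. The sketch below decodes a token's claims locally so the audience and permission claims can be checked before calling the API. The function names and the sample token are constructed for illustration; the expected audience is the Partner Center resource URI used in the question.

```powershell
# Added example: decode a token's claims locally. Diagnostics only: the
# signature is NOT validated here, so never use this to make trust decisions.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {   # only used to build the sample token
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenSummary {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT (header.payload.signature).' }
    $c   = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $aud = [string]$c.aud
    [pscustomobject]@{
        Audience        = $aud
        AudienceMatches = ($aud.TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/'))
        TenantId        = $c.tid
        DelegatedScopes = $c.scp     # set only in tokens issued on behalf of a user
        AppRoles        = $c.roles   # set only when application permissions were granted
        IsAppOnly       = [string]::IsNullOrEmpty($c.scp)   # heuristic: no scp claim
        ExpiresUtc      = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp).UtcDateTime
    }
}

# Constructed sample: the claims a client_credentials token carries when only
# delegated permissions were granted (no scp, no roles). Placeholder values only.
$claims = @{
    aud   = 'https://api.partnercenter.microsoft.com'
    tid   = '00000000-0000-0000-0000-000000000000'
    appid = '11111111-1111-1111-1111-111111111111'
    exp   = 1767225600
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'),
                           (ConvertTo-Base64Url $claims), 'sig'

Get-TokenSummary -Token $sample -ExpectedAudience 'https://api.partnercenter.microsoft.com'
```

Decode tokens locally like this rather than pasting them into an online decoder, since a bearer token remains a usable credential until it expires.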
