dexmach-csp / azure-csp-securescore

Scanning solution for Microsoft CSP partners to gain insights on the security posture of their linked customers
https://www.dexmach.com/
GNU Affero General Public License v3.0
21 stars 11 forks

The automated call to consent the mission 65 application to the customer tenant with id XXXX and domain XXXXX failed with error code: 400 message odata.error Insufficient privileges to complete the operation #5

Closed Simon-Syd closed 1 year ago

Simon-Syd commented 1 year ago

Hello, we have set up the tool; it was smooth, thanks for the documentation! But now when I want to retrieve data using number 2:

```
>> Partner center connection <<
[Token] Requesting the user to log in with their CSP user account.. Authenticate through the pop-up window to proceed with the process.
[Partner center] Connecting to partner center.
[Partner center] Retrieving partner customers..
[Partner center] A total of [197] customers have been found on partner center.

>> Getting all Azure Customers <<
[Azure Customers] Getting all the Azure Customers from the Partner Customers..
[Azure Customers] A total of [1] Azure customers have been found on partner center.

>> SPN consent on partner customers <<
[SPN consent] Granting admin consent for multi-tenant SPN for all [1] Azure customers..

>> Partner center customer details <<
[Customer details] Retrieving partner center customer details..

>> Azure data retrieval <<
[Azure data] Retrieving Azure data.

>> Data output <<
[Output] Writing the required files to disk in the directory this script is executed..
File [AzureSubscriptions.json] was empty
File [SecureScores.json] was empty
File [SecureScoreControls.json] was empty

>> The CSP data retrieval process has finished <<
Find your files in the 'data' folder under the directory from which you executed this script.
For feedback or questions go to [https://github.com/dexmach-csp/azure-csp-securescore/issues].
```

I have confirmation that the GDAP is active on the customer tenant:

[image]

So I don't know what privileges are missing here to complete the operation?

I can see in the other file "issue.json" this error: AADSTS65001: The user or administrator has not consented to use the application with ID '45532e07-606c-448d-b47b-95a07358ab26' named 'DexMach CSP Secure Score dashboard'. Send an interactive authorization request for this user and resource

Does this message mean we need to deploy this application on each Azure tenant for each customer?

BramPeelman commented 1 year ago

Can you verify that the SPN is consented in Azure AD?

Is the SPN created with a user account with, for example, the RBAC permissions 'Application Administrator'?
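A concrete way to answer the question above for one customer tenant, as an added example that is not part of this thread or of the azure-csp-securescore project: it uses the Microsoft Graph PowerShell SDK to check whether the multi-tenant application has a service principal in that tenant at all, and if so, which delegated grants and application role assignments have been admin-consented. The application ID is the one quoted in the AADSTS65001 error earlier in this issue; the tenant ID is assumed to be supplied by the caller, and the signed-in account is assumed to be allowed to read service principals in that tenant.

```powershell
# Added example (not the project's own code). Checks, in one customer tenant, whether the
# multi-tenant app has a service principal and whether tenant-wide admin consent exists.
# Requires the Microsoft.Graph PowerShell module and an account that can read service
# principals in the target tenant.
param(
    [Parameter(Mandatory)] [string] $TenantId,                  # assumption: customer tenant id passed by the caller
    [string] $AppId = '45532e07-606c-448d-b47b-95a07358ab26'    # app id from the AADSTS65001 error in this issue
)

Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# A missing service principal means the app was never consented in this tenant:
# the AADSTS65001 error is expected until the admin-consent flow has been completed here.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    Write-Warning "No service principal for app $AppId in tenant $TenantId; the app has never been consented here."
    Write-Warning "Admin-consent URL: https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$AppId"
    return
}
Write-Host "Service principal found: $($sp.DisplayName) (objectId $($sp.Id))"

# Delegated permissions: consentType 'AllPrincipals' is tenant-wide admin consent,
# 'Principal' is a single user's own consent and is not enough for an unattended run.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    '{0,-14} {1,-30} {2}' -f $g.ConsentType, $resource.DisplayName, $g.Scope
}

# Application permissions (app roles) assigned to the service principal.
$roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
foreach ($r in $roles) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $r.ResourceId
    $roleName = ($resource.AppRoles | Where-Object Id -eq $r.AppRoleId).Value
    '{0,-14} {1,-30} {2}' -f 'AppRole', $resource.DisplayName, $roleName
}

if (-not $grants -and -not $roles) {
    Write-Warning "Service principal exists but holds no admin-consented permissions in $TenantId."
}
```

Run it once per customer tenant. An empty result for both lists, or a service principal that does not exist at all, explains an 'Insufficient privileges' 400 from Graph and an AADSTS65001 at sign-in; a list showing only 'Principal' consent means a user consented for themselves but no tenant-wide admin consent was granted.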

Simon-Syd commented 1 year ago

Thanks for your answer. You mean we need to set the permission to "Application administrator" when we are doing the GDAP? Because on my tenant, the application "DexMach CSP Secure Score dashboard" does have admin consent.

BramPeelman commented 1 year ago

I mean, when you initially created the SPN via 'nr 1', was it with an account on the Azure tenant with, for example, Application Administrator or Global Admin rights?

Also did you create a secret on the application registration?

Simon-Syd commented 1 year ago

I'm kind of lost! I've created the application + secret on my own tenant, with admin consent as described here: https://github.com/dexmach-csp/azure-csp-securescore/blob/main/docs/app_registration.md So yes, I created the SPN with the 1st choice, with an admin account of my tenant.

BramPeelman commented 1 year ago

Hi Simon,

Maybe it is better to have a short call for this topic?

Simon-Syd commented 1 year ago

Hello! Yes, it would be nice! My email is my name at syd dot fr.

BramPeelman commented 1 year ago

Hi Simon,

Small recap from the meeting yesterday. So the issue is that the relationship between your account and Partner Center isn't correct. You don't see any Azure subscription in Partner Center, so this is the reason that you cannot extract data. As soon as the relationship is set up properly you will be able to extract data.