azure - How to fix error 403 Forbidden when accessing partner center API to retrieve customers and users - Stack Overflow


I am currently battling error 403 Forbidden in my Partner Center API requests and am unable to know what I might be missing or doing wrong.

I have followed the Microsoft documentation but still have the same issue.

My End Goal

To be able to retrieve customers and view users in customer tenants that I manage, and export the results into a CSV file (the same information visible in Partner Center under the Customers workspace) using Partner Center APIs. I'm using PowerShell to achieve this. Below are the endpoint URLs that are documented to call.

GET https://api.partnercenter.microsoft.com/v{version}/customers to list customers from Partner Center

GET https://api.partnercenter.microsoft.com/v1/customers/<customer-tenant-id> to list users in a customer tenant from Partner Center

What I have done in my environment:

  1. My Partner Center type is CSP, indirect provider - cloud reseller.

  2. My account in Partner Center has the Global admin, Admin agent and Sales agent roles (in fact all available roles are assigned).

  3. I created an app registration of type "Accounts in this organizational directory only (myname - Single tenant)" with the Redirect URI set to Web.

  4. The app registration is assigned three delegated permissions.

  5. I associated the app registration I created above inside Partner Center and assigned it the Owner plus Manager role (ms doc).

  6. I am able to successfully authenticate to my Partner Center API thanks to support here; that is, I can successfully get a refresh token, connect to Partner Center using the refresh token, and even use the refresh token to generate a new access token (valid 90 days), which I can use as a Bearer token for REST API calls.

  7. I can view my customers from the Customers workspace in Partner Center using the GUI.

Issue

When I run an API request to either of these endpoints, GET https://api.partnercenter.microsoft.com/v1/customers or GET https://api.partnercenter.microsoft.com/v1/customers/<customer-tenant-id>, either using the REST API flow or the PowerShell SDK, I get 403 Forbidden.

# Access token obtained with the refresh token (placeholder, replace with the real token)
$mynewtoken = "new token requested using refresh token"
$url = "https://api.partnercenter.microsoft.com/v1/customers"
$headers = @{
    "Authorization" = "Bearer $mynewtoken"
    "Accept"        = "application/json"
}

# Call the REST endpoint directly; this is where the 403 Forbidden comes back
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response

or

# Same call through the Partner Center PowerShell module (after Connect-PartnerCenter); also returns 403
$customers = Get-PartnerCustomer
$customers | ForEach-Object {
    Write-Output "Customer ID: $($_.CustomerId), Company Name: $($_.CompanyProfile.CompanyName)"
}

asked Mar 20 at 14:35 by Bernietechy
  • Check this stackoverflow/questions/78902051/… – Rukmini Commented Mar 21 at 7:20
  • Can you create a security group and add the application as a member? In Partner Center, you will need to ensure that this security group is assigned to each GDAP relationship and has at least one permission like Global Admin, Privileged Role Admin or Cloud Application Admin. Check this tminus365/my-automations-break-with-gdap-the-fix – Rukmini Commented Mar 21 at 7:36
  • 1 Thank you @Rukmini for the response. I just don't know how this worked, but I was running my scripts with PowerShell elevated to admin; I reopened PowerShell as a normal user and it was able to run without the Forbidden error. ExecutionPolicy was also set to Unrestricted. – Bernietechy Commented Mar 21 at 16:10
  • Glad to know that it worked :) Can I post an answer so that it will help the community? – Rukmini Commented Mar 21 at 16:57

1 Answer

Posting the answer to help the community. To resolve the error, execute the PowerShell script as a normal user and set the execution policy to Unrestricted:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

I am able to execute the script successfully:

# App registration details (placeholders)
$appId = "AppID"
$appSecret = ConvertTo-SecureString -String "Secret" -AsPlainText -Force
$tenantId = "TenantID"
$credential = [PSCredential]::new($appId, $appSecret)

# Request a Partner Center token via the authorization-code flow (interactive sign-in)
$tokenSplat = @{
    ApplicationId        = $appId
    Credential           = $credential
    Scopes               = "https://api.partnercenter.microsoft.com/user_impersonation"
    ServicePrincipal     = $true
    TenantId             = $tenantId
    UseAuthorizationCode = $true
}

$token = New-PartnerAccessToken @tokenSplat

# The refresh token can be reused later to connect without signing in again
$token.RefreshToken

$connectSplat = @{
    ApplicationId = $appId
    Credential    = $credential
    RefreshToken  = $token.RefreshToken
}

Connect-PartnerCenter @connectSplat

# Simple call to confirm the session is authorized
Get-PartnerRole
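As an added example (not the answer's or the question's own code), this script does what the question set out to do: it lists customers and the users in each customer tenant through the Partner Center REST API and exports them to CSV, and when a request fails it surfaces the HTTP status and the error body, so a 403 can be read rather than guessed at. It assumes `$accessToken` holds a valid access token (for instance the one returned by `New-PartnerAccessToken` above) and uses the documented `customers/{id}/users` path for listing users; the output file name is a placeholder.

```powershell
# Added example: enumerate customers and their users via the Partner Center REST API,
# report the full error body on failure (e.g. 403), and export the result to CSV.
# Assumes $accessToken already holds a valid Partner Center access token.
$baseUrl = "https://api.partnercenter.microsoft.com/v1"
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Accept"        = "application/json"
    "MS-RequestId"  = [guid]::NewGuid().ToString()   # per-request id, handy when raising a support case
}

function Invoke-PartnerGet {
    param([Parameter(Mandatory)][string]$Path)
    try {
        return Invoke-RestMethod -Method Get -Uri "$baseUrl/$Path" -Headers $headers
    }
    catch {
        # Works in both Windows PowerShell 5.1 and PowerShell 7:
        # the status code sits on the response, the JSON error body in ErrorDetails
        $status = $_.Exception.Response.StatusCode
        $body   = $_.ErrorDetails.Message
        Write-Warning "GET $Path failed with $status : $body"
        return $null
    }
}

# 1. List customers (this is the call that returned 403 in the question)
$customers = Invoke-PartnerGet -Path "customers"
if ($null -eq $customers) { return }

# 2. For each customer, list the users in that tenant and flatten into rows
$rows = foreach ($c in $customers.items) {
    $users = Invoke-PartnerGet -Path "customers/$($c.id)/users"
    foreach ($u in $users.items) {
        [pscustomobject]@{
            CustomerId        = $c.id
            CompanyName       = $c.companyProfile.companyName
            UserId            = $u.id
            DisplayName       = $u.displayName
            UserPrincipalName = $u.userPrincipalName
        }
    }
}

# 3. Export the same information shown in the Customers workspace (placeholder file name)
$rows | Export-Csv -Path ".\partner-customer-users.csv" -NoTypeInformation
```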
