Symptoms
When attempting to import an existing Office 365 account with the readCSPAccounts.py script, as described in the OA Office 365 Integration Guide, the import fails with the following error:
2016-09-05 11:47:20.865 ERROR API Error:
2016-09-05 11:47:20.865 ERROR {
    "code": 500,
    "message": "The identity of the calling application could not be established.",
    "additionalNonlocalizableMessage": ""
}
When trying to apply KB128179 to resolve the issue, the command below fails:
PS C:\> New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId 123987f9-63fb-4118-ac9d-745ed43e5d9c -TenantId 91f38773-e620-436e-975c-12bd0489dc5a
The following symmetric key was created as one was not supplied 1qPvixHc1JKqr/+DqgXVwg8R8kpBACBpILV3d1lk8Bc=
New-MsolServicePrincipal : Unable to complete this action. Try again later.
At line:1 char:1
+ New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId 35054 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [New-MsolServicePrincipal], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.NewServicePrincipal
The PowerShell error above means that such an object already exists, but an attempt to query this object in Microsoft Online returns an empty result:
PS C:\> Get-MsolServicePrincipal -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | Where-Object -Property AppPrincipalId -eq -value "123987f9-63fb-4118-ac9d-745ed43e5d9c"
PS C:\>
Cause
The application with ID 123987f9-63fb-4118-ac9d-745ed43e5d9c was already registered in Azure AD, but not fully configured.
Resolution
- Log in to Microsoft Online Portal with the credentials of the corresponding Office 365 application instance
- Click the Admin tile
- In the left pane, click Admin centers
- Click Azure AD
- Click Applications in the upper menu
- Filter applications by "Applications my company owns" and by application ID, which is actually the AppPrincipalId (in this example 123987f9-63fb-4118-ac9d-745ed43e5d9c)
- Click the application and go to the Users tab. A warning message "Admin consent is required prior to assigning users and groups. You can consent via the application by clicking here:" will be displayed. Click Reconsent
- Make sure that the principal object is now returned by the command below:
PS C:\> Get-MsolServicePrincipal -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | Where-Object -Property AppPrincipalId -eq -value "123987f9-63fb-4118-ac9d-745ed43e5d9c"

ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled        : True
Addresses             : {}
AppPrincipalId        : 123987f9-63fb-4118-ac9d-745ed43e5d9c
DisplayName           : Partner Center API
ObjectId              : 373cb26c-f47f-443d-9e1f-80937abf2c91
ServicePrincipalNames : {https://csp123.onmicrosoft.com/9d4572f8-aa42-489d-be9a-ab5c9fb0688a, 123987f9-63fb-4118-ac9d-745ed43e5d9c}
TrustedForDelegation  : False
- Make sure that the principal is a member of the Directory Readers role:
PS C:\> Get-MsolRole -RoleName "Directory Readers" -TenantId f593b7a5-7fc3-4fca-89b9-93a090b2e29b | select ObjectId

ObjectId
--------
88d8e3e3-8f55-4a1e-953a-9b9898b8876b

PS C:\> Get-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | select displayname

DisplayName
-----------
Microsoft.YammerEnterprise
Partner Center API
- Retry importing CSP accounts.
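The two verification steps above (principal is returned and enabled, principal holds the Directory Readers role) combined into a single check, as an added example that is not part of this KB article. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the function name Test-PartnerCenterPrincipal is assumed, and the IDs are the ones used in this article.

```powershell
# Added example (not part of the KB article): verify that the Partner Center API
# service principal exists, is enabled and is a member of the Directory Readers role.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
function Test-PartnerCenterPrincipal {
    param(
        [Parameter(Mandatory)] [Guid] $TenantId,
        [Parameter(Mandatory)] [Guid] $AppPrincipalId,
        [string] $RoleName = 'Directory Readers'
    )

    # Step 1: the principal must be returned at all. An empty result is the
    # symptom described above and means admin consent has not been granted yet.
    $sp = Get-MsolServicePrincipal -TenantId $TenantId -AppPrincipalId $AppPrincipalId -ErrorAction SilentlyContinue
    if (-not $sp) {
        Write-Warning "Service principal $AppPrincipalId not found in tenant $TenantId; grant admin consent (Reconsent) in Azure AD first."
        return $false
    }
    if (-not $sp.AccountEnabled) {
        Write-Warning "Service principal '$($sp.DisplayName)' exists but AccountEnabled is False."
        return $false
    }

    # Step 2: the principal must be a member of the Directory Readers role.
    # Membership is matched on ObjectId rather than DisplayName, which is not unique.
    $role   = Get-MsolRole -TenantId $TenantId -RoleName $RoleName
    $member = Get-MsolRoleMember -TenantId $TenantId -RoleObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $sp.ObjectId }
    if (-not $member) {
        Write-Warning "'$($sp.DisplayName)' ($($sp.ObjectId)) is not a member of the '$RoleName' role."
        return $false
    }

    Write-Host "'$($sp.DisplayName)' ($($sp.ObjectId)) is enabled and a member of '$RoleName'."
    return $true
}

# Tenant and application IDs taken from this article
Test-PartnerCenterPrincipal -TenantId '91f38773-e620-436e-975c-12bd0489dc5a' `
                            -AppPrincipalId '123987f9-63fb-4118-ac9d-745ed43e5d9c'
```

Run the check after clicking Reconsent and before retrying the CSP account import; a False result points at which of the two steps is still missing.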