Symptoms

Symptoms (Import of CSP Tenant Subscriptions)

The readCSPAccounts.py script, which collects data of CSP tenant subscriptions, fails with the following error:

2016-01-22 02:07:59.656 ERROR API Error:
2016-01-22 02:07:59.656 ERROR {
  "code": 500,
  "message": "The identity of the calling application could not be established.",
  "additionalNonlocalizableMessage": ""
}

Additionally, the following message is found in sitelog of the Office 365 application end-point:

2016-01-22 02:50:01,687 [ 196] ERROR aps_endpoint: System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Authorization_IdentityNotFound","message":{"lang":"en","value":"The identity of the calling application could not be established."}}}
StackTrace:    at System.Data.Services.Client.BaseAsyncResult.EndExecute[T](Object source, String method, IAsyncResult asyncResult)
   at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)

Symptoms (Synchronization of Changes from Microsoft Cloud)

A customer adds a domain through the Office 365 Portal. The customer runs synchronization. The synchronization of the domain from the Microsoft Cloud to Odin Automation fails and the following error appears in Customer Control Panel:

Error: Server error (HTTP Unauthorized: Unauthorized; The identity of the calling application could not be established.)

Cause

Tenant permissions are not set properly.

Resolution

  1. Prepare the following information:

    • AppPrincipalId - Client ID (AppID) from the settings of the corresponding Office 365 application instance.
    • TenantId - Reseller Tenant ID from the settings of the corresponding Office 365 application instance (for 'Import of CSP Tenant Subscriptions') or the identifier of the customer tenant (for 'Synchronization of Changes from Microsoft Cloud'). The identifier of the customer tenant can be obtained by using the Powershell cmdlet Get-MsolPartnerContract -DomainName DEFAULT_CUSTOMER_TENANT_DOMAIN. For example: Get-MsolPartnerContract -DomainName customer.onmicrosoft.com.
  2. Execute the following Powershell cmdlets:

    PS C:\> New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId <AppPrincipalId> -TenantId <TenantId>
    
    DisplayName           : Partner Center API
    <..>
    ObjectId              : 2429587c-b102-4d7d-a9a2-9752386db334
    <...>
    
    PS C:\> Add-MsolRoleMember -RoleName "Directory Readers" -TenantId <TenantId> -RoleMemberType ServicePrincipal -RolememberobjectID <ObjectId returned by previous cmdlet>