
Solution Checker Doesn't work for GCCH - AADSTS65002 Microsoft First Party Application must be Preauthorized.

Open ryanperrymba opened this issue 1 year ago • 2 comments

**Describe the bug**
Pac Solution Checker returns Consent AADSTS65002 error in GCCH.

Error: AADSTS65002: Consent between first party application '9cee029c-6210-4654-90bb-17e6e9d36617' and first party resource 'c9299480-c13a-49db-a7ae-cdfe54fe0313' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 48ff82b8-c5f6-4e6c-ba2a-14638d3a5e00 Correlation ID: 01d01e9b-ea3b-475f-9f53-b14606529b6d Timestamp: 2024-09-09 19:12:32Z

**To Reproduce**

```shell
# Authenticate using GCCH
pac auth create --name PMagDef --cloud UsGovHigh

# Run Sln Checker - also GCCH - Noting --cloud vs --geo differences.
pac solution check --path SomePackage.zip --geo USGovernmentL4
## OR ##
pac solution check --path SomePackage.zip --customEndpoint "high.api.advisor.powerapps.us"
```

**Expected behavior**
Solution Checker should run. 

**Desktop (please complete the following information):**

  • Have also run pac install latest to verify up to date. On 1.34.4+gbc332

**Additional context**

  • Have tried this in two separate GCCH tenants, and cannot find any documentation clarifying how to preauthorize the app ID.
  • Possibly due to MSFT's own internal app IDs being changed or not authorized for GCCH? https://learn.microsoft.com/en-us/answers/questions/962674/401-aadsts65002-when-trying-to-authenticate-with-a
  • Note the --geo options do not match between Pac Auth Create and Pac Solution Check. CREATE includes --cloud UsGovernmentHigh, whereas Pac Solution Check uses --geo 'UsGovernmentHigh'
  • I've also tried this using --customendpoint
  • Have not tested to see if this works with a dedicated service principal.

Who is the 'API Owner'?

  • Power Platform Solution Checker Service IE MSFT?
  • PAC Team - IE MSFT?
  • Target Environment - IE Client, but given this is the solution checker, not a specific Tenant / Env, this seems unlikely. Solution Import/Export work fine. But if so, how do we authorize it?

See also: https://github.com/microsoft/powerplatform-build-tools/issues/542 May not be exact same issue, but addressing will likely resolve Craig Lunds's issue too.

ryanperrymba, Sep 09 '24 21:09

Update: Creating my own app registration and giving it the PowerApps-Advisor permission works.

See: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/common-issues-resolutions-solution-checker#solution-checker-fails-due-to-disabled-first-party-application-in-microsoft-entra-id

ryanperrymba, Sep 09 '24 23:09

Blog Write-Up for anyone else who runs into this: Pac Solution Check Error AADSTS65002

ryanperrymba, Sep 18 '24 23:09