Article ID: 128179, created on Jan 27, 2016, last review on Jun 21, 2016

  • Applies to:
  • Operations Automation 6.0

Symptoms

Symptoms (Import of CSP Tenant Subscriptions)

The readCSPAccounts.py script, which collects data of CSP tenant subscriptions, fails with the following error:

2016-01-22 02:07:59.656 ERROR API Error:
2016-01-22 02:07:59.656 ERROR {
  "code": 500,
  "message": "The identity of the calling application could not be established.",
  "additionalNonlocalizableMessage": ""
}

Additionally, the following message is found in sitelog of the Office 365 application end-point:

2016-01-22 02:50:01,687 [ 196] ERROR aps_endpoint: System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Authorization_IdentityNotFound","message":{"lang":"en","value":"The identity of the calling application could not be established."}}}
StackTrace:    at System.Data.Services.Client.BaseAsyncResult.EndExecute[T](Object source, String method, IAsyncResult asyncResult)
   at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)

Symptoms (Synchronization of Changes from Microsoft Cloud)

A customer added a domain through the Office 365 Portal. The customer runs synchronization. Synchronization of the domain from the Microsoft Cloud into Odin Automation fails and the following error appears in Customer Control Panel:

Error: Server error (HTTP Unauthorized: Unauthorized; The identity of the calling application could not be established.)

Cause

Tenant permissions are not set properly.

Resolution

  1. Prepare the following information:

    • AppPrincipalId - Client ID (AppID) from the settings of the corresponding Office 365 application instance.
    • TenantId - Reseller Tenant ID from the settings of the corresponding Office 365 application instance (for 'Import of CSP Tenant Subscriptions') or the identifier of the customer tenant (for 'Synchronization of Changes from Microsoft Cloud'). The identifier of the customer tenant can be obtained by using the Powershell cmdlet Get-MsolPartnerContract -DomainName DEFAULT_CUSTOMER_TENANT_DOMAIN. For example: Get-MsolPartnerContract -DomainName customer.onmicrosoft.com
  2. Execute the following Powershell cmdlets:

    PS C:\> New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId <AppPrincipalId> -TenantId <TenantId>
    
    DisplayName           : Partner Center API
    <..>
    ObjectId              : 2429587c-b102-4d7d-a9a2-9752386db334
    <...>
    
    PS C:\> Add-MsolRoleMember -RoleName "Directory Readers" -TenantId <TenantId> -RoleMemberType ServicePrincipal -RolememberobjectID <ObjectId returned by previous cmdlet>
    

Search Words

Internal server error

import tenants results in error

Tenant cannot be imported due to limited role

"The identity of the calling application could not be establised"

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 956c448bddc7e1f3585373687602379f 6f1456866eed87488c0f02b298a741c0

Email subscription for changes to this article
Save as PDF