
Article ID: 129384, created on Sep 8, 2016, last review on Sep 8, 2016

  • Applies to:
  • Operations Automation 6.0


An attempt to import an existing Office 365 account using the script described in the OA Office 365 Integration Guide fails with the error:

2016-09-05 11:47:20.865 ERROR API Error:
2016-09-05 11:47:20.865 ERROR {
  "code": 500,
  "message": "The identity of the calling application could not be established.",
  "additionalNonlocalizableMessage": ""

When trying to apply KB128179 to resolve the issue, the command below fails:

PS C:\> New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId 123987f9-63fb-4118-ac9d-745ed43e5d9c -TenantId  91f38773-e620-436e-975c-12bd0489dc5a
The following symmetric key was created as one was not supplied 1qPvixHc1JKqr/+DqgXVwg8R8kpBACBpILV3d1lk8Bc=
New-MsolServicePrincipal : Unable to complete this action. Try again later.
At line:1 char:1
+ New-MsolServicePrincipal -DisplayName "Partner Center API" -AppPrincipalId 35054 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [New-MsolServicePrincipal], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.NewServicePrincipal

The PowerShell error above basically means that such an object already exists, but querying this object in Microsoft Online Portal returns an empty result:

PS C:\> Get-MsolServicePrincipal -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | Where-Object -Property AppPrincipalId -eq -value "123987f9-63fb-4118-ac9d-745ed43e5d9c"
PS C:\>


The application with ID 123987f9-63fb-4118-ac9d-745ed43e5d9c was already registered in Azure AD, but not fully configured.


  1. Log in to Microsoft Online Portal with the corresponding Office 365 app instance credentials
  2. Click Admin tile
  3. On the left pane click Admin centers
  4. Click Azure AD
  5. Click Applications on the upper menu:

  6. Filter applications by Applications my company owns and application ID which is actually AppPrincipalId (in this example 123987f9-63fb-4118-ac9d-745ed43e5d9c):

  7. Click the application and go to the Users tab. A warning message "Admin consent is required prior to assigning users and groups. You can consent via the application by clicking here:" will be displayed. Click Reconsent:

  8. Make sure that the principal object is now returned by the command below:

    PS C:\> Get-MsolServicePrincipal -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | Where-Object -Property AppPrincipalId -eq -value "123987f9-63fb-4118-ac9d-745ed43e5d9c"
    ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
    AccountEnabled        : True
    Addresses             : {}
    AppPrincipalId        : 123987f9-63fb-4118-ac9d-745ed43e5d9c
    DisplayName           : Partner Center API
    ObjectId              : 373cb26c-f47f-443d-9e1f-80937abf2c91
    ServicePrincipalNames : {, 123987f9-63fb-4118-ac9d-745ed43e5d9c}
    TrustedForDelegation  : False
  9. Make sure that the principal is a member of the Directory Readers role:

    PS C:\> Get-MsolRole -RoleName "Directory Readers" -TenantId f593b7a5-7fc3-4fca-89b9-93a090b2e29b | select ObjectId
    PS C:\> Get-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -TenantId 91f38773-e620-436e-975c-12bd0489dc5a | select displayname
    Partner Center API
  10. Retry importing CSP accounts.
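
The checks from steps 8 and 9 can be combined into one verification run before retrying the import. The script below is an added example, not part of the original article or of the OA Office 365 Integration Guide; it assumes the MSOnline module is loaded and `Connect-MsolService` has already been run, and the function name `Test-PartnerCenterPrincipal` is hypothetical. It matches the role member by `ObjectId` rather than by display name, since display names are not unique.

```powershell
# Added example. IDs are the ones used in this article; replace with your own.
$TenantId       = '91f38773-e620-436e-975c-12bd0489dc5a'
$AppPrincipalId = '123987f9-63fb-4118-ac9d-745ed43e5d9c'

function Test-PartnerCenterPrincipal {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [guid]   $TenantId,
        [Parameter(Mandatory)] [guid]   $AppPrincipalId,
        [string] $RoleName = 'Directory Readers'
    )

    # Step 8: the service principal must be visible in the tenant.
    $sp = Get-MsolServicePrincipal -TenantId $TenantId -All |
          Where-Object { $_.AppPrincipalId -eq $AppPrincipalId }
    if (-not $sp) {
        Write-Warning "No service principal for $AppPrincipalId. Repeat the Reconsent step (step 7)."
        return $false
    }
    if (-not $sp.AccountEnabled) {
        Write-Warning "Service principal '$($sp.DisplayName)' exists but AccountEnabled is False."
        return $false
    }

    # Step 9: resolve the role by name, then look for the principal among
    # its members by ObjectId (display names can collide).
    $role = Get-MsolRole -RoleName $RoleName -TenantId $TenantId
    if (-not $role) {
        Write-Warning "Role '$RoleName' was not found in tenant $TenantId."
        return $false
    }
    $member = Get-MsolRoleMember -RoleObjectId $role.ObjectId -TenantId $TenantId -All |
              Where-Object { $_.ObjectId -eq $sp.ObjectId }
    if (-not $member) {
        Write-Warning "'$($sp.DisplayName)' is not a member of '$RoleName'."
        return $false
    }

    Write-Output "'$($sp.DisplayName)' ($($sp.ObjectId)) is enabled and is a member of '$RoleName'."
    return $true
}

Test-PartnerCenterPrincipal -TenantId $TenantId -AppPrincipalId $AppPrincipalId
```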
