Showing posts with the label datacentrum.

2024-03-28

Global admin doesn't see subscription with GDAP

I am an indirect reseller (Tier 2) and I recently ordered an Azure subscription from our indirect provider for an existing customer's tenant with approved GDAP roles. But when I entered service management via Partner Center and opened the Azure portal, I didn't see any subscription available.


The subscription was deployed, and I saw it when I used a Global Admin account in the customer's tenant (the .onmicrosoft.com domain). At the same time, I was unable to see the same subscription with the GDAP technician account. This was a decent blocker.


I expected I could solve it myself, because what more than two Global Admin accounts could be needed? It ended up with the indirect provider being the side that fixed it by making the subscription accessible. The keyword for the whole operation is "include the indirect reseller".

Partner with indirect resellers in the Cloud Solution Provider program - Partner Center | Microsoft Learn

Well, I thought at first that would be enough. But no, still no change. The next keyword to follow is "AOBO", which stands for "Admin On Behalf Of" and is briefly explained in this article:

Workloads supported by granular delegated admin privileges (GDAP) - Partner Center | Microsoft Learn

But what I found explained it even better was this CSP dev video (from 17:45 onwards).

The subscription Owner role needs to be assigned via PowerShell (only) to the group ID of the Tier 2 partner's AdminAgents group (the group that holds the GDAP role in Partner Center), by a user with Global Admin or similarly elevated permissions in the customer's tenant.

The commands are the following:

  1. Install-Module -Name AzureRM
  2. Connect-AzureRmAccount
  3. Get-AzureRmSubscription
  4. New-AzureRmRoleAssignment

So it's good old PowerShell-only magic in Azure. After configuring that, the subscription is visible to all partner tenant users as usual, so I could get back to the actual assignment.
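The same procedure written out end to end, as an added example that is not the post's own command list. It uses the Az module, because the AzureRM module the AzureRm cmdlets come from has been retired and Az is its replacement (Connect-AzAccount, Get-AzSubscription, New-AzRoleAssignment). The tenant ID, subscription ID and AdminAgents group object ID are placeholders you take from the customer tenant and from Partner Center; the ForeignGroup object type is how I address a group that lives in the partner tenant rather than in the customer directory.

```powershell
# Added example, not the blog's own commands: delegate a CSP subscription to the
# partner's AdminAgents GDAP group by assigning Owner at subscription scope.
# Install-Module -Name Az -Scope CurrentUser   # one-time, if Az is not installed yet

$customerTenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder: customer Entra tenant ID
$subscriptionId     = '11111111-1111-1111-1111-111111111111'   # placeholder: the "invisible" subscription
$adminAgentsGroupId = '22222222-2222-2222-2222-222222222222'   # placeholder: Tier 2 AdminAgents group object ID

# Sign in with the customer-tenant Global Admin (or similarly elevated) account
Connect-AzAccount -TenantId $customerTenantId | Out-Null

# Sanity check: the subscription must be visible to THIS account before it can be delegated.
# If it is not, the Entra "access management for Azure resources" elevation is the usual fix.
$sub = Get-AzSubscription -SubscriptionId $subscriptionId -TenantId $customerTenantId -ErrorAction SilentlyContinue
if (-not $sub) { throw "Subscription $subscriptionId is not visible to this account." }
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$scope = "/subscriptions/$subscriptionId"

# Assign Owner only if the assignment is not already there (the cmdlet errors on duplicates).
# ObjectType ForeignGroup marks the principal as a group from another tenant (my understanding
# of the parameter; it stops the cmdlet from trying to resolve the group in the customer directory).
$existing = Get-AzRoleAssignment -ObjectId $adminAgentsGroupId -Scope $scope `
    -RoleDefinitionName Owner -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $adminAgentsGroupId -ObjectType ForeignGroup `
        -RoleDefinitionName Owner -Scope $scope
}

# Verify: what the partner group can now do on the subscription
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.ObjectId -eq $adminAgentsGroupId } |
    Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType
```

The final Get-AzRoleAssignment is the check I would keep: it shows exactly which partner group holds which role on the subscription, which is the record you want when an auditor asks who can administer the customer's Azure resources.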

Note: if you don't see the subscription even with the customer tenant account, you might want to use this elevation trick in Entra:


2024-03-07

Remote Desktop client login loop

I was experiencing an issue with the Remote Desktop app (the one with the orange icon) for accessing an AVD workspace. It worked in the browser version and on my iPad, but I was unable to log in from my private Windows PC.


I got into the workspace resources with my username and password in email format, but the RDP session was not initiating and kept looping in the login prompt:

the username and password used to connect to the remote resource didn't work

What I found to be the source of the problem: I had installed the RDS client from the Microsoft Store ("Windows Store Remote Desktop app"), but the version from there does not work with AVD and Windows Server 2019. I had to get the MSI installer and proceed with that. After that, everything worked smoothly.
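A quick way to tell which of the two clients a PC actually has, as an added example that is not part of the post: the Store app registers as an Appx package, while the MSI build registers under the classic Uninstall keys. The package name Microsoft.RemoteDesktop, the "Remote Desktop" display name and the Get-RemoteDesktopClients function are my assumptions about how the two installers show up, not something the post states.

```powershell
# Added example, not from the post: list the installed Remote Desktop clients and flag
# the case where only the Store app is present (the one that looped on AVD here).

function Get-RemoteDesktopClients {
    # 1. Store version: an Appx package registered for the current user (package name assumed)
    $store = @(Get-AppxPackage -Name 'Microsoft.RemoteDesktop' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'MicrosoftStore'; Name = $_.Name
                               Version = $_.Version;      Path = $_.InstallLocation }
        })

    # 2. MSI version: registered under the Uninstall keys (64-bit, 32-bit and per-user hives)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $msi = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Remote Desktop*' -and $_.Publisher -like 'Microsoft*' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'MSI';              Name = $_.DisplayName
                               Version = $_.DisplayVersion; Path = $_.InstallLocation }
        })

    return $store + $msi
}

$clients = Get-RemoteDesktopClients
$clients | Format-Table -AutoSize

if (-not ($clients | Where-Object Source -eq 'MSI')) {
    Write-Warning 'No MSI Remote Desktop client found; for AVD install the MSI package from the Microsoft Learn page.'
}
```

Run it on the machine that loops; if the table shows only a MicrosoftStore row, you are in the same situation as above and the MSI client from the link below is the fix.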

Web client: https://client.wvd.microsoft.com/arm/webclient/

Windows client download: https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-windows (get the MSI package)

Other platforms link: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients

Universal workspace URL: https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery

That's all, I hope it helped :)

2024-02-15

Microsoft Dynamics Office Add-in error AADSTS650057

The Business Central Excel add-in, alias Microsoft Dynamics Office Add-in, allows users to read, analyze, and edit data from Microsoft Dynamics systems and publish data changes back to Microsoft Dynamics OData services.

I had two instances, one of which was reporting the error AADSTS650057:

Invalid resource. The client has requested access to a resource
which is not listed in the requested permissions in the client's
application registration.
Client app ID: {appId}({appName}).
Resource value from request: {resource}.
Resource app ID: {resourceAppId}.
List of valid resources from app registration: {regList}.

Official documentation: 

How to debug it? First, find all the mentioned app registrations and enterprise apps in Microsoft Entra and check their configuration, especially the IDs. Note that the App ID matches the Application ID URI.

Open the Business Central console and compare what values are set there. Two different app IDs are set.

What is in the values?

Endpoint URI: https://login.microsoftonline.com/<tenantID>/wsfed?wa=wsignin1.0%26wtrealm=api://<appRegNonExcel>%26wreply=https://<BCurl>/SignIn

Metadata location: https://login.microsoftonline.com/<tenantID>/federationmetadata/2007-06/federationmetadata.xml

So if everything here is correct but you still have the problem, let's check the permissions on the app registration side.

The main BC app registration needs to have an exposed API with the API.ReadWrite.All permission.

And when this is done, it is possible to add permissions to the "Excel app registration".

Delegated permissions must be granted, with admin consent, from the previously mentioned app registration to this one. If you cannot see the previous app in the list, you didn't publish it properly.
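The three checks above (exposed API on the BC registration, the scope requested by the Excel registration, and admin consent between the two), scripted with the Microsoft Graph PowerShell SDK as an added example that is not the post's own code. The two app IDs are placeholders in the same spirit as <appRegNonExcel> in the endpoint URI above, and it assumes the Microsoft.Graph modules are installed; the scope name API.ReadWrite.All is the one from the post.

```powershell
# Added example, not from the post: verify the app-registration side of AADSTS650057 for the
# Business Central Excel add-in with Microsoft Graph PowerShell.
# Install-Module Microsoft.Graph -Scope CurrentUser   # one-time

$bcAppId     = '<appRegNonExcel>'   # placeholder: app (client) ID of the main BC registration
$excelAppId  = '<appRegExcel>'      # placeholder: app (client) ID of the Excel add-in registration
$bcScopeName = 'API.ReadWrite.All'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$bc    = Get-MgApplication -Filter "appId eq '$bcAppId'"
$excel = Get-MgApplication -Filter "appId eq '$excelAppId'"
if (-not $bc -or -not $excel) { throw 'One of the app registrations was not found in this tenant.' }

# 1. The BC app must expose an API: an Application ID URI plus the scope itself
"BC Application ID URI(s): $($bc.IdentifierUris -join ', ')"
$scope = $bc.Api.Oauth2PermissionScopes | Where-Object Value -eq $bcScopeName
if (-not $scope) { throw "BC app does not expose scope $bcScopeName (check 'Expose an API')." }

# 2. The Excel app must request that scope; if it is missing, the token request names a
#    resource that is not in the registration, which is exactly what AADSTS650057 says
$req      = $excel.RequiredResourceAccess | Where-Object ResourceAppId -eq $bcAppId
$hasScope = $req.ResourceAccess | Where-Object { $_.Id -eq $scope.Id -and $_.Type -eq 'Scope' }
if (-not $hasScope) { throw "Excel app registration does not request $bcScopeName from the BC app." }

# 3. Admin consent shows up as a tenant-wide (AllPrincipals) OAuth2 grant from the Excel
#    service principal to the BC service principal
$bcSp    = Get-MgServicePrincipal -Filter "appId eq '$bcAppId'"
$excelSp = Get-MgServicePrincipal -Filter "appId eq '$excelAppId'"
$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($excelSp.Id)' and resourceId eq '$($bcSp.Id)'" |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -and (($_.Scope -split ' ') -contains $bcScopeName) }

if ($grant) { "OK: admin consent for $bcScopeName from the Excel app to the BC app is in place." }
else        { Write-Warning "No tenant-wide consent found; grant admin consent on the Excel app's API permissions." }
```

The script stops at the first failing step, which maps onto the order of the screenshots above: no exposed scope, scope not requested, or scope requested but never consented. Step 3 is the one the portal hides best, since a permission can be listed on the Excel registration while the grant itself is missing.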

After setting all this correctly, the login from the Excel add-in proceeded to the login screen without the error page.

I hope this helped.