TEAM: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
ENVIRONMENT: Office 365 Exchange Online, Microsoft Partner Center
SUMMARY: Error AADSTS650052 often indicates a lack of permissions. Review the below for specific steps on correcting the error.
Direct Mapping but throws error
If you are trying to direct (manually) map a tenant and the mapping throws this error without creating the tenant, run the following PowerShell against that tenant and then attempt the mapping again.
Steps to resolve:
From an Administrator elevated Windows PowerShell session
Install-Module AzureAD
Connect-AzureAD
New-AzureAdServicePrincipal -AppId "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"
Office 365 Exchange Online
AADSTS650052: The app is trying to access a service '00000002-0000-0ff1-ce00-000000000000'(Office 365 Exchange Online) that your organization '00000000-0000-0000-0000-000000000000' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. Trace ID: 30ea1b71-bd3f-4a0e-bfdd-a0c3e31c9c00 Correlation ID: 7ac5a0b8-5a79-453d-8967-65bbd0aa40e7 Timestamp: 2023-06-11 17:18:22Z
Why? There are no Exchange Online service principals in the Partner account, so the Huntress app cannot be granted Exchange Online access there.
At this time there are no steps to resolve this for the Partner account.
Integration is still possible via Manual Mapping of the individual tenant.
Microsoft Partner Center
AADSTS650052: The app is trying to access a service 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd'(Microsoft Partner Center) that your organization '00000000-0000-0000-0000-000000000000' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. Trace ID: 03f87c53-2a4f-4683-8d31-fb859f997200 Correlation ID: 96ce4bb7-c437-4efd-b191-314da1b2cc5c Timestamp: 2023-06-06 21:14:19Z
Why? The Huntress app is requesting Partner Center permissions, and the tenant has no service principal for Microsoft Partner Center (app ID fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd) to consent against. Creating that service principal lets the consent succeed.
Steps to resolve:
From an Administrator elevated Windows PowerShell session
Install-Module AzureAD
Connect-AzureAD
New-AzureAdServicePrincipal -AppId "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"
If the tenant in question is (direct) or (upstream), unmap the tenant after creating the service principal and recreate the mapping.
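The two PowerShell procedures above both come down to the same action: create the Microsoft Partner Center service principal in the tenant if it does not already exist. The script below is an added example, not part of the Huntress article, that does this idempotently: it first checks for the service principal by AppId (an empty result is exactly the condition behind AADSTS650052 for that app) and creates it only when missing, so it is safe to re-run. It assumes the AzureAD module is already installed (Install-Module AzureAD) and that the account used for Connect-AzureAD holds a role allowed to create service principals, such as Global Administrator. The function name Add-ServicePrincipalIfMissing is the example's own.

```powershell
# Added example (not Huntress code): idempotent version of the steps above.
# Assumes: AzureAD module installed; signed-in account can create service principals.

function Add-ServicePrincipalIfMissing {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [string] $Label = $AppId
    )

    # Look the first-party app up by AppId. No result means the tenant has no
    # service principal for it, which is what AADSTS650052 is reporting.
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if ($sp) {
        Write-Host "OK: service principal for $Label already exists (ObjectId $($sp.ObjectId))"
        return $sp
    }

    Write-Host "Missing: creating service principal for $Label ..."
    # This only registers the app's service principal in the tenant; it grants
    # no permissions by itself. Consent is still given through the Huntress
    # mapping flow, which is why the remap step follows.
    $sp = New-AzureADServicePrincipal -AppId $AppId
    Write-Host "Created: $($sp.DisplayName) (ObjectId $($sp.ObjectId))"
    return $sp
}

# Interactive sign-in to the tenant being mapped.
Connect-AzureAD | Out-Null

# Microsoft Partner Center, the app named in the AADSTS650052 message on this page.
Add-ServicePrincipalIfMissing -AppId 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' -Label 'Microsoft Partner Center'
```

Run it once per affected tenant, then unmap and recreate the mapping as described above. If the AzureAD module is not available, the Microsoft Graph PowerShell equivalents are Connect-MgGraph -Scopes 'Application.ReadWrite.All', Get-MgServicePrincipal -Filter "appId eq '...'" and New-MgServicePrincipal -AppId '...'; the logic is otherwise the same.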