mirror of
https://github.com/KelvinTegelaar/CIPP.git
synced 2026-04-25 08:16:01 +03:00
[GH-ISSUE #2851] Unauthorized calls to licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products from several apps #1409
Originally created by @okonaraddi-msft on GitHub (Aug 22, 2024).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/2851
Description
Hello! I'm from the team within Microsoft that owns the endpoint licensing.m365.microsoft.com. Starting on Monday, August 19th, we started seeing a recurring spike of 403'ed calls to the following APIs from several different apps.

PUT https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products/{productId}
GET https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products
We believe the calls are originating from "CIPP-SAM" apps and we see the above APIs appear in the CIPP-API repository. Could you share the motivation behind CIPP calling the above APIs?
This will help us understand how to proceed.
@github-actions[bot] commented on GitHub (Aug 22, 2024):
Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://docs.cipp.app/
If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug."
Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".
@okonaraddi-msft commented on GitHub (Aug 22, 2024):
I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.
@KelvinTegelaar commented on GitHub (Aug 22, 2024):
Hi Omkar,
This is a procedure that runs inside of CIPP to disable self-service licensing for all managed tenants. The 403s can happen when the user hasn't set their own permissions correctly but has enabled the procedure; we'll see if we can have a cleaner fail/check by next release.
@JohnDuprey commented on GitHub (Aug 22, 2024):
Hey @okonaraddi-msft, we have a Standard in CIPP to disable self-service licensing. Were there any permission changes recently that would have broken this?
This is the code behind the standard:
https://github.com/KelvinTegelaar/CIPP-API/blob/master/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
@JohnDuprey commented on GitHub (Aug 22, 2024):
@okonaraddi-msft - Would it be possible to get an Application permission that allows us the ability to manage these settings? From the looks of it, the role requirement is now being enforced and Billing Administrator is not in our recommended GDAP roles.
Ideally we would like to be able to do this without having everyone create new GDAP relationships.
@rvdwegen commented on GitHub (Aug 22, 2024):
@okonaraddi-msft
One thing that would help is if the API could expose an application context permission that would allow management of the self service status.
Right now we have to work through GDAP; per your team's documentation the role requirements for the module/API are either Global Administrator or Billing Administrator. The use of Global Administrator is being heavily discouraged by Microsoft, so it isn't a viable avenue, and Billing Administrator is a role that is not present in the GDAP relationships most of our users have with customers because there was no prior need for it.
If we could use an application context permission instead it should vastly decrease the amount of 403s.
@KelvinTegelaar commented on GitHub (Aug 29, 2024):
This Feature Request is being closed as we are having a development stop for our frontend rewrite. We will reopen feature requests when this has been performed.
@okonaraddi-msft commented on GitHub (Aug 31, 2024):
@JohnDuprey @rvdwegen @KelvinTegelaar
We recommend following our public documentation on disabling self-service policy using our PowerShell module: Manage self-service purchases and trials (for admins) | Microsoft Learn. The licensing.m365.microsoft.com endpoint is a public endpoint intended for Microsoft first party callers. We don't recommend calling it directly. If you continue to call that endpoint, you're calling at your own risk because we don't have a SLA with third party callers. Third party calls to licensing.m365.microsoft.com may be blocked without prior notice from our end.
@JohnDuprey commented on GitHub (Aug 31, 2024):
@okonaraddi-msft Is it possible to use your PowerShell module with GDAP? The CIPP user base is comprised of MSPs that have tens to hundreds of customers (or more). Our standards allow them to apply changes at scale and minimize their labor on such a task. It can be the difference between 10 minutes and an entire work day.
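The supported route the Microsoft reply above points to, as an added example that is neither CIPP's standard nor Microsoft's documentation sample: it assumes the module behind the linked document is MSCommerce, that it is already installed, and that the signed-in account holds one of the roles the thread names (Global Administrator or Billing Administrator) in the single tenant being changed.

```powershell
# Added example: disable self-service purchase for every product in one tenant through the
# MSCommerce module (assumed to be the module the linked Microsoft document describes),
# instead of calling licensing.m365.microsoft.com directly.
# Assumes: Install-Module MSCommerce has been run, and the signed-in account holds
# Global Administrator or Billing Administrator in the target tenant (as stated in the thread).
param(
    [switch]$WhatIf   # report what would change without writing anything
)

Import-Module MSCommerce -ErrorAction Stop

# Delegated sign-in: the module prompts for the tenant admin's credentials.
Connect-MSCommerce

$policyId = 'AllowSelfServicePurchase'

# Enumerate every product that currently allows self-service purchase.
$enabled = Get-MSCommerceProductPolicies -PolicyId $policyId |
    Where-Object { $_.PolicyValue -eq 'Enabled' }

if (-not $enabled) {
    Write-Output "No products have $policyId enabled; nothing to do."
    return
}

$results = foreach ($product in $enabled) {
    if ($WhatIf) {
        [pscustomobject]@{ ProductName = $product.ProductName; ProductId = $product.ProductId; Action = 'WouldDisable' }
        continue
    }
    try {
        Update-MSCommerceProductPolicy -PolicyId $policyId -ProductId $product.ProductId -Enabled $false | Out-Null
        [pscustomobject]@{ ProductName = $product.ProductName; ProductId = $product.ProductId; Action = 'DisableRequested' }
    }
    catch {
        # A 403 here is the same symptom the thread describes: the signed-in account lacks the required role.
        [pscustomobject]@{ ProductName = $product.ProductName; ProductId = $product.ProductId; Action = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Verification pass: re-read the policy and report anything still enabled.
if (-not $WhatIf) {
    $stillEnabled = Get-MSCommerceProductPolicies -PolicyId $policyId |
        Where-Object { $_.PolicyValue -eq 'Enabled' }
    Write-Output ("Products still enabled after update: {0}" -f @($stillEnabled).Count)
}
```

Run it once per customer tenant; the verification count at the end is the check worth recording, since a silent 403 on one product leaves that product purchasable.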