Danny-0581 asked ·

Process for ISV Azure AD application registration

Hi,

We are currently selling some Microsoft Dynamics ISV solutions (Finance and Operations, Sales etc.) that use the OAuth 2.0 Client Credentials Grant Flow to communicate between our ISV solutions on these Microsoft-hosted products.
The Authorization Code Grant Flow (only user-level permissions) is also used for our desktop applications (native apps), which the customers install locally and use to communicate with our ISV solutions on the Microsoft-hosted products.

Initially, the customers wanted to set up the application registration themselves in their Azure AD, so that was part of the standard setup.
But now we are getting customers that don’t want to do this.

It is essential for the customers that we are not able to get access to their APIs. Our solutions are deployed to their instances, and they don't use any solutions which are hosted at our end.

How would this application registration scenario normally be handled?

Can I simply set up a multi-tenant app reg in our AAD with the correct API permissions, and then get their admin/user to consent?
Would this, in any way, give us access to their APIs, like if we set up a secret in our AAD and use that for the Client Credentials Grant etc.?
And wouldn't this still require the customer to manually create a client secret or certificate for the Client Credentials Grant in their AAD?


The Authorization Code Grant requires a matching user in the customer's Microsoft Dynamics product, so that might be somewhat safe.
The Client Credentials Grant, on the other hand, only requires that the client id is added to the customer's Microsoft Dynamics product, and that a valid secret/certificate is used.

I just want to be sure that we would not be able to gain access to anything, while still giving the best user experience to the customer.

Thanks


Tags: azure-ad-authentication-protocols, azure-ad-app-registration

FrankHuMSFT-3200 answered ·

@Danny-0581,

It depends on what applications you're referring to. It really depends on Microsoft Dynamics and what you're trying to access. If the registration has application permissions, and accessing the dynamics service only requires application permissions, and one of your employees has access to get an access token from the app registration using clientid/secret, then the user will be able to access the dynamics instance with the same amount of permissions as were granted by the application registration/global admin originally.

If you want it to be based on user, you will have to follow an Auth code flow, and only allow users from X tenant to access Y Application. That is delegated permissions. For more information on the differences between application and delegated permissions please see here : https://docs.microsoft.com/en-us/azure/active-directory/develop/delegated-and-app-perms

Thanks,
- Frank Hu


Thanks Frank Hu,

We currently have at least 3 separate registration types:

  1. Used for the Authorization Code Grant between native client and FO.
     Contains delegated permissions on the App Reg.

  2. Used for the Client Credentials Grant to Sales.
     Does not have any permissions assigned on the App Reg, so relies on the client id being assigned to an application user inside Sales.

  3. Used for the Client Credentials Grant to FO.
     Does not have any permissions assigned on the App Reg, so relies on the client id being added as an Azure Active Directory application inside FO and assigned a user.

There must be some way that I can setup a template, automation or similar, so that the customer is not burdened with this task without allowing us or other customers to access their data.

As I mentioned before, it seems to be somewhat safe to let the customer consent to a multi-tenant app reg for 1., as we cannot access their instances without a valid user.
However, 2. and 3. seem problematic.

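An added example (mine, not from the thread, Microsoft, or any ISV product) that makes Frank's delegated-versus-application distinction and Danny's three registration types concrete from the customer's side: it decodes an Azure AD v2.0 access token and reports whether it was obtained with a user sign-in (delegated, `scp` present) or with a client secret/certificate (app-only, no `scp`), and, given a mapping of client id to the directory that owns the registration, whether that credential lives in the customer's tenant or in an external (ISV) tenant. The tenant ids, client ids, user and tokens below are constructed placeholders, the `APP_HOME_TENANTS` mapping is assumed to be built by the customer's admin from their Enterprise applications blade, and the decoder deliberately does not verify signatures, so it is an audit aid, not a token validator.

```python
import base64
import json

# Constructed identifiers for the example: not real tenants, apps or users.
CUSTOMER_TENANT = "11111111-1111-1111-1111-111111111111"
ISV_TENANT = "22222222-2222-2222-2222-222222222222"
ISV_CLIENT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"       # registration in the ISV's AAD
CUSTOMER_CLIENT_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"  # registration in the customer's AAD

# Which directory owns each registration, and therefore its secrets/certificates.
# Assumed to be maintained by the customer's admin (the token itself never says this).
APP_HOME_TENANTS = {ISV_CLIENT_ID: ISV_TENANT, CUSTOMER_CLIENT_ID: CUSTOMER_TENANT}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Inspection aid only: the resource API must still validate signature,
    issuer, audience and expiry before trusting any of these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, app_home_tenants: dict) -> dict:
    """Classify an Azure AD v2.0 access token as delegated or app-only and
    say whose credential was needed to obtain it.

    Delegated (authorization code) tokens carry 'scp' plus a user identity
    ('oid', 'preferred_username'). App-only (client credentials) tokens have
    no 'scp'; application permissions, if any, appear in 'roles' (empty for
    registrations like types 2 and 3 above, where the Dynamics instance maps
    the client id to an application user itself)."""
    claims = decode_claims(token)
    client_id = claims.get("azp") or claims.get("appid")  # v2.0 tokens use azp, v1.0 appid
    token_tenant = claims.get("tid")
    home_tenant = app_home_tenants.get(client_id, "unknown")
    result = {"client_id": client_id, "token_tenant": token_tenant, "home_tenant": home_tenant}

    if "scp" in claims:
        result["flow"] = "delegated"
        result["actor"] = claims.get("preferred_username") or claims.get("oid")
        result["finding"] = "delegated"
        result["note"] = ("needs an interactive sign-in by a user of tenant %s; "
                          "the registration owner cannot act without that user" % token_tenant)
    else:
        result["flow"] = "app-only"
        result["actor"] = client_id
        result["roles"] = claims.get("roles", [])
        if home_tenant == token_tenant:
            result["finding"] = "internal-app-only"
            result["note"] = "secret/certificate lives in the customer's own directory"
        else:
            result["finding"] = "external-app-only"
            result["note"] = ("secret/certificate lives in tenant %s; whoever holds it "
                              "can obtain app-only tokens for tenant %s" % (home_tenant, token_tenant))
    return result


# Constructed sample tokens mirroring the thread's registration types.
TOKEN_DELEGATED = make_sample_token({
    "tid": CUSTOMER_TENANT, "azp": ISV_CLIENT_ID, "scp": "user_impersonation",
    "oid": "33333333-3333-3333-3333-333333333333",
    "preferred_username": "alice@customer.example",
})
TOKEN_APP_ONLY_EXTERNAL = make_sample_token({"tid": CUSTOMER_TENANT, "azp": ISV_CLIENT_ID})
TOKEN_APP_ONLY_INTERNAL = make_sample_token({"tid": CUSTOMER_TENANT, "azp": CUSTOMER_CLIENT_ID})

if __name__ == "__main__":
    for name, tok in [("type 1: delegated", TOKEN_DELEGATED),
                      ("type 2/3: app-only, ISV-owned reg", TOKEN_APP_ONLY_EXTERNAL),
                      ("type 2/3: app-only, customer-owned reg", TOKEN_APP_ONLY_INTERNAL)]:
        r = classify_token(tok, APP_HOME_TENANTS)
        print("%-40s %-18s %s" % (name, r["finding"], r["note"]))
```

The `external-app-only` finding is exactly the case Danny is worried about for types 2 and 3: a multi-tenant registration owned by the ISV, consented in the customer tenant, lets anyone holding the ISV-side secret obtain tokens scoped to the customer's tenant, and the Dynamics application-user mapping then grants those tokens access. Keeping the registration (and its credentials) in the customer's own directory turns that into `internal-app-only`, which is why the per-customer registration was part of the original setup.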
IlanLanz-4856 answered ·

The process for ISVs is documented at: List your application in the Azure Active Directory application gallery


Please reach out and our team will be happy to help you onboard your app into the gallery and have your customers enjoy a simple and easy configuration.


Thank you so much for reaching out.

Is this process decoupled from ISV solution itself?
So that it’s only the creation of the registration in the customers’ AAD?

Normally, a customer can have multiple Dynamics Sales/FO/etc. instances, with or without our ISV solutions, located in one or more AAD tenants.

Each instance can then be connected to zero-to-many other instances using OAuth (separate App Reg for each).
Some customers connect their instances when the ISV solution is installed, while others wait.

Thanks,
Danny
