Partner Center Authentication

Applies To

  • Partner Center
  • Partner Center operated by 21Vianet
  • Partner Center for Microsoft Cloud Germany
  • Partner Center for Microsoft Cloud for US Government

Partner Center uses Azure Active Directory for authentication. When interacting with the Partner Center API, SDK, or PowerShell module, you must correctly configure an Azure AD application and then request an access token. Access tokens obtained using app only or app + user authentication can be used with Partner Center. However, there are two important items that need to be considered:

  • You must use multi-factor authentication when accessing the Partner Center API using app + user authentication. To find more information regarding this change, see Enable secure application model.
  • Not all of the operations in the Partner Center API support app only authentication, so there are scenarios where you will be required to use app + user authentication. Under the Prerequisites heading of each scenario article, you will find a statement of whether app only authentication, app + user authentication, or both are supported.

Initial setup

  1. To begin, make sure that you have both a primary Partner Center account and an integration sandbox Partner Center account. For more information, see Set up Partner Center accounts for API access. Make note of the Azure AD app registration ID and secret (the client secret is required for app only authentication) for both your primary account and your integration sandbox account.

  2. Sign in to Azure AD from the Azure management portal. In permissions to other applications, set permissions for Windows Azure Active Directory to Delegated Permissions, and select both Access the directory as the signed-in user and Sign in and read user profile.

  3. In the Azure management portal, select Add application. Search for "Microsoft Partner Center", which is the Microsoft Partner Center application. Set the Delegated Permissions to Access Partner Center API. If you are using Partner Center for Microsoft Cloud Germany or Partner Center for Microsoft Cloud for US Government, this step is mandatory. If you are using the Partner Center global instance, this step is optional: CSP partners can use the App Management feature in the Partner Center portal to bypass this step for the global instance.

App Only Authentication

If you would like to use app only authentication to access the Partner Center REST API, .NET API, Java API, or PowerShell module, you can do so with the following:

public static IAggregatePartner GetPartnerCenterTokenUsingAppCredentials()
{
    // App only (client credentials) authentication: the application id, the client
    // secret, and the Azure AD tenant domain of the partner are exchanged for a token.
    IPartnerCredentials partnerCredentials =
        PartnerCredentials.Instance.GenerateByApplicationCredentials(
            PartnerApplicationConfiguration.ApplicationId,
            PartnerApplicationConfiguration.ApplicationSecret,
            PartnerApplicationConfiguration.ApplicationDomain);

    // Create the partner operations instance with partnerCredentials.
    return PartnerService.Instance.CreatePartnerOperations(partnerCredentials);
}

App + User Authentication

Historically, the resource owner password credentials grant has been used to request an access token for use with the Partner Center REST API, .NET API, Java API, or PowerShell module. In that grant you request an access token from Azure Active Directory using a client identifier and user credentials. This approach no longer works, because Partner Center requires multi-factor authentication when using app + user authentication. To comply with this requirement, Microsoft has introduced a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and control panel vendors (CPV) using multi-factor authentication. This framework is known as the Secure Application Model, and it consists of a consent process and a request for an access token using a refresh token.

The partner consent process is an interactive process in which the partner authenticates using multi-factor authentication and consents to the application, and the resulting refresh token is stored in a secure repository such as Azure Key Vault. We recommend that a dedicated account for integration purposes be used for this process.

Important

The appropriate multi-factor authentication solution should be enabled for the service account used in the partner consent process. If it is not then the resulting refresh token will not be compliant with security requirements.

Samples

The partner consent process can be performed in a number of ways. To help partners understand how to perform each required operation, we have developed the following samples. Please note that these are samples only. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

Cloud Solution Provider Authentication

Cloud Solution Provider partners can use the refresh token obtained through the partner consent process.

Samples

To help partners understand how to perform each required operation, we have developed the following samples. Please note that these are samples only. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

  1. If you have not already done so, perform the partner consent process.

  2. Clone the Partner-Center-DotNet-Samples repository using Visual Studio or the following command:

    git clone https://github.com/Microsoft/Partner-Center-DotNet-Samples.git
    
  3. Open the CSPApplication project found in the Partner-Center-DotNet-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the App.config file.

    <!-- AppID that represents CSP application -->
    <add key="ida:CSPApplicationId" value="" />
    <!--
        Use a certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for the sample application only. Please do not use a secret directly from the config file.
    -->
    <add key="ida:CSPApplicationSecret" value="" />
    
    <!-- Endpoint address for the instance of Azure KeyVault -->
    <add key="KeyVaultEndpoint" value="" />
    
    <!-- AppID that is given access for keyvault to store the refresh tokens -->
    <add key="ida:KeyVaultClientId" value="" />
    
    <!--
        Use a certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for the sample application only. Please do not use a secret directly from the config file.
    -->
    <add key="ida:KeyVaultClientSecret" value="" />
    
  5. Set the appropriate values for the PartnerId and CustomerId variables found in the Program.cs file.

    // The following properties indicate the partner and customer context in which the calls are going to be made.
    string PartnerId = "<Partner tenant id>";
    string CustomerId = "<Customer tenant id>";
    
  6. When you run this sample project, it retrieves the refresh token that was obtained during the partner consent process. Then, it requests an access token to interact with the Partner Center SDK on the partner's behalf. Finally, it requests an access token to interact with Microsoft Graph on behalf of the specified customer.
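The same three steps at the REST level, as an added example that is not part of this page or of the Partner-Center-DotNet-Samples repository. It also covers the app only (client_credentials) request from the App Only Authentication section, since both go to the same token endpoint. Assumptions: the Azure AD v1 token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/token) with the grant_type, resource, client_id, client_secret and refresh_token form fields; a `fetch_secret` callable standing in for the Key Vault lookup; and an injectable `post` transport so the flow can be exercised offline against a constructed stand-in for Azure AD. `https_transport` is the real transport for use against the live endpoint; the secret-name format and the fake token values are constructed.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Azure AD v1 token endpoint and the resource identifiers the page's samples target.
LOGIN_AUTHORITY = "https://login.microsoftonline.com"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# A transport takes (url, form fields) and returns (HTTP status, response body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


class TokenError(Exception):
    """Raised when Azure AD does not return a usable access token."""


def build_token_request(tenant_id: str, client_id: str, client_secret: str,
                        resource: str, refresh_token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, form) for the v1 token endpoint.

    With a refresh token this is the app + user exchange of the Secure Application
    Model; without one it is the app only client_credentials grant.
    """
    url = f"{LOGIN_AUTHORITY}/{tenant_id}/oauth2/token"
    form = {"client_id": client_id, "client_secret": client_secret, "resource": resource}
    if refresh_token is None:
        form["grant_type"] = "client_credentials"
    else:
        form["grant_type"] = "refresh_token"
        form["refresh_token"] = refresh_token
    return url, form


def request_token(post: Transport, tenant_id: str, client_id: str, client_secret: str,
                  resource: str, refresh_token: Optional[str] = None) -> dict:
    """POST the token request and return the parsed token response, or raise TokenError."""
    url, form = build_token_request(tenant_id, client_id, client_secret, resource, refresh_token)
    status, body = post(url, form)
    try:
        payload = json.loads(body)
    except ValueError:
        raise TokenError(f"non-JSON response from token endpoint (HTTP {status})")
    if status != 200 or "error" in payload:
        # Surface Azure AD's error code (e.g. invalid_grant for an expired or revoked
        # refresh token) but never log the form: it holds the client secret and refresh token.
        raise TokenError(f"{payload.get('error', 'http_' + str(status))}: {payload.get('error_description', '')}")
    if "access_token" not in payload:
        raise TokenError("token response lacks access_token")
    return payload


def https_transport(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: form-encoded POST over HTTPS, only used against the live endpoint."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def csp_sample_flow(post: Transport, fetch_secret: Callable[[str], str], partner_tenant_id: str,
                    customer_tenant_id: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """The three steps of the CSP sample at the REST level.

    1. read the refresh token the consent process stored (fetch_secret stands in for Key Vault),
    2. exchange it for a Partner Center token in the partner tenant,
    3. exchange it for a Microsoft Graph token in the customer tenant.
    """
    refresh_token = fetch_secret(f"refresh-token-{partner_tenant_id}")  # constructed secret name
    partner = request_token(post, partner_tenant_id, client_id, client_secret,
                            PARTNER_CENTER_RESOURCE, refresh_token)
    customer = request_token(post, customer_tenant_id, client_id, client_secret,
                             GRAPH_RESOURCE, refresh_token)
    return {"partner_center": partner["access_token"], "graph": customer["access_token"]}


def make_fake_transport() -> Transport:
    """Constructed stand-in for Azure AD so the flow can be exercised offline."""
    def post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
        tenant = url.split("/")[3]
        if form.get("refresh_token") == "expired-token":
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "constructed: refresh token expired"})
        return 200, json.dumps({"token_type": "Bearer", "expires_in": "3599",
                                "resource": form["resource"],
                                "access_token": f"constructed-{form['grant_type']}-{tenant}-{form['resource']}"})
    return post


if __name__ == "__main__":
    tokens = csp_sample_flow(make_fake_transport(), lambda name: "rt-from-vault",
                             "partner-tenant", "customer-tenant", "<app id>", "<app secret>")
    print(tokens)
```

Swap `make_fake_transport()` for `https_transport` and `fetch_secret` for a Key Vault client to run it for real; keeping the transport and secret lookup injectable is what lets the error path (an expired or revoked refresh token comes back as `invalid_grant`) be tested without touching Azure AD.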

Control Panel Provider Authentication

Control panel vendors need to have each partner they support perform the partner consent process. Once that is completed, the refresh token obtained through that process is used to access the Partner Center REST API and .NET API.

Samples

To help control panel vendors understand how to perform each required operation, we have developed the following samples. Please note that these are samples only. When you implement the appropriate solution in your environment, it is important that you develop a solution that is compliant with your coding standards and security policies.

  1. Develop and deploy a process for Cloud Solution Provider partners to provide the appropriate consent. See the partner consent process for additional details and an example.

    Important

    User credentials from a Cloud Solution Provider partner should not be stored. The refresh token obtained through the partner consent process should be stored and used to request access tokens for interacting with any Microsoft API.

  2. Clone the Partner-Center-DotNet-Samples repository using Visual Studio or the following command:

    git clone https://github.com/Microsoft/Partner-Center-DotNet-Samples.git
    
  3. Open the CPVApplication project found in the Partner-Center-DotNet-Samples\secure-app-model\keyvault directory.

  4. Update the application settings found in the App.config file.

    <!-- AppID that represents Control panel vendor application -->
    <add key="ida:CPVApplicationId" value="" />
    
    <!--
        Use a certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for the sample application only. Please do not use a secret directly from the config file.
    -->
    <add key="ida:CPVApplicationSecret" value="" />
    
    <!-- Endpoint address for the instance of Azure KeyVault -->
    <add key="KeyVaultEndpoint" value="" />
    
    <!-- AppID that is given access for keyvault to store the refresh tokens -->
    <add key="ida:KeyVaultClientId" value="" />
    
    <!--
        Use a certificate as your client secret and deploy the certificate to your environment.
        The following application secret is for the sample application only. Please do not use a secret directly from the config file.
    -->
    <add key="ida:KeyVaultClientSecret" value="" />
    
  5. Set the appropriate values for the PartnerId and CustomerId variables found in the Program.cs file.

    // The following properties indicate the partner and customer context in which the calls are going to be made.
    string PartnerId = "<Partner tenant id>";
    string CustomerId = "<Customer tenant id>";
    
  6. When you run this sample project, it retrieves the refresh token for the specified partner. Then, it requests an access token to access Partner Center and Azure AD Graph on behalf of the partner. Next, it deletes and re-creates the permission grants in the customer tenant. Since there is no relationship between the control panel vendor and the customer, these permissions need to be added using the Partner Center API. The following example shows how this is accomplished.

    JObject contents = new JObject
    {
        // Provide your application display name
        ["displayName"] = "CPV Marketplace",
    
        // Provide your application id
        ["applicationId"] = CPVApplicationId,
    
        // Provide your application grants
        ["applicationGrants"] = new JArray(
            JObject.Parse("{\"enterpriseApplicationId\": \"00000002-0000-0000-c000-000000000000\", \"scope\":\"Domain.ReadWrite.All,User.ReadWrite.All,Directory.Read.All\"}"), // grant for Azure AD Graph access with the listed directory scopes
            JObject.Parse("{\"enterpriseApplicationId\": \"797f4846-ba00-4fd7-ba43-dac1f8f63013\", \"scope\":\"user_impersonation\"}")) // grant for Azure Resource Manager access
    };
    
    /**
     * The following steps have to be performed once per customer tenant if your application is
     * a control panel vendor application and requires customer tenant Azure AD Graph access.
     **/
    
    // delete the previous grant into customer tenant
    JObject consentDeletion = await ApiCalls.DeleteAsync(
        tokenPartnerResult.Item1,
        string.Format("https://api.partnercenter.microsoft.com/v1/customers/{0}/applicationconsents/{1}", CustomerId, CPVApplicationId));
    
    // create new grants for the application given the setting in application grants payload.
    JObject consentCreation = await ApiCalls.PostAsync(
        tokenPartnerResult.Item1,
        string.Format("https://api.partnercenter.microsoft.com/v1/customers/{0}/applicationconsents", CustomerId),
        contents.ToString());
    

After these permissions have been established, the sample performs operations using Azure AD Graph on behalf of the customer.

Frequently Asked Questions

Can the trusted location conditional access policy be used to bypass the requirement for multi-factor authentication?

No. This will not work because of how the requirement for multi-factor authentication is enforced.

How will the requirement for multi-factor authentication be enforced?

This requirement is enforced by checking that a claim of type http://schemas.microsoft.com/claims/authnmethodsreferences with a value of mfa is present in the token. If it is not, then authentication will be denied.
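A client-side pre-flight check for that claim, added here as an example that is not part of this page. It assumes the token is a compact JWT in which Azure AD issues the authnmethodsreferences claim type under the short JWT name `amr` (the full claim type URI is also accepted, as an assumption, in case a token maps it that way). The payload is decoded without signature validation: this only lets an integration fail fast and explain why a call will be refused (for example after a password-only or trusted-location sign-in), and it is not a substitute for the server-side enforcement described above. The sample tokens are constructed and unsigned.

```python
import base64
import json
from typing import List

# Claim type named on the page; Azure AD JWTs carry it under the short JWT name "amr".
AMR_CLAIM_URI = "http://schemas.microsoft.com/claims/authnmethodsreferences"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without validating its signature.

    Client-side diagnostic only: the relying party (Partner Center) validates the
    signature and enforces the claim itself. Never grant access on this basis alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def authentication_methods(claims: dict) -> List[str]:
    """Authentication method references, whether issued under "amr" or the full claim type URI."""
    value = claims.get("amr", claims.get(AMR_CLAIM_URI, []))
    return [value] if isinstance(value, str) else list(value)


def satisfies_mfa_requirement(token: str) -> bool:
    """True when the token records that multi-factor authentication was performed."""
    return "mfa" in authentication_methods(decode_jwt_payload(token))


def make_constructed_token(claims: dict) -> str:
    """Build an UNSIGNED sample token for offline testing (alg none, empty signature).

    Real tokens are signed by Azure AD; any verifier must reject alg "none".
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"typ": "JWT", "alg": "none"})
    return f"{header}.{enc(claims)}."


# Constructed claim sets: one from an MFA-backed sign-in, one from a password-only sign-in.
MFA_TOKEN = make_constructed_token({"aud": "https://api.partnercenter.microsoft.com",
                                    "upn": "integration@contoso.example", "amr": ["pwd", "mfa"]})
PASSWORD_ONLY_TOKEN = make_constructed_token({"aud": "https://api.partnercenter.microsoft.com",
                                              "upn": "integration@contoso.example", "amr": ["pwd"]})


if __name__ == "__main__":
    for name, tok in (("mfa", MFA_TOKEN), ("password only", PASSWORD_ONLY_TOKEN)):
        print(name, "->", "ok" if satisfies_mfa_requirement(tok) else "would be denied")
```

Running the check on the access token returned by the refresh-token exchange, before the first Partner Center call, turns an opaque authentication failure into an actionable message: the service account used in the partner consent process signed in without multi-factor authentication and the consent must be repeated with MFA enabled.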