Process for ISV Azure AD application registration

Danny 1 Reputation point
2020-02-06T10:29:37.507+00:00

Hi,

We are currently selling some Microsoft Dynamics ISV solutions (Finance and Operations, Sales etc.) that use the OAuth 2.0 Client Credentials Grant Flow to communicate between our ISV solutions on these Microsoft hosted products.
The Authorization Code Grant Flow (only user-level permissions) is also used for our desktop applications (native apps) which the customers install locally and use to communicate with our ISV solutions on the Microsoft hosted products.

Initially, the customers wanted to set up the application registration themselves in their Azure AD, so that was part of the standard setup.
But now we are getting customers that don't want to do this.

It is essential for the customers that we are not able to get access to their APIs. Our solutions are deployed to their instances, and they don't use any solutions which are hosted at our end.

How would this application registration scenario normally be handled?

Can I simply set up a multi-tenant app registration in our AAD with the correct API permissions, and then get their admin/user to consent?
Would this, in any way, give us access to their APIs, e.g. if we set up a secret in our AAD and use that for the Client Credentials Grant etc.?
And wouldn't this still require the customer to manually create a client secret or certificate for the Client Credentials Grant in their AAD?

The Authorization Code Grant requires a matching user in the customer's Microsoft Dynamics product, so that might be somewhat safe.
The Client Credentials Grant, on the other hand, only requires that the client id is added to the customer's Microsoft Dynamics product, and that a valid secret/certificate is used.

I just want to be sure that we would not be able to gain access to anything, while still giving the best user experience to the customer.

Thanks

Microsoft Entra ID

2 answers

  1. FrankHu-MSFT 976 Reputation points
    2020-02-07T04:22:54.897+00:00

    @Danny,

    It depends on what applications you're referring to. It really depends on Microsoft Dynamics and what you're trying to access. If the registration has application permissions, and accessing the dynamics service only requires application permissions, and one of your employees has access to get an access token from the app registration using clientid/secret, then the user will be able to access the dynamics instance with the same amount of permissions as were granted by the application registration/global admin originally.

    If you want it to be based on the user, you will have to follow an Auth code flow, and only allow users from tenant X to access application Y. That is delegated permissions. For more information on the differences between application and delegated permissions please see here: https://learn.microsoft.com/en-us/azure/active-directory/develop/delegated-and-app-perms

    Thanks,

    • Frank Hu
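The distinction Frank describes (an app-only token obtained with the client id/secret versus a delegated token tied to a signed-in user) is visible in the access token's claims. The following is an added audit helper, not code from this thread or from Microsoft: it decodes a token's claims (without verifying the signature) and reports whether the call was app-only or delegated, which client id made it, and whether the `tid` matches the customer tenant. All token contents, tenant ids and role names in it are constructed placeholders.

```python
"""Classify an Azure AD access token as app-only or delegated by its claims.

Hypothetical audit helper (not from the thread). A customer admin reviewing
calls into their API can use the same claims to tell a client-credentials
token (application permissions, 'roles') from an authorization-code token
(delegated permissions, 'scp', plus a user identity). Signature verification
is deliberately out of scope here; do it before trusting any claim.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, expected_tid: str) -> dict:
    """Summarise who the token represents and whether the tenant matches."""
    claims = decode_claims(token)
    # Delegated tokens carry 'scp' (user scopes); app-only tokens carry
    # 'roles' (application permissions) and, when enabled, idtyp == 'app'.
    app_only = "scp" not in claims and (
        "roles" in claims or claims.get("idtyp") == "app")
    return {
        "kind": "application" if app_only else "delegated",
        "client_id": claims.get("azp") or claims.get("appid"),  # v2 / v1 claim
        "tenant_ok": claims.get("tid") == expected_tid,
        "user": claims.get("preferred_username") or claims.get("upn"),
        "permissions": claims.get("roles") or (claims.get("scp") or "").split(),
    }


def _make_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline use only.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


CUSTOMER_TID = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
APP_TOKEN = _make_token({"tid": CUSTOMER_TID, "azp": "isv-client-id", "idtyp": "app",
                         "roles": ["Example.ReadWrite.All"]})  # constructed
USER_TOKEN = _make_token({"tid": CUSTOMER_TID, "azp": "isv-client-id", "oid": "user-oid",
                          "preferred_username": "alice@contoso.example",
                          "scp": "user_impersonation"})  # constructed
```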

  2. Ilan Lanz 1 Reputation point Microsoft Employee
    2020-03-05T00:38:53.57+00:00

    The process for ISVs is documented at - List your application in the Azure Active Directory application gallery

    Please reach out and our team will be happy to help you onboard your app into the gallery and have your customers enjoy a simple and easy configuration.