Microsoft is introducing a secure, scalable framework for authenticating cloud solution provider (CSP) partners and control panel vendors (CPV) through the Microsoft Entra multifactor authentication (MFA) architecture.
You can use the new model to elevate security for Partner Center API integration calls. This helps all parties (including Microsoft, CSP partners, and CPVs) to protect their infrastructure and customer data from security risks.
The CSP program allows customers to buy Microsoft products and services through the partners. As per the agreement with Microsoft, partners are required to manage the environment for the customers they sell to and provide support. Customers who buy through this channel must place a high amount of trust in the partner they're buying from because the partner business has high-privilege admin access to the customer tenant.
Scope
This article relates to both CSPs and CPVs.
CPVs
A CPV is an independent software vendor that develops apps for use by CSP partners to integrate with Partner Center APIs.
A CPV isn't a CSP partner with direct access to Partner Center or APIs.
CSPs
CSP indirect providers and CSP direct partners that use app ID + user authentication and integrate directly with Partner Center APIs.
Marketplace applications need to impersonate CSP partner privileges to call Microsoft APIs. Security attacks on these sensitive applications can lead to the compromise of customer data.
For an overview and details of the new authentication framework, see the Secure Application Model framework, which covers principles and best practices for making marketplace applications sustainable and resilient to security compromise.
Samples
The following overview documents and sample code describe how partners can implement the Secure Application Model framework:
Give delegated application permissions to the following resources, depending on your application's requirements. If necessary, you can add more delegated permissions for application resources.
Microsoft Partner Center (some tenants show SampleBECApp)
Azure Management APIs (if you're planning to call Azure APIs)
Windows Azure Active Directory
Make sure that the home URL of your app is set to an endpoint where a live web app is running. This app needs to accept the authorization code from the Microsoft Entra login call. For example, in the sample code in the following section, the web app is running at https://localhost:44395/.
Note the following information from your web app's settings in Microsoft Entra ID:
Be sure to log in with the user account from which you make Partner Center API calls (such as an admin agent or sales agent account).
Replace Application-Id with your Microsoft Entra app ID (GUID).
When prompted, log in with your user account with MFA configured.
When prompted, enter more MFA information (phone number or email address) to verify your login.
After you're logged in, the browser will redirect the call to your web app endpoint with your authorization code. For example, the following sample code redirects to https://localhost:44395/.
You must then use your authorization code to get a refresh token:
Make a POST call to the Microsoft Entra login endpoint https://login.microsoftonline.com/CSPTenantID/oauth2/token with the authorization code. For an example, see the following sample call.
You must obtain an access token before you can make calls to the Partner Center APIs. You must use a refresh token to obtain an access token because access tokens generally have a limited lifetime (for example, less than an hour).
The ServicePrincipal parameter is used with the New-PartnerAccessToken command because a Microsoft Entra app with a type of Web/API is being used. This type of app requires that a client identifier and secret be included in the access token request. When the Get-Credential command is invoked, you will be prompted to enter a username and password. Enter the application identifier as the username. Enter the application secret as the password. When the New-PartnerAccessToken command is invoked, you will be prompted to enter credentials again. Enter the credentials for the service account that you are using. This service account should be a partner account with appropriate permissions.
Copy the refresh token value.
```powershell
$token.RefreshToken | clip
```
You should store the refresh token value in a secure repository, such as Azure Key Vault. For more information on how to use the secure application module with PowerShell, see the multifactor authentication article.
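The two token requests described above (authorization code to refresh token, then refresh token to short-lived access token) against the login endpoint the article names, as an added example that is not Microsoft's sample code. The Partner Center resource URI is an assumption, and the tenant, app ID, secret and code values are placeholders; the refresh token returned by the first call is the value to store in Key Vault.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"  # assumed

def auth_code_request(tenant, client_id, client_secret, code, redirect_uri):
    """Step 1: one-time exchange of the MFA-backed authorization code."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # required for a Web/API (confidential) app
        "code": code,
        "redirect_uri": redirect_uri,  # must match the app's registered home URL
        "resource": PARTNER_CENTER_RESOURCE,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), body

def refresh_request(tenant, client_id, client_secret, refresh_token):
    """Step 2: mint a short-lived access token from the vaulted refresh token."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": PARTNER_CENTER_RESOURCE,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), body

def post_form(url, body):
    """POST the form-encoded body and return the parsed JSON token response."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def parse_tokens(response):
    """Return (refresh_token, access_token, expires_on); only the refresh token is vaulted."""
    for key in ("access_token", "refresh_token", "expires_on"):
        if key not in response:
            raise ValueError("token response missing " + key)
    return response["refresh_token"], response["access_token"], int(response["expires_on"])

def needs_refresh(expires_on, now=None, skew=300):
    """True when the access token is within `skew` seconds of expiry, so refresh first."""
    now = time.time() if now is None else now
    return now + skew >= expires_on
```

Run `post_form(*auth_code_request(...))` once after the redirect, vault the refresh token, and thereafter call `post_form(*refresh_request(...))` whenever `needs_refresh` is true before a Partner Center API call.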