How to enable Microsoft Partner Center new secure application model for the Automation Platform?

Overview

The purpose of this article is to describe how to implement a secure model for Microsoft partners and customers to interact with Partner Center APIs. Microsoft is introducing this for Control Panel Vendors (CPVs) and Cloud Solution Providers (CSPs) who use APIs to transact with Microsoft.

This model helps secure partner credentials and manage the potential security risks caused by unauthorized access to Microsoft Partner Center credentials. From the 4th of Feb 2019, all transactions with Partner Center APIs will need to adhere to this new secure model of interaction.

As per Microsoft guidelines, CSP partners who use apps developed by Independent Software Vendors (ISVs), such as the Automation Platform, to integrate with Partner Center APIs need to implement the new secure application model to prevent unauthorized access. The CPV currently uses CSP credentials to provision new services, upgrade/downgrade services, suspend/terminate services, etc. With the new approach, these operations become more secure because the CSP credentials are no longer used directly.

CPV (Control Panel Vendor): A Control Panel Vendor is an independent software vendor who develops apps to be used by CSP partners to integrate with Partner Center APIs. A Control Panel vendor is not a CSP Partner with direct access to the Partner Center dashboard or Partner Center APIs (i.e. does not have the ability to transact on CSP).

A summary of the steps needed to enable this model for your Automation Platform installation is below:

- Enable multi-factor authentication for all users under the CSP.

- Provide consent to the CPV (Automation Platform) to use the Partner Center API on behalf of the CSP and obtain a refresh token.

- Store the refresh token in the CPV for permanent use via one of two options:

  - Manually in the Automation Platform application

  - In Azure Key Vault

A. Enable Multi Factor Authentication (MFA) for users in Microsoft Partner center

As per the Microsoft guidelines, MFA must be enforced for all users in the CSP organization for security purposes. To do that, kindly follow the steps below:

1. Log in to the Microsoft Office portal (https://login.microsoftonline.com/) using admin credentials.

2. Now, click on the Admin icon and the user will be redirected to the Microsoft 365 admin center as shown below:

3. Now, go to the left side bar, click on the user icon and then click on Active users as shown in the above screenshot.

4. Click on the user for whom you want to enable MFA. Now, edit the contact information and fill in the required details of the user.

Please ensure that you provide the mobile number, as the OTP (one-time password) will be sent to the number mentioned here.

5. Click on the ‘Manage multi-factor authentication’ link and you will be redirected to the screen below, where you can enforce MFA for a single user or for multiple users.

6. Now select/search for the user for whom you want to enable MFA and click on the ‘Enable’ button on the right side under ‘quick steps’.

MFA is now enabled for the user; the next step enforces it.

7. Now again select/search for the user for whom you want to enforce MFA and click on the ‘Enforce’ button.

8. To verify whether MFA is enforced, try to log in to the Partner Center portal using the MS credentials.

9. After signing in, the user will get an additional security verification screen. Here, the user needs to fill in the required details in Step 1 of the screenshot below: select the preferred method of authentication, i.e. authentication phone, country or region, registered phone number and method (call me or send me a code by text message), and click on the Next button.


10. After that, the user needs to enter the OTP received on their registered mobile number and click on the Verify button to complete the verification process; they will then be redirected to the Partner Center portal.

B. Provide CSP consent to the CPV (Automation Platform)

With Microsoft introducing the new secure model, CSPs can either use 3rd party software (a CPV) to interact with Partner Center APIs or use their in-house product to interact with Partner Center APIs. Automation Platform is the CPV in the above scenario and is used as the 3rd party software by CSP partners to interact with Partner Center APIs.

To provide the CSP consent to the CPV to use Partner Center APIs on behalf of the CSP, either the Global Admin can provide the consent, or they can assign someone in the organization (a user with the Admin Agent role) to provide the consent on behalf of the CSP partner.

Steps to provide consent to the CPV (Automation Platform):

Please complete the partner consent process in a new private window, and make sure there is no active session of the MS Azure portal, MS Office or MS Partner Center portal. If one is found, first sign out of that portal and only then follow the CSP consent process.

1. Log in to the Automation Platform admin portal and go to Settings >> Products and Services >> MS O365 Products.

2. Click on the “CSP Partner Consent” button.

3. After that a pop-up will open, in which the customer needs to fill in the CSP domain name and click on the OK button.

4. The user will be redirected to the Microsoft login screen, where they need to log in with their MS CSP user credentials.

5. After signing in, the user will get the additional security verification page, where they need to enter the OTP received on their registered number and click on the Verify button.

6. After successful verification of the OTP, the user will be redirected to the consent acceptance page.

7. Now, tick the ‘Consent on behalf of your organization’ checkbox as shown in the above screenshot and click on the Accept button. By clicking on the Accept button, the CSP admin has provided consent to the CPV (Automation Platform) to use the Partner Center API on behalf of the CSP. After that, the user is redirected to the Automation Platform admin portal (Settings >> Products and Services >> MS Office 365 Products >> CSP partner consent), where a field labelled “Refresh Token” is shown. This is the most important piece of information to share with the Automation Platform (CPV) team once you have provided consent. Please store it for future reference.

C. How to configure refresh token in Automation Platform module setting?

The Refresh Token displayed above will be used by Automation Platform (CPV) to access the Partner Center API on behalf of the CSP partner instead of a username/password. To do that, there are two (2) suggested methods:

1. Configure the refresh token manually in the module setting of Automation Platform. Refer to point number 4.1. There are no additional costs incurred for choosing this option.

2. The Microsoft-recommended solution, i.e. Azure Key Vault. Azure Key Vault is a service provided by Microsoft to store the token securely. Charges for usage of the Key Vault may be applied by Microsoft directly to the CSP. These charges are NOT related to the Automation Platform charges at all. One active Azure subscription is a prerequisite for using the Azure Key Vault service.
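The following Python snippet is an added example, not the Automation Platform's own code, showing what the CPV does with the refresh token once it is stored: it exchanges the refresh token (and, behind the consent button, the authorization code) for a short-lived Partner Center access token without ever handling the CSP username or password. The token endpoint and the Partner Center resource identifier are the real Azure AD v1 values; the function names, the tenant/app/token values and the sample reply are constructed placeholders. No network call is made, so the requests and parsing can be inspected offline.

```python
"""Secure Application Model token handling on the CPV side.
Added example, not the Automation Platform's own code: it builds the exact
HTTP requests and parses the replies without touching the network. Tenant,
app and token values are constructed placeholders."""
import json
import time
from urllib.parse import urlencode

# Azure AD v1 token endpoint and the Partner Center API resource identifier.
AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"


def redact(secret: str, keep: int = 4) -> str:
    """Shorten a token or secret for log output so the log cannot leak it."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return f"{secret[:keep]}...{secret[-keep:]}"


def build_code_exchange_request(csp_domain, cpv_app_id, cpv_app_secret,
                                auth_code, redirect_uri):
    """Request that turns the authorization code returned after the CSP admin's
    consent into tokens; the refresh token in the reply is the value the
    'Refresh Token' page shows and the CPV stores."""
    body = {
        "grant_type": "authorization_code",
        "client_id": cpv_app_id,
        "client_secret": cpv_app_secret,
        "code": auth_code,
        "redirect_uri": redirect_uri,
        "resource": PARTNER_CENTER_RESOURCE,
    }
    return AAD_TOKEN_URL.format(tenant=csp_domain), urlencode(body)


def build_refresh_request(csp_domain, cpv_app_id, cpv_app_secret, refresh_token):
    """Request that trades the stored refresh token for a short-lived Partner
    Center access token. No CSP username or password is involved."""
    body = {
        "grant_type": "refresh_token",
        "client_id": cpv_app_id,
        "client_secret": cpv_app_secret,
        "refresh_token": refresh_token,
        "resource": PARTNER_CENTER_RESOURCE,
    }
    return AAD_TOKEN_URL.format(tenant=csp_domain), urlencode(body)


def parse_token_response(raw_json, now=None):
    """Parse the token endpoint reply. Fails closed on error replies and on
    tokens issued for any resource other than Partner Center. Returns the
    access token, the rotated refresh token (if any) and seconds to expiry."""
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(
            f"token request failed: {data['error']}: {data.get('error_description', '')}")
    if data.get("resource") != PARTNER_CENTER_RESOURCE:
        raise RuntimeError("token issued for an unexpected resource")
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])  # v1 endpoint returns epoch seconds as a string
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # replace the stored one when present
        "expires_in": max(0, expires_on - int(now)),
    }


# Constructed sample reply, shaped like the v1 token endpoint's JSON.
SAMPLE_TOKEN_REPLY = json.dumps({
    "token_type": "Bearer",
    "expires_on": "4600",
    "resource": PARTNER_CENTER_RESOURCE,
    "access_token": "eyJ0eXAi.constructed.access",
    "refresh_token": "0.AAAA.constructed.refresh.rotated",
})

if __name__ == "__main__":
    url, body = build_refresh_request("csp-tenant.onmicrosoft.com", "cpv-app-id",
                                      "cpv-app-secret", "0.AAAA.constructed.refresh")
    print("POST", url)
    print("body", body.replace("cpv-app-secret", redact("cpv-app-secret")))
    tok = parse_token_response(SAMPLE_TOKEN_REPLY, now=1000)
    print("access token", redact(tok["access_token"]), "valid for", tok["expires_in"], "s")
```

Two points the code makes explicit: the access token is what is sent to Partner Center and it expires within an hour, so only the refresh token needs long-term storage; and a reply may carry a rotated refresh token, in which case the stored value (module setting or Key Vault secret) must be replaced, otherwise the next exchange fails.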

4.1 Manually configure refresh token in Automation Platform application

This section will show you how to configure the refresh token manually in module setting of the Automation Platform:

1. Log in to the Automation Platform admin portal and go to Settings >> Products/Services >> General Product Settings >> Vendor >> Product Name >> Product Plan >> Module Settings and configure the below details.

  • CSP domain

  • CSP MS ID/Account ID

  • App ID (CPV App ID, to be shared by Automation Platform team)

  • App secret (CPV App secret, to be shared by Automation Platform team)

  • MFA Method (Drop down menu): Manually
    - Refresh Token: (long alpha numeric string)

4.2 Use the Azure Key Vault

This section will show you how to configure the Azure Key Vault option in the module setting of Automation Platform. To use the Azure Key Vault option, you first need to store the refresh token in Azure Key Vault.

How to store the token in the Azure Key Vault?

To store the refresh token in Azure Key Vault, kindly follow the below steps:

1. Log in to the https://portal.azure.com using username and password.

2. Once logged-in, click on the ‘Azure Active Directory’ on the left side menu bar.

3. Now click on the App registrations option.

4. Click on the + New application registration button to register new app.

5. Fill the required fields.

6. Once done click on the Create button and your application will look like this.

The application ID will be treated as the client ID. Now click on the Settings button and you will be able to see the Settings blade.

7. Now, you need to create a secret key first. For that, click on the Keys option under the API ACCESS section.

8. Now, enter a key description and expiry duration (using the drop-down) and click on the Save button. Your client secret key is saved now and will be visible. Note it down for future reference; it will not be shown again after you leave the blade.

9. After that, go to the previous menu and click on the ‘Required permissions’ option under the API ACCESS section.

10. Select the Windows Azure Active Directory option and make sure that the permission shown in the screenshot below is present.

11. App registration is done. Now, to store the refresh token in Azure Key Vault, you need to create a key vault first. To do that, go to the top search bar and search for Key vaults.


12. Click on the Key vaults option and you will land on key vaults page.


13. Now, to create a new key vault, click on the Add button.


14. Fill in the required fields:

  • Name of the Key Vault

  • Subscription details (the subscription will be Microsoft Azure)

  • Resource Group (click on the ‘create new’ link, add the resource name for the key vault and complete the further process)

  • Enter the location

  • Select the pricing tier (Standard has been selected)

  • Access policies

    - Click on the Access policies option and then click on the + Add new button on the access policies blade to add a new access policy.

    - Select the Principal. The principal will be the application you just created in the above steps. If you enter the name in the search, the app will appear as shown in the screenshot below. After selecting the app, click on the Select button.

    - Now select the other options, i.e. key permissions, secret permissions and certificate permissions, as per your application requirements.

15. Once done with all the information, click on the ‘OK’ button and you will be able to see the application name as below.

Your key vault is created now.

16. Once the Key Vault is created, you will need to create a secret in which the refresh token can be saved securely.

17. Click on the newly created key vault and then select the Secrets option from the menu.

18. Now click on the Generate/Import button to create a new secret.

19. Fill in the required values:

  • Upload option as manual

  • Name of the secret

  • Value of the secret

  • Content type is optional, in that you can add the description, or any other details related to this secret

  • Set Activation date

  • Set Expiration date

  • Enabled - Yes/No

20. Once you have filled in all the required details, click on the Create button and your secret will be visible in the list like below:

21. Click on the secret to verify it.

Here, you can add a new version of that secret by clicking on the Add button and filling in the required details. Your newly created secret will look like below:

The Secret Identifier will be used to get the secret value using the Azure Key Vault API, so note it down.

This Azure Key Vault secret identifier will be used as the Azure Key Vault URL in the module setting of Automation Platform.

Log in to the Automation Platform admin portal and go to Settings >> Products/Services >> General Product Settings >> Vendor >> Product Name >> Product Plan >> Module Settings and configure the below details:

  • CSP domain

  • CSP MS ID/Account ID

  • App ID (CPV App ID, to be shared by Automation Platform team)

  • App secret (CPV App secret, to be shared by Automation Platform team)

  • MFA Method (Drop down menu): Azure Key Vault

  • Azure Key Vault Client App ID (i.e. 52xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx4) – Application ID of the Azure Key Vault Client App

  • Azure Key Vault Client App Secret (i.e. GxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxY) – Secret key created for the Azure Key Vault Client App

  • Azure Key Vault Client CSP Domain (i.e. xxxxxxxxxxx.onmicrosoft) – MS domain name of the Azure subscription on which the Azure Key Vault is created

  • Azure Key Vault URL (Azure Key Vault secret identifier, i.e. https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/xxxxxxxxxxxxxxxxxxxxxx?api-version=7.0) – Secret Identifier of the secret stored in the Azure Key Vault that the Azure Key Vault Client App has access to

After the details are configured using the above discussed steps, you can use the Automation Platform to order and manage MSCSP services.
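The following Python snippet is an added example, not the Automation Platform's own code, showing what the "Azure Key Vault" MFA method does with the four Key Vault values configured above: it validates the secret identifier before using it, obtains a Key Vault access token for the client app registered in 4.2 with the client-credentials grant, builds the secret GET request with the API version pinned to 7.0, and refuses a secret whose attributes mark it disabled, expired or not yet active. The token endpoint, the https://vault.azure.net resource identifier and the reply shapes are the real Azure values; the function names, vault and app names, the 32-hex-character version and the sample reply are constructed placeholders, and the public Azure cloud is assumed. No network call is made.

```python
"""Reading the Partner Center refresh token back from Azure Key Vault.
Added example, not the Automation Platform's own code. Vault, app and token
values are constructed placeholders; the public cloud (vault.azure.net) is
assumed. Nothing here touches the network."""
import json
import re
import time
from urllib.parse import urlencode, urlparse

AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
# Key Vault secret versions are 32 lowercase hex characters.
SECRET_PATH_RE = re.compile(r"^/secrets/(?P<name>[0-9A-Za-z-]+)/(?P<version>[0-9a-f]{32})$")


def parse_secret_identifier(identifier: str) -> dict:
    """Check that the configured URL really points at one secret version in a
    Key Vault, so a mistyped or hostile URL is rejected before any token is sent."""
    u = urlparse(identifier)
    if u.scheme != "https":
        raise ValueError("secret identifier must use https")
    host = u.hostname or ""
    if not host.endswith(".vault.azure.net") or host.count(".") != 3:
        raise ValueError("host must be <key-vault-name>.vault.azure.net")
    m = SECRET_PATH_RE.match(u.path)
    if not m:
        raise ValueError("path must be /secrets/<secret-name>/<version>")
    return {"vault": host.split(".")[0], "name": m["name"], "version": m["version"]}


def build_key_vault_token_request(kv_tenant_domain, kv_app_id, kv_app_secret):
    """Client-credentials grant for the Key Vault client app registered in Azure AD.
    Reading one secret needs only the 'Get' secret permission in the access policy."""
    body = {
        "grant_type": "client_credentials",
        "client_id": kv_app_id,
        "client_secret": kv_app_secret,
        "resource": KEY_VAULT_RESOURCE,
    }
    return AAD_TOKEN_URL.format(tenant=kv_tenant_domain), urlencode(body)


def build_secret_request(identifier, access_token):
    """GET for the secret value, with the API version pinned to 7.0 and the
    bearer token from the client-credentials grant."""
    p = parse_secret_identifier(identifier)
    url = (f"https://{p['vault']}.vault.azure.net/secrets/"
           f"{p['name']}/{p['version']}?api-version=7.0")
    return url, {"Authorization": f"Bearer {access_token}"}


def extract_refresh_token(raw_json, now=None):
    """Parse the Key Vault secret reply and return its value only if the
    secret's attributes (enabled, nbf, exp) allow use right now."""
    data = json.loads(raw_json)
    if "error" in data:
        raise RuntimeError(f"Key Vault error: {data['error'].get('code')}")
    attrs = data.get("attributes", {})
    now = time.time() if now is None else now
    if not attrs.get("enabled", False):
        raise RuntimeError("secret is disabled")
    if attrs.get("nbf") is not None and attrs["nbf"] > now:
        raise RuntimeError("secret activation date has not been reached")
    if attrs.get("exp") is not None and attrs["exp"] <= now:
        raise RuntimeError("secret has expired")
    return data["value"]


# Constructed sample values.
SAMPLE_IDENTIFIER = ("https://example-vault.vault.azure.net/secrets/pc-refresh-token/"
                     + "0123456789abcdef0123456789abcdef")
SAMPLE_SECRET_REPLY = json.dumps({
    "value": "0.AAAA.constructed.refresh",
    "id": SAMPLE_IDENTIFIER,
    "attributes": {"enabled": True, "nbf": 500, "exp": 2000, "created": 500, "updated": 500},
})

if __name__ == "__main__":
    tok_url, tok_body = build_key_vault_token_request("kv-tenant.onmicrosoft.com",
                                                      "kv-app-id", "kv-app-secret")
    print("POST", tok_url)
    sec_url, headers = build_secret_request(SAMPLE_IDENTIFIER, "constructed-access-token")
    print("GET", sec_url)
    print("refresh token loaded:", bool(extract_refresh_token(SAMPLE_SECRET_REPLY, now=1000)))
```

The identifier check matters because the configured URL decides where the Key Vault bearer token is sent; anything that is not a <key-vault-name>.vault.azure.net host pointing at a specific secret version is rejected. The attribute checks mirror the activation date, expiration date and Enabled fields set in step 19, so a rotated or retired secret is noticed at read time rather than as a failed Partner Center call later.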