Hero Banner

Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Take the survey
Reply
Highlighted
patrickL
‎12-05-2019 07:00 AM
Visitor 1
‎12-05-2019 07:00 AM

Do we need to use Secure Application Mode for back-end App-Only auth flows?

We currently use the "App-Only" authentication model as described on Microsoft's "Partner Center Authentication" Site for our integration with some of the Partner Center APIs. Our integration is back-end code whereby users are not logging in.

 

The "Enabling the Secure Application Model framework" makes it seem as if using the new model is required 100% of the time for any API call. The "Partner Center authentication" website states that "App-Only" authentication is acceptable.

 

When is "App-Only" authentication as described on the above web page allowed?

(We develop applications for CSP customers which are not hosted in Azure.  It is also not a Marketplace application.  As such, I do not think that we are considered a "CPV".)

Labels:
Reply
0 Kudos
2 REPLIES 2
Highlighted
JanoschUlmer
Microsoft
‎12-09-2019 07:01 AM
Microsoft
‎12-09-2019 07:01 AM

Re: Do we need to use Secure Application Mode for back-end App-Only auth flows?

If you are using app only, Secure App Model does not apply, since authentication will not happen using delegated permissions: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#i-am-a-csp-that-is-using-app-only-authentication-do-i-need-to-make-any-changes

 

The Secure App Model documentation does only apply to "app+user" model, so "app only" is not discussed in there at all.

Reply
Highlighted
cjmod
Level 5 Contributor
‎12-20-2019 10:21 AM
Level 5 Contributor
‎12-20-2019 10:21 AM

Re: Do we need to use Secure Application Mode for back-end App-Only auth flows?

Not a Microsoft employee, but... if you're interacting with any Partner Center APIs, I'd recommend:

 

  1. Investigating the level of effort required to adopt the Secure Application Model
  2. Evaluating the risk to your business if one of the Partner Center APIs you use suddenly requires "App+user" authentication
  3. Scheduling the work for some point in the near future
  4. Preparing people for the possibility of your integratation breaking until the work is completed

 

In other words, using any intergation still using App-Only authentication may work today... but only integrations using Secure Application Model for App+User authentication are sure to work tomorrow.

Reply
0 Kudos
Follow Us
    Share