Do we need to use Secure Application Mode for back-end App-Only auth flows?
We currently use the "App-Only" authentication model as described on Microsoft's "Partner Center Authentication" Site for our integration with some of the Partner Center APIs. Our integration is back-end code whereby users are not logging in.
The "Enabling the Secure Application Model framework" makes it seem as if using the new model is required 100% of the time for any API call. The "Partner Center authentication" website states that "App-Only" authentication is acceptable.
When is "App-Only" authentication as described on the above web page allowed?
(We develop applications for CSP customers which are not hosted in Azure. It is also not a Marketplace application. As such, I do not think that we are considered a "CPV".)
Not a Microsoft employee, but... if you're interacting with any Partner Center APIs, I'd recommend:
- Investigating the level of effort required to adopt the Secure Application Model
- Evaluating the risk to your business if one of the Partner Center APIs you use suddenly requires "App+user" authentication
- Scheduling the work for some point in the near future
- Preparing people for the possibility of your integration breaking until the work is completed
In other words, using any integration still using App-Only authentication may work today... but only integrations using Secure Application Model for App+User authentication are sure to work tomorrow.
If you are using app only, Secure App Model does not apply, since authentication will not happen using delegated permissions: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#i-am-a-csp-that-is-using-app-only-authentication-do-i-need-to-make-any-changes
The Secure App Model documentation only applies to the "app+user" model, so "app only" is not discussed in there at all.
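The distinction both answers rely on is application permissions versus delegated permissions. Tokens issued by Azure AD carry that distinction in their payload claims: a delegated (app+user) token has an `scp` claim, while an app-only (client credentials) token has none and, when the optional `idtyp` claim is configured, carries `idtyp: "app"`. The following added example (not code from the thread or from Microsoft) inspects tokens an integration already holds and reports which model each one was issued under, which is a quick way to inventory which of your back-end flows are app-only today. The sample tokens are constructed and unsigned, the claim names follow Azure AD's documented token format, and the payload is decoded without signature verification, so this is suitable for auditing only, never for making an authorization decision.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_claims(token):
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this reads a token you already hold for
    inspection/auditing purposes only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_auth_model(token):
    """Classify an Azure AD access token as 'app+user' or 'app-only'.

    - 'scp' present      -> delegated permissions, i.e. app+user
    - 'idtyp' == 'app'   -> app-only (optional claim, present when configured)
    - 'appid' but no user -> app-only (client credentials flow, no signed-in user)
    """
    claims = token_claims(token)
    if "scp" in claims:
        return "app+user"
    if claims.get("idtyp") == "app":
        return "app-only"
    if "appid" in claims and not any(k in claims for k in ("upn", "preferred_username", "oid")):
        return "app-only"
    return "unknown"


def summarize_integrations(tokens_by_name):
    """Map each integration name to the auth model its current token reflects."""
    return {name: classify_auth_model(tok) for name, tok in tokens_by_name.items()}


def _make_unsigned_jwt(payload):
    # Constructed sample only: header + payload with an empty signature segment.
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return "{}.{}.".format(enc(header), enc(payload))


# Constructed sample tokens; GUIDs and tenant values are placeholders.
APP_ONLY_SAMPLE = _make_unsigned_jwt({
    "aud": "https://api.partnercenter.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "idtyp": "app",
})

APP_USER_SAMPLE = _make_unsigned_jwt({
    "aud": "https://api.partnercenter.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "upn": "admin@example.onmicrosoft.com",
    "scp": "user_impersonation",
})

if __name__ == "__main__":
    inventory = {
        "billing-sync": APP_ONLY_SAMPLE,
        "subscription-provisioner": APP_USER_SAMPLE,
    }
    for name, model in summarize_integrations(inventory).items():
        print("{:<28} {}".format(name, model))
```

Run against the tokens your integrations actually acquire (for example, logged once at startup in a test environment) and anything reported as `app-only` is a flow that the first answer's risk assessment applies to. Because the decoder ignores the signature, keep this strictly as an inventory tool; validating tokens for access control is the job of the token-validation library you already use.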