Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Visitor 1

Do we need to use Secure Application Mode for back-end App-Only auth flows?

We currently use the "App-Only" authentication model as described on Microsoft's "Partner Center Authentication" Site for our integration with some of the Partner Center APIs. Our integration is back-end code whereby users are not logging in.

The "Enabling the Secure Application Model framework" makes it seem as if using the new model is required 100% of the time for any API call. The "Partner Center authentication" website states that "App-Only" authentication is acceptable.

When is "App-Only" authentication as described on the above web page allowed?

(We develop applications for CSP customers which are not hosted in Azure. It is also not a Marketplace application. As such, I do not think that we are considered a "CPV".)

Level 5 Contributor

Not a Microsoft employee, but... if you're interacting with any Partner Center APIs, I'd recommend:

  1. Investigating the level of effort required to adopt the Secure Application Model
  2. Evaluating the risk to your business if one of the Partner Center APIs you use suddenly requires "App+user" authentication
  3. Scheduling the work for some point in the near future
  4. Preparing people for the possibility of your integration breaking until the work is completed

In other words, using any integration still using App-Only authentication may work today... but only integrations using Secure Application Model for App+User authentication are sure to work tomorrow.

Microsoft

If you are using app only, Secure App Model does not apply, since authentication will not happen using delegated permissions: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#i-am-a-csp-that-is-using-app-only-authentication-do-i-need-to-make-any-changes

The Secure App Model documentation does only apply to "app+user" model, so "app only" is not discussed in there at all.

Kind regards,
Janosch
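The distinction both replies turn on (app-only versus app+user/delegated) is visible in the access token itself: Azure AD issues delegated tokens with an `scp` claim, and app-only tokens with a `roles` claim (and, in newer tokens, `idtyp: app`). The following is an added example, not code from the thread or from Microsoft, that inspects a token's claims so you can confirm which model an existing back-end integration actually uses. The sample tokens are constructed and unsigned; the audience and role values are placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    # Parse the payload segment only. This does NOT verify the signature;
    # it is an inspection aid for tokens you obtained yourself, never an
    # authorization check on tokens presented by a caller.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_auth_model(token: str) -> str:
    # "scp" carries delegated permissions, i.e. a user signed in: this is the
    # app+user model that the Secure Application Model applies to.
    # "roles" (application permissions) or idtyp=app means client-credentials
    # app-only auth, which the Microsoft reply says is outside Secure App Model.
    claims = jwt_claims(token)
    if "scp" in claims:
        return "app+user"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "app-only"
    return "unknown"


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples; aud/appid/role names are placeholders, not real values.
APP_ONLY_TOKEN = make_sample_token(
    {"aud": "<partner-center-api>", "appid": "<client-id>", "idtyp": "app",
     "roles": ["<application-permission>"]})
DELEGATED_TOKEN = make_sample_token(
    {"aud": "<partner-center-api>", "appid": "<client-id>",
     "scp": "user_impersonation", "upn": "admin@example.onmicrosoft.com"})
```

Run `classify_auth_model` on a token your integration obtained from the token endpoint: "app+user" means you are in Secure Application Model territory, "app-only" means the client-credentials model the original poster describes.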