Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Level 4 Contributor

How can CPVs determine the least permissive role required for their application?

Is there a way to relate APIs permissions back to Admin Roles?

Why: CPVs need to provide documentation that clearly defines the minimum permissions required for the user who's providing consent. Microsoft has a ton of assets that cover API permissions and Admin Roles, but nothing seems to connect the two.

Goal: We want to tell partners that the user providing consent requires the XXXXX role in Azure AD and XXXXX role in Partner Center to run properly.

Context

Let's say a CPV has a multi-tenant application with API permissions (some of which require "Admin Consent") to Partner Center, Microsoft Graph, and Office 365 Management APIs. Of the 30+ administrator roles in Azure AD & 5+ admin roles in Partner Center, how can a CPV determine the least permissive role required for their application?

The "Application administrator" role looks promising, but explicitly excludes Microsoft Graph (see paragraph under "Delegate app administrator"). The "Global administrator" role definitely works and seems to be required for CPVs (see CPV in Partner Center's Permissions Overview), but I feel like I'm missing something.

What Happens If CPVs Can't Do This

CPVs and Partners will have to provide consent via a user with the Global Admin role (a security concern) or determine the appropriate minimum permission set thru trial and error (a PITA).

Accepted Solutions
Microsoft

Re: How can CPVs determine the least permissive role required for their application?

The consent process can get complicated quickly, especially if the CPV is requiring admin consent by specifying the admin_consent value for the prompt query string parameter. When that value is present in the login.microsoft.com URL, it will require a user with the Global Admin role assigned to perform the consent. Our recommendation is that partners use an account that has the Admin Agent and Application Administrator roles assigned. That way consent can be performed and the resulting token will be able to perform all operations the Partner Center API currently supports.

Note, the use of the Application Administrator role has been tested and it works as expected when the CPV is not forcing an admin consent.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
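A quick way to verify the point made in this answer, namely whether a CPV's authorization request forces admin consent (and therefore a Global Admin) or can be consented to by an account holding the Admin Agent and Application Administrator roles, is to audit the authorization URL the application actually sends users to. The check below is an added example, not code from this thread or from Microsoft. It assumes the login host is login.microsoftonline.com, that the role names are exactly those used in the answer, and it also recognises the v2.0 endpoint's dedicated /adminconsent path, which the thread does not mention; the sample URLs, client ID and redirect URI are constructed placeholders.

```python
"""Check whether an Azure AD authorization request forces admin consent.

Added example, not code from this thread or from Microsoft. It assumes the
login host is login.microsoftonline.com and that the role names below are
exactly those used in the accepted answer; the sample URLs are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Roles the accepted answer says suffice when admin consent is NOT forced.
LEAST_PRIVILEGE_ROLES = ["Admin Agent", "Application administrator"]
# Role the accepted answer says is needed when the request forces admin consent.
FORCED_CONSENT_ROLES = ["Global administrator"]

# Constructed sample requests (placeholder client_id and redirect URI).
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
FORCED_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    f"?client_id={PLACEHOLDER_CLIENT_ID}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcpv.example%2Fcallback"
    "&resource=https%3A%2F%2Fapi.partnercenter.microsoft.com"
    "&prompt=admin_consent"
)
PLAIN_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    f"?client_id={PLACEHOLDER_CLIENT_ID}&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcpv.example%2Fcallback"
    "&resource=https%3A%2F%2Fapi.partnercenter.microsoft.com"
)


def audit_consent_url(url: str) -> dict:
    """Return what the request asks for and which roles the consenting user needs."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    # prompt may carry several space-separated values; flatten them into a set.
    prompt_values = set()
    for raw in query.get("prompt", []):
        prompt_values.update(raw.split())

    # v1 endpoint: prompt=admin_consent (the case discussed in the answer).
    # v2.0 endpoint: a dedicated /adminconsent path (assumption: not in the thread).
    forces_admin_consent = (
        "admin_consent" in prompt_values
        or parsed.path.rstrip("/").endswith("/adminconsent")
    )

    return {
        "host": parsed.hostname,
        "client_id": query.get("client_id", [None])[0],
        "resource": query.get("resource", [None])[0],   # v1-style audience
        "scopes": query.get("scope", [""])[0].split(),  # v2-style scopes
        "forces_admin_consent": forces_admin_consent,
        "roles_needed": list(
            FORCED_CONSENT_ROLES if forces_admin_consent else LEAST_PRIVILEGE_ROLES
        ),
    }


if __name__ == "__main__":
    for label, url in (("forced", FORCED_URL), ("plain", PLAIN_URL)):
        report = audit_consent_url(url)
        print(
            f"{label}: forces_admin_consent={report['forces_admin_consent']} "
            f"roles_needed={report['roles_needed']}"
        )
```

Run it against the URL your application builds (or the one captured from a browser's address bar during sign-in); if `forces_admin_consent` comes back true, the partner will need a Global Admin to consent, otherwise the lower-privilege role pair from the answer applies.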
Level 4 Contributor

Re: How can CPVs determine the least permissive role required for their application?

@idwilliams: Thank you for that! I don't believe we're specifying the admin_consent value in the query, so we should be good there.

Hopefully this guidance proves useful for all partners. Much appreciated!