
Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Level 4 Contributor

Seeing 2 refresh tokens after partner consent



While running the partnerconsent sample provided by Microsoft, when I give consent to the CPV app from my partner login, sometimes I see 2 refresh tokens in Azure Key Vault, 1 for the partner tenant and the other for the CPV tenant. But sometimes only 1 is created, for the partner tenant.


I am confused, what should be the expected flow? Should I not get only one refresh token, for the partner tenant, as he has given consent? Why am I seeing a refresh token for the CPV tenant?


Please help.


@akumar just to confirm, you are using this sample, correct?


During the partner consent process it should only create, or update, one refresh token. That refresh token should be for the partner that just performed the consent. I will review the sample code to see why you might be encountering this behavior.

Visitor 1

Also, once I give consent for my CPV app from my CSP user login, I see an Azure Active Directory got created with my CPV tenant name. Is it a desired behaviour?


So when I log in with my CSP account I see 2 directories, one for my CPV and one for CSP.


Please let me know if something is wrong from my side or it's desired behaviour?

Level 4 Contributor

@akumar each time someone authenticates using that sample a refresh token value will be stored/updated in Key Vault. The code that performs this operation can be found here. So, if you have authenticated using a user from your CPV tenant there will be a refresh token for your CPV tenant. When everything is deployed and you are on-boarding new customers (partners who are in the CSP program), then they will authenticate and the result of that authentication will be that a refresh token is stored/updated for that environment. 


The Azure AD tenant identifier is used as the name of the key. This value is the same for all users in a given tenant. So, if two different users from the same Azure AD tenant walk through this process you will only have one refresh token for this customer.

Level 4 Contributor

I have not explicitly given consent from my CPV user; maybe I have logged in with that user in Chrome and it has used it by default. So it looks like all the users whose session is present in Chrome are the culprit of this. It creates a refresh token for all those tenants.


@akumar that is not expected because once the authentication is successful an authorization code is returned. That code is then used to request an access token. However, I think that I might see what might be causing some unexpected behavior. Can you open an issue for this defect?

Level 4 Contributor
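
The storage behaviour described in this thread (one Key Vault entry per Azure AD tenant ID, created or overwritten on every sign-in), as an added example that is not part of the thread or of Microsoft's sample. An in-memory dictionary stands in for Key Vault, the tenant IDs, users and tokens are constructed, and `TokenVault`, `replay` and the `skip_own_tenant` guard are hypothetical names; the guard assumes the CPV does not want a token stored for its own tenant.

```python
import base64
import json

CPV_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed value
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed value

def make_id_token(tid, user):
    """Build an unsigned, constructed JWT carrying only the claims used here."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"tid": tid, "preferred_username": user}), ""])

def tenant_of(id_token):
    """Read the tid claim. A real service validates the token signature first."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["tid"]

class TokenVault:
    """In-memory stand-in for Key Vault: secret name -> refresh token."""
    def __init__(self, own_tenant, skip_own_tenant=False):
        self.own_tenant = own_tenant
        self.skip_own_tenant = skip_own_tenant
        self.secrets = {}

    def on_authenticated(self, id_token, refresh_token):
        tid = tenant_of(id_token)
        if self.skip_own_tenant and tid == self.own_tenant:
            return None                      # hypothetical guard: nothing stored
        self.secrets[tid] = refresh_token    # tenant ID is the name: create or overwrite
        return tid

def replay(skip_own_tenant):
    """Replay three constructed sign-ins and return the resulting vault contents."""
    vault = TokenVault(CPV_TENANT, skip_own_tenant)
    sign_ins = [
        (PARTNER_TENANT, "admin1@partner.example", "rt-partner-1"),
        (PARTNER_TENANT, "admin2@partner.example", "rt-partner-2"),
        (CPV_TENANT, "dev@cpv.example", "rt-cpv-1"),  # e.g. a cached browser session
    ]
    for tid, user, refresh_token in sign_ins:
        vault.on_authenticated(make_id_token(tid, user), refresh_token)
    return vault.secrets

if __name__ == "__main__":
    print(replay(skip_own_tenant=False))  # two entries: partner and CPV tenant
    print(replay(skip_own_tenant=True))   # one entry: partner tenant only
```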