Hero Banner

Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Take the survey
Reply
akumar
Level 4 Contributor
‎07-16-2019 07:16 AM
Level 4 Contributor
‎07-16-2019 07:16 AM

Why setting ApplicationGrant for customer id

while looking into cpvsample for Security App Model I see following code

 

if(StringUtils.isNoneBlank(customerId))
        {
            ApplicationGrant azureAppGrant = new ApplicationGrant();

            azureAppGrant.setEnterpriseApplication("797f4846-ba00-4fd7-ba43-dac1f8f63013");
            azureAppGrant.setScope("user_impersonation");

            ApplicationGrant graphAppGrant = new ApplicationGrant(); 

            graphAppGrant.setEnterpriseApplication("00000002-0000-0000-c000-000000000000");
            graphAppGrant.setScope("Domain.ReadWrite.All,User.ReadWrite.All,Directory.Read.All");
    
            ApplicationConsent consent = new ApplicationConsent();

            consent.setApplicationGrants(Arrays.asList(azureAppGrant, graphAppGrant));
            consent.setApplicationId(properties.getProperty(PropertyName.PARTNER_CENTER_CLIENT_ID));
            consent.setDisplayName(properties.getProperty(PropertyName.PARTNER_CENTER_DISPLAY_NAME));

            // Deletes the existing grant into the customer it is present.
            partnerOperations.getServiceClient().delete(
                partnerOperations,
                new TypeReference<ApplicationConsent>(){},
                MessageFormat.format(
                    "customers/{0}/applicationconsents/{1}", 
                    customerId, 
                    properties.getProperty(PropertyName.PARTNER_CENTER_CLIENT_ID)));

            // Consent to the defined applications and the respective scopes.
            partnerOperations.getServiceClient().post(
                partnerOperations, 
                new TypeReference<ApplicationConsent>(){},
                MessageFormat.format(
                    "customers/{0}/applicationconsents", 
                    customerId),
                consent);
        }

What is the use of this code? What should be customer id? and when above blck of code is used?

while setting 

azureAppGrant.setEnterpriseApplication("797f4846-ba00-4fd7-ba43-dac1f8f63013");

graphAppGrant.setEnterpriseApplication("00000002-0000-0000-c000-000000000000");

in above code  hardcoded values are used?

 

Is this the same harcoded value we need to use? if not what should be this EnterpriseApplication value and where will I get these values?

Labels:
0 Kudos
6 REPLIES 6
idwilliams
Moderator
‎07-16-2019 05:37 PM
Moderator
‎07-16-2019 05:37 PM

With the Control Panel Vendor (CPV) model there is not a relationship between the CPV and the customer. So, this means features like pre-consent cannot be leveraged because that requires a relationship with the customer (which is what a partner has through the CSP program). To ensure the control panel can perform operations against a customer you will need to create an application grant. Through this process consent for the Azure AD application used by the CPV is being granted with the specified scopes. 

 

The value 00000002-0000-0000-c000-000000000000 is the application identifier for Microsoft Graph. When this consent is used the CPV will be able to perform operations using Microsoft Graph against the customer. The value 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the application identifier for the Azure Resource Manager. When this consent used the CPV will be able to perform operations using the ARM API.

 

Finally, the customer identifier value is the Azure AD tenant identifier for the customer. I hope that this provide some clarification. Please let us know if you have any concerns or questions.

 

 

0 Kudos
akumar
Level 4 Contributor
‎07-16-2019 07:12 PM
Level 4 Contributor
In response to idwilliams
‎07-16-2019 07:12 PM

Thanks for your answer, so as per you if CPV wants to do any operation on behalf of customer we need to use this code? Can you little more explain what all opertaions(may be some example) CPV needs to do against a customer that can not be done using partner consent? and while doing these operation we will use same token as we obtained with partner consent or need to get seperate token for each customer?

 

also while setting consent why only 2 application GRAPH and RESOURCE API is done, do we need to set PARTNER CENTER API application identifier to if CPV wants any operation on PARTNER CENTER against customer? if Yes what is the application identifer for this?

 

Are these application identifier fixed or will be change based on the CPV partner environment?

0 Kudos
idwilliams
Moderator
‎07-17-2019 08:28 AM
Moderator
In response to akumar
‎07-17-2019 08:28 AM

The only relationship that exist is between the partner and customer. So, as CPV you have to programmatically create the application consent or have each of the parnter's customers consent to the application. Having each of the partner's customers take action is not scalable, so it is highly recommended that you create the application consent. Through the creation of the application consent you are able to perform operations against a customer using the partner's credentials. Without this CPVs would not be able to perform actions against the customer that require an API other than the Partner Center API. 

 

You do not need to add the Partner Center API application grant because the API is only available to partners and not customers. Also, you cannot use the Partner Center API to create an application consent the partner level, it is only possible to do that against a customer. Note the application identifiers for Azure Resource Manager (ARM) and Microsoft Graph are fixed values.

0 Kudos
akumar
Level 4 Contributor
‎07-17-2019 09:27 AM
Level 4 Contributor
In response to idwilliams
‎07-17-2019 09:27 AM

Sorry I am not able to understand, what do you mean by statement "Through the creation of the application consent you are able to perform operations against a customer using the partner's credentials." ? Can you little bit eleborate what operation you talking about?

 

also just creating CPV app consent is the sufficient to perform these operations? Is there any token acquire needed to perform these operation against a customer?

 

In the given sample I see two methods "RunAzureTask" and "RunGraphTask" , so are you taking about these 2 operations which is done against customer and for doing these two opeartions Apllication Consent is required?

 

0 Kudos
idwilliams
Moderator
‎07-28-2019 08:58 PM
Moderator
In response to akumar
‎07-28-2019 08:58 PM

Since there is not a relationship between a CPV and customer, you need to create the application grant. If this is not done, then you will not be able to leverage any API (such as Azure Resource Manager, Microsoft Graph, etc.) without getting the partner's customer explicitly granting this permission through the Azure AD consent framework. If you control panel is only leveraging the Partner Center API/SDK, then you do not need to worry about creating these consents. They are only required when a CPV is utilizing an API such Microsoft Graph to perform an operation against an end customer's environment. Once the CSP partner has perform the consent process you will be able to create these applications grants. There is no need to get an access token in the context of a customer because the creation of these grants is done through the Partner Center API. So, you will need a token (that is in the context of the CSP that owns the customer) for the Partner Center API.

 

The RunAzureTask and RunGraphTask functions in that sample project, demonstrate how you can use the Azure Resource Manager and Microsoft Graph APIs to perform an operation against a customer. You are correct that the application grant needs to be created so you will be able to perform these operations.

0 Kudos
akumar
Level 4 Contributor
‎07-30-2019 01:56 AM
Level 4 Contributor
In response to idwilliams
‎07-30-2019 01:56 AM

Thanks for detailed explanation, but I am able to run RunAzureTask  without creating custmer grant.

I have commented RunPartnerCenterTask method(which is creating grant) in the sample and run only the RunAzureTask function (which is simply calling azure apis without creating grant) and I see successful output.

 

Also is there any way in portal where I can see such customer grant if it has been created via code.I want to check if that grant is already present or not?

0 Kudos
Follow Us
    Share