Multi-Factor Authentication (MFA)

YannickJ · ‎01-14-2020

We are currently automating the deployment of one of our IPs as follows:

a) Logon with SPN that has permission on PartnerCenter via a secure token (so no MFA)

a) Create Tenant

b) Add Azure Subscription

c) Logon to newly created Subscription with a Service Account (global admin)

d) Deploy resources to resource group

This previously kept working with Baseline policies since the Service-account account never logs on interactively. However with Security Defaults it seems that MFA is forced anyway.

Is there currently a way to give permissions to a SPN on a newly created Azure Subscription without having to logon interactively one time for MFA? As far as I know the only users that are granted permissions on a new subscription is the Admin Agents group which is of course included in the Security Policy.

Thanks!

JanoschUlmer · ‎01-15-2020

When Secure App Model was implemented for login in to Partner Center or calling the Partner Center API, it is using MFA (During App registration MFA had to be used, consequently the token used to access the services API contains a MFA claim). If you never used MFA and when you are now hit be the MFA enforcement it means you did not yet correctly implement the secure app model, which is required.

https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model

BTW - Also the Security Compliance report in Partner Center should have displayed a lower number than 100% for API/SDK access and/or user access.

Also if you are not using the APIs, but rather a Powershell script the same applies, for automated scripting via Powershell the same method has to be used and you need to login using a token to do management in the customer environment: https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model#powershell

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)

YannickJ · ‎01-15-2020

Hi Janosch

Thanks for the quick reply but I think you misunderstand. The Partnercenter part of the automation is working fine (even with MFA enabled) by following the Secure App Model.

Our issue lies a step further in the process on the Azure Resource Manager layer where we need to be able to modify permissions on the Azure subscription level. Since a new Azure Subscription only has Admin Agents as owner we need to logon interactively if we want to add service principals in order to automatically deploy resources. We want to avoid any manual steps in the entire process.

JanoschUlmer · ‎01-15-2020

No, I don't understand, yet 🙂

When you can authenticate to the customer tenant using a token you should also be able to use the AZ module to set additional permissions and to create a ServicePrincipal.

https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5#azure

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadserviceprincipal?view=azps-3.3.0

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)

YannickJ · ‎01-17-2020

Hi Janosch,

Thanks. I think we figured it out and got it working. The issue was that we were basing some of our work on documentation that was somewhat out of date. This link is the one that actually made it 'click' for us was:

https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0

There are a few slight errors in the code there but nothing major.

Multi-Factor Authentication (MFA)

CSP - Automated Script - Setting permission on subscription level

Product and Services

Emerging Technologies

Developer & IT

Partner

Industries

Other