Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
YannickJ
Level 2 Contributor

CSP - Automated Script - Setting permission on subscription level

We are  currently automating the deployment of one of our IPs as follows:

 

a) Logon with SPN that has permission on PartnerCenter via a secure token (so no MFA)

a) Create Tenant

b) Add Azure Subscription

c) Logon to newly created Subscription with a Service Account (global admin)

d) Deploy resources to resource group

 

This previously kept working with Baseline policies since the Service-account account never logs on interactively. However with Security Defaults it seems that MFA is forced anyway.

 

Is there currently a way to give permissions to a SPN on a newly created Azure Subscription without having to logon interactively one time for MFA? As far as I know the only users that are granted permissions on a new subscription is the Admin Agents group which is of course included in the Security Policy.

 

Thanks!

 

 

4 REPLIES 4
JanoschUlmer
Microsoft

When  Secure App Model was implemented for login in to Partner Center or calling the Partner Center API, it is using MFA (During App registration MFA had to be used, consequently the token used to access the services API contains a MFA claim). If you never used MFA and when you are now hit be the MFA enforcement it means you did not yet correctly implement the secure app model, which is required.

https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model 

 

BTW - Also the Security Compliance report in Partner Center should have displayed a lower number than 100% for API/SDK access and/or user access.

 

Also if you are not using the APIs, but rather a Powershell script the same applies, for automated scripting via Powershell the same method has to be used and you need to login using a token to do management in the customer environment: https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model#powershell

 

 

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
YannickJ
Level 2 Contributor

Hi Janosch

 

Thanks for the quick reply but I think you misunderstand. The Partnercenter part of the automation is working fine (even with MFA enabled) by following the Secure App Model.

Our issue lies a step further in the process on the Azure Resource Manager layer where we need to be able to modify permissions on the Azure subscription level. Since  a new Azure Subscription only has Admin Agents as owner we need to logon interactively if we want to add service principals in order to automatically deploy resources.  We want to avoid any manual steps in the entire process.

JanoschUlmer
Microsoft

No, I don't understand, yet 🙂

When you can authenticate to the customer tenant using a token you should also be able to use the AZ module to set additional permissions and to create a ServicePrincipal.

https://docs.microsoft.com/en-us/powershell/partnercenter/secure-app-model?view=partnercenterps-1.5#azure  

https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azadserviceprincipal?view=azps-3.3.0

 

 

 

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
YannickJ
Level 2 Contributor

Hi Janosch,

 

Thanks. I think we figured it out and got it working. The issue was that we were basing some of our work on documentation that was somewhat out of date. This link is the one that actually made it 'click' for us was:

https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0

 

There are a few slight errors in the code there but nothing major.