
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

luckycharms
Level 2 Contributor

Enabling MFA via API

Good afternoon!

We're currently implementing our Office 365 reseller solution as a CSP. We've been in the process of setting up the Partner Center (and Microsoft Graph) APIs so that we can create customers on our tenant, create users within those customers and assign licenses as needed.


Via HTTP calls (based off of PowerShell), we were able to get app auth on our tenant, create the customer & users, get the app + user auth for the user, then assign licenses.


I'm having a bit of trouble understanding how to work MFA into our solution. Would it be possible to use some kind of access token from our single app to allow this? I also see the managed identities, but that requires using Azure Active Directory & an Azure VM, which we don't use.


kevensantos
Level 1 Contributor

We use the REST and Graph APIs to provide Office 365; we already automated this before the apk launch. Is it mandatory to use the secure app model?


Partner Center REST API

https://docs.microsoft.com/en-us/partner-center/develop/partner-center-rest-api-reference


Microsoft Graph API

https://docs.microsoft.com/pt-br/graph/api/overview?view=graph-rest-1.0

idwilliams
Moderator

Hi @kevensantos


You will be required to enforce MFA for each user account, including service accounts, in your partner tenant. If you are using app + user authentication to connect to any Microsoft API (e.g. Azure Resource Manager, Microsoft Graph, Partner Center, etc.), then you will need to follow the Secure Application Model framework. However, if you are using app-only authentication, then there is no action required.

JonW
Level 4 Contributor

Yup!

AidanDXC
Visitor 1

@idwilliams As a follow-on to this topic: if we have a solution running as a service against multiple tenants that retrieves customer billing information via an API call that references an XML file behind a Key Vault containing <userName><password><appId> for each tenant, is this compliant with the secure application model?

If this is not compliant can you advise how we can implement an alternative solution that is compliant and does not require any interactive input, as this must run as a service against multiple tenants on a regular basis?


NOTE: All our interactive processes are MFA compliant, including the dashboard developed to reference the data returned from this service. My question relates to managing a service that is running in the background.

Look forward to clarification on this matter.


idwilliams
Moderator

Currently there is not an API/SDK that will allow you to enable or disable Azure MFA or manage conditional access rules. However, when it comes to the management of your customers, you can use a multi-tenant application from your partner directory. When you generate the access token for this, you will want to use credentials that have Admin Agent privileges, so that the token can be used to perform most operations.

luckycharms
Level 2 Contributor

Hi Isaiah,


We're not trying to enable/disable MFA auth via API.


We are generating an access token currently, though, and we have this automated. However, when we enable MFA, that automation breaks because we can't respond to the MFA in an automated way. How can one get that access token with MFA enabled, but not have to accept the MFA notification?


If it helps, we're using the command `New-PartnerAccessToken` to do this.

idwilliams
Moderator

You will need to implement the Secure Application Model framework. This means you will perform the authentication interactively. The response back from Azure AD will include an access token and a refresh token. You will want to store the refresh token somewhere secure because that is the value you will use for credentials when you cannot perform an operation automatically. You can find more information as it relates to the Partner Center PowerShell module here.
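The flow idwilliams describes, written out as an added example with the PartnerCenter and Az.KeyVault modules (this is not code from the thread or from Microsoft's documentation); it also answers the earlier question about storing a username/password per tenant, since only the refresh token and the app secret are persisted. The app id, tenant names, Key Vault name and secret names are placeholders.

```powershell
# Added example: Secure Application Model with the PartnerCenter and Az.KeyVault modules.
# All ids, tenant names and vault/secret names below are placeholders, not real values.
Import-Module PartnerCenter
Import-Module Az.KeyVault

$appId           = '00000000-0000-0000-0000-000000000000'  # multi-tenant app in the partner tenant
$partnerTenantId = 'partner.onmicrosoft.com'
$vaultName       = 'contoso-csp-kv'
$refreshSecret   = 'PartnerCenterRefreshToken'
$appSecretName   = 'PartnerAppSecret'                      # app secret already stored in the vault

# Step 1 (one time, interactive): an Admin Agent signs in and completes MFA.
# The authorization-code flow returns an access token and a refresh token.
$consent = New-PartnerAccessToken -ApplicationId $appId `
    -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' `
    -UseAuthorizationCode -Tenant $partnerTenantId

# Step 2: persist only the refresh token, in Key Vault rather than a file or config.
Set-AzKeyVaultSecret -VaultName $vaultName -Name $refreshSecret `
    -SecretValue (ConvertTo-SecureString $consent.RefreshToken -AsPlainText -Force) | Out-Null

# Step 3 (unattended, every run): exchange stored refresh token + app credential for a
# fresh access token. No MFA prompt occurs; the interactive sign-in already satisfied it.
function Get-UnattendedPartnerToken {
    param(
        [Parameter(Mandatory)][string] $Scope,       # e.g. 'https://graph.microsoft.com/.default'
        [string] $TenantId = $partnerTenantId        # pass a customer tenant for customer-scoped calls
    )
    $refreshToken = Get-AzKeyVaultSecret -VaultName $vaultName -Name $refreshSecret -AsPlainText
    $appSecret    = Get-AzKeyVaultSecret -VaultName $vaultName -Name $appSecretName -AsPlainText
    $credential   = New-Object System.Management.Automation.PSCredential(
        $appId, (ConvertTo-SecureString $appSecret -AsPlainText -Force))

    $token = New-PartnerAccessToken -ApplicationId $appId -Credential $credential `
        -RefreshToken $refreshToken -Scopes $Scope -ServicePrincipal -Tenant $TenantId

    # Azure AD may hand back a newer refresh token; keep the vault copy current so the
    # service keeps working when the old token reaches the end of its lifetime.
    if ($token.RefreshToken -and $token.RefreshToken -ne $refreshToken) {
        Set-AzKeyVaultSecret -VaultName $vaultName -Name $refreshSecret `
            -SecretValue (ConvertTo-SecureString $token.RefreshToken -AsPlainText -Force) | Out-Null
    }
    return $token.AccessToken
}

# Usage: a Graph call against a customer tenant from the background service.
$graphToken = Get-UnattendedPartnerToken -Scope 'https://graph.microsoft.com/.default' `
    -TenantId 'customer.onmicrosoft.com'
Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users' `
    -Headers @{ Authorization = "Bearer $graphToken" }
```

The account used in step 1 should be a dedicated Admin Agent identity with MFA enforced, and the Key Vault access policy should grant the service only `get`/`set` on these two secrets.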

luckycharms
Level 2 Contributor

Hi @idwilliams, we're implementing the refresh token. Do you know how long the token lasts before it expires? Is there somewhere that documents this?

luckycharms
Level 2 Contributor

Awesome, thanks Isaiah. That refresh token should work for us!