
Secure Application Model

As a CSP partner we have already implemented the Secure Application Model, and we use the RefreshToken to retrieve an AccessToken to use with the Partner Center API.


We used to access customers' AAD using the Azure CLI in order to create a new Service Principal (https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac) and then deploy new VMs using the Azure REST API with AppId+AppSecret credentials. This is no longer possible, as Az does not support authentication using an AccessToken.


Therefore it has been suggested that we use the Azure REST API (GraphRbacManager) to create the ServicePrincipal using AccessToken authentication, but this results in an "Access Token missing or malformed." response for any "graph" operation; for all other "arm" operations we do not have any issues.


// Tokens for the two audiences the fluent SDK needs: ARM for resource operations, AAD Graph for directory/RBAC operations.
var arm = this.GetAccessToken(partnerAccount, customer.TenantId, "https://management.azure.com/");
var graph = this.GetAccessToken(partnerAccount, customer.TenantId, "https://graph.windows.net/");

// Authenticate with pre-acquired bearer tokens instead of AppId + AppSecret.
var azure = Azure.Authenticate(
    new AzureCredentials(
        new TokenCredentials(arm.AccessToken),
        new TokenCredentials(graph.AccessToken),
        customer.TenantId,
        AzureEnvironment.AzureGlobalCloud))
    .WithSubscription(customer.AzureSubscriptionId);

// Exception is here ("Access Token missing or malformed."): the graph token is rejected.
var app = azure.AppServices.GraphRbacManager.Applications.GetByName(appName);

// No exception here: the ARM token is accepted for resource operations.
var addresses = azure.PublicIPAddresses.List();

"GetAccessToken" is a method that uses the RefreshToken to obtain the AccessToken; the third argument is the audience.


I am wondering what is wrong with the Graph AccessToken and whether someone knows of any specific way to retrieve that token.
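As an added example (not code from the post above or from Microsoft's SDK), the following Python shows the Azure AD v1 refresh-token grant that the Secure Application Model uses to obtain an access token for one specific audience, plus a local check of the token's aud claim before the token is handed to a resource API. The tenant, client, secret and token values are constructed placeholders, and the JWT built for the demonstration is unsigned.

```python
import base64
import json
from urllib.parse import urlencode


def refresh_token_request(tenant_id: str, client_id: str, client_secret: str,
                          refresh_token: str, resource: str) -> tuple:
    """Build the Azure AD v1 refresh-token grant used by the Secure Application
    Model. Returns (token_endpoint, form_body). The 'resource' value selects the
    audience that the resulting access token will carry in its 'aud' claim."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": resource,
    })
    return endpoint, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token: str) -> str:
    """Read the 'aud' claim from a JWT without verifying the signature.
    Local diagnostic only: the resource API still validates the token itself."""
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("aud", "")


def is_token_for(access_token: str, resource: str) -> bool:
    """True when the token was issued for the intended resource (for example
    https://graph.windows.net/). A token minted for the ARM audience will be
    rejected by AAD Graph, so check this before the call rather than after."""
    return token_audience(access_token).rstrip("/") == resource.rstrip("/")


def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```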


@alexstucchi Usually the error you are encountering means that you are trying to use the refresh token instead of an access token when performing operations against the API. Based on what you shared, this does not sound like your issue. Since you are looking to create a service principal in a customer's environment, I would actually recommend using the Partner Center API, Azure AD PowerShell, Azure PowerShell, or Microsoft Graph.


You can find an example of how to create a service principal using the Partner Center API here. Note this will need to be a reference to an existing Azure AD application.