Secure Application Model

Learn and ask questions on how to implement secure application model

Level 1 Contributor

Simple daemon API access

We have some in house code that uses API calls under /analytics to gather license counts and things of that sort. It is written in PHP using curl to perform REST calls and is run nightly.


From what I am reading and am pulling from the docs, it sounds like this is going to have to be converted to use the Secure Application Model, since some of the API endpoints seem to require user authentication. But there is almost no documentation that seems to address this very simplistic access model. And I'm sure that we've given too much access to the current code, so I'd like to clean that up as well.


One support ticket so far has pointed me here and pretty much told me that I can't use REST under the Secure Application Model, but that doesn't seem right. Maybe I'll have to do something interactive up front to get the first token, but after that it seems like I should be able to continue to just use simple REST calls.


Are there any streamlined docs that might address my use case? And might there be a doc that discusses how privileges for the API user mix with privileges for the app registration? I'm used to other API models that only have a single point of authorization and authentication via API keys.


@spirejoey, the attached document has the guidance that you are seeking. We will be getting this information incorporated into the documentation that is available on docs.microsoft.com in the coming days. Please let us know if you have any concerns or questions.


@spirejoey, you can access the REST API via the Secure Application Model using PHP. As you suggested, you need to complete an interactive logon with MFA up front in order to obtain a refresh token that you can securely store and use in place of user credentials. The refresh token expires every 90 days. Given your script runs nightly, it would make sense to obtain and store a new refresh token as part of your script.


With respect to code examples, we don't have any available in PHP but we do have some available in .NET. Have you reviewed the code samples located on the Partner Center authentication page?
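The nightly refresh cycle described above, written for the original poster's stack (PHP with curl), as an added example that is not code from this thread or from Microsoft's samples. It assumes a confidential app registration with a client secret, the Azure AD v1 token endpoint and Partner Center resource URL shown (check both against the Partner Center authentication docs), and that the first refresh token was obtained from the one-time interactive MFA logon and saved to the file path used below.

```php
<?php
// Added example, not Microsoft's sample code. Tenant/app ids, file path and the
// resource URL are assumptions; the refresh token came from a one-time MFA logon.
const TENANT_ID  = 'TENANT-ID-PLACEHOLDER';
const CLIENT_ID  = 'APP-ID-PLACEHOLDER';
const RESOURCE   = 'https://api.partnercenter.microsoft.com';
const TOKEN_FILE = '/var/lib/pc-license-job/refresh_token'; // mode 0600, job user only

// Exchanges the stored refresh token for an access token and persists the
// rotated refresh token, so a nightly run never lets the 90-day lifetime lapse.
function refreshAccessToken(): string
{
    $refreshToken = trim((string) file_get_contents(TOKEN_FILE));
    $secret = getenv('PC_CLIENT_SECRET'); // secret from the environment, never hard-coded
    if ($refreshToken === '' || $secret === false) {
        throw new RuntimeException('missing refresh token or client secret');
    }
    $ch = curl_init('https://login.microsoftonline.com/' . TENANT_ID . '/oauth2/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
            'client_id'     => CLIENT_ID,
            'client_secret' => $secret,
            'resource'      => RESOURCE,
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $resp = json_decode((string) $body, true);
    if ($status !== 200 || empty($resp['access_token'])) {
        // Surface only the error code; do not log the raw response or any token
        throw new RuntimeException('token refresh failed: HTTP ' . $status . ' ' . ($resp['error'] ?? ''));
    }
    // Azure AD returns a new refresh token: write it atomically with restrictive permissions
    if (!empty($resp['refresh_token'])) {
        $tmp = TOKEN_FILE . '.tmp';
        file_put_contents($tmp, $resp['refresh_token'], LOCK_EX);
        chmod($tmp, 0600);
        rename($tmp, TOKEN_FILE);
    }
    return $resp['access_token'];
}

// Nightly job: every Partner Center REST call carries the short-lived access token
$headers = ['Authorization: Bearer ' . refreshAccessToken(), 'Accept: application/json'];
```

The access token is only held in memory for the run; the only secret on disk is the rotated refresh token, which is why its file permissions and the app registration's consented permissions set the blast radius if the host is compromised.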

Level 1 Contributor

I've read through all kinds of docs. None of them seem to show how to do REST calls to pass in the "refresh tokens" and get new ones. And it sounds like you first have to convert the "refresh token" into an "auth token", which is probably the same as we used before after a simple OAuth call. Maybe I have just managed to continually overlook the info.


And I also can't find info about how the permissions for the user and the permissions for the app id interact. I'd like to understand the minimal authorization to give just to accomplish my task. Up to now it looks like we have just given the user admin privs, which seems excessive, but maybe is required for the MFA to be trusted to access API calls?

Level 1 Contributor

My suggestion would be to put your license checks into Azure Runbooks, so that you can use the PowerShell modules available. If you have a MySQL database, you can utilize Microsoft Flow to have the Runbooks send JSON data to Flow as an HTTP request and then insert the data from there. It would require some changes, but I think it is doable. Let me know if you need additional assistance on this!