Secure Application Model

Secure Application Model – Azure AD Application

UPDATE: The PartnerCenter PowerShell Module has been updated to v3.0. Be sure to update with Update-Module -Name PartnerCenter!

The Secure Application Model is a new framework that Cloud Solution Provider partners can use to authenticate to the Partner Center and more. Partners need to perform a consent process that generates an Access Token and a Refresh Token. These tokens are then used to interact with the API.

In order to get the tokens, an Azure AD Application is required. It’s pretty easy to do this using a PowerShell script that I’m happy to share. The only requirement to run the script below is the Azure AD PowerShell module. The output is an AccessToken and an Exchange AccessToken that you can store for later use. I highly recommend storing these values in an Azure Key Vault.

Have a look at Kelvin’s blog about creating the Secure Application Model app and connecting to all Microsoft 365 services. Great script with easy-to-read output!

[CmdletBinding()]
param (
    [Parameter(
        Mandatory = $true,
        HelpMessage = "DisplayName of the application",
        Position = 1
    )][string] $DisplayName
)

#region AzureAD
$AADModule = Get-Module -Name "AzureAD" -ListAvailable
if ($null -eq $AADModule) {
    $AADModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
## No AzureAD or AzureADPreview installed? Stop here instead of failing further down.
if ($null -eq $AADModule) {
    Write-Host "AzureAD PowerShell Module not installed." -ForegroundColor Red
    Write-Host "Install with 'Install-Module -Name AzureAD'" -ForegroundColor Red
    return
}
## Reuse an existing Azure AD session, or sign in when there is none
try {
    $connect = Get-AzureADTenantDetail
} catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD | Out-Null
}
#endregion

#region Permissions
## --- Required API Permissions --- ##
## Azure AD Graph (legacy)
$adAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = "00000002-0000-0000-c000-000000000000";
    ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "5778995a-e1bf-45b8-affa-663a9f3f4d04";
            Type = "Role" },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "a42657d6-7f20-40e3-b6f0-cee03008a62a";
            Type = "Scope" },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "311a71cc-e848-46a1-bdf8-97ff7156d8e6";
            Type = "Scope" }
}

## Microsoft Graph
$graphAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000";
    ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "bf394140-e372-4bf9-a898-299cfc7564e5";
            Type = "Role" },
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "7ab1d382-f21e-4acd-a863-ba3e13f7da61";
            Type = "Role" }
}

## Partner Center
$partnerCenterAppAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
    ResourceAppId  = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd";
    ResourceAccess =
        [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
            Id   = "1cebfa2a-fb4d-419e-b5f9-839b4383e05a";
            Type = "Scope" }
}
#endregion

#region Create Azure AD Application
# Create Application (multi-tenant, with the reply URLs the token cmdlets use)
$SessionInfo = Get-AzureADCurrentSessionInfo
$AzureADAPP = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $DisplayName -IdentifierUris "https://$($SessionInfo.TenantDomain)/$((New-Guid).ToString())" -RequiredResourceAccess $adAppAccess, $graphAppAccess, $partnerCenterAppAccess -ReplyUrls @("urn:ietf:wg:oauth:2.0:oob","https://localhost","http://localhost","http://localhost:8400")

# Create Application Secret & Service Principal - Used to grant consent
$AppSecret = New-AzureADApplicationPasswordCredential -ObjectId $AzureADAPP.ObjectId
$SPN = New-AzureADServicePrincipal -AppId $AzureADAPP.AppId -DisplayName $DisplayName

# Creating the App takes a while
Start-Sleep -Seconds 30

# Add the Service Principal to AdminAgents
$AdminAgents = Get-AzureADGroup -Filter "DisplayName eq 'AdminAgents'"
Add-AzureADGroupMember -ObjectId $AdminAgents.ObjectId -RefObjectId $SPN.ObjectId
#endregion

#region consent
# Create Credential (client id + client secret)
$AppSecretSecure = $AppSecret.Value | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($AzureADAPP.AppId, $AppSecretSecure)

# Request the Partner Center token (authorization code flow) and the Exchange token (device code flow)
$refreshToken = New-PartnerAccessToken -ApplicationId $AzureADAPP.AppId -Scopes 'https://api.partnercenter.microsoft.com/user_impersonation' -ServicePrincipal -Credential $credential -Tenant $SPN.AppOwnerTenantId -UseAuthorizationCode
$ExchangeToken = New-PartnerAccessToken -ApplicationId 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -Scopes 'https://outlook.office365.com/.default' -Tenant $SPN.AppOwnerTenantId -UseDeviceAuthentication

## Consent Permission
Write-Host "Go to https://portal.azure.com > $DisplayName > API Permissions > Grant Admin Consent" -ForegroundColor Yellow
Write-Host "Press any key after consent (when all checks are green :))" -ForegroundColor Yellow
[void][System.Console]::ReadKey($true)
#endregion

## INFO ##
Write-Host
Write-Host "You should store all the information below in an Azure Key Vault!" -ForegroundColor Yellow
Write-Host "You should store all the information below in an Azure Key Vault!" -ForegroundColor Yellow
Write-Host "You should store all the information below in an Azure Key Vault!" -ForegroundColor Yellow
Write-Host
Write-Host "Application (client) ID:`t`t" $AzureADAPP.AppId -ForegroundColor Green
Write-Host "Application secret:`t`t" $AppSecret.Value -ForegroundColor Green
Write-Host "Tenant ID:`t`t" $SPN.AppOwnerTenantId -ForegroundColor Green
Write-Host "RefreshToken:`t`t" $refreshToken.RefreshToken -ForegroundColor Magenta
Write-Host "Exchange RefreshToken:`t`t" $ExchangeToken.RefreshToken -ForegroundColor Magenta
Write-Host
Write-Host "You should store all the information above in an Azure Key Vault!" -ForegroundColor Yellow
Write-Host "You should store all the information above in an Azure Key Vault!" -ForegroundColor Yellow
Write-Host "You should store all the information above in an Azure Key Vault!" -ForegroundColor Yellow
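The script above prints the client ID, secret and refresh tokens to the console and leaves storage to you. As an added example (not part of the original script), the snippet below puts those values into Azure Key Vault and later signs in to Partner Center with the stored refresh token, so the consent flow is not repeated. The vault name and secret names are placeholders; it assumes the Az.KeyVault and PartnerCenter (v3.0+) modules are installed and that you are already signed in with Connect-AzAccount.

```powershell
# Added example, not from the original post. Store the Secure Application Model
# output in Azure Key Vault and reuse the refresh token from automation later.
#Requires -Modules Az.KeyVault, PartnerCenter

$VaultName = 'my-partner-keyvault'   # placeholder: your Key Vault name

function Save-SecureAppModelSecrets {
    # One Key Vault secret per value; Set-AzKeyVaultSecret only accepts SecureStrings.
    param (
        [Parameter(Mandatory)][string] $ApplicationId,
        [Parameter(Mandatory)][string] $ApplicationSecret,
        [Parameter(Mandatory)][string] $TenantId,
        [Parameter(Mandatory)][string] $RefreshToken
    )
    $values = @{
        'sam-app-id'        = $ApplicationId      # placeholder secret names
        'sam-app-secret'    = $ApplicationSecret
        'sam-tenant-id'     = $TenantId
        'sam-refresh-token' = $RefreshToken
    }
    foreach ($name in $values.Keys) {
        $secure = ConvertTo-SecureString -String $values[$name] -AsPlainText -Force
        Set-AzKeyVaultSecret -VaultName $VaultName -Name $name -SecretValue $secure | Out-Null
    }
}

function Get-KeyVaultSecretText {
    # Read a secret back as plain text; works on Windows PowerShell 5.1 and PowerShell 7.
    param ([Parameter(Mandatory)][string] $Name)
    $secure = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name).SecretValue
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

function Connect-PartnerCenterFromVault {
    # Rebuild the client credential and exchange the stored refresh token for a new
    # access token. No browser or device-code prompt is needed at this stage.
    $appId      = Get-KeyVaultSecretText -Name 'sam-app-id'
    $secret     = Get-KeyVaultSecretText -Name 'sam-app-secret' | ConvertTo-SecureString -AsPlainText -Force
    $credential = [System.Management.Automation.PSCredential]::new($appId, $secret)
    $refresh    = Get-KeyVaultSecretText -Name 'sam-refresh-token'

    Connect-PartnerCenter -ApplicationId $appId -Credential $credential -RefreshToken $refresh | Out-Null

    # Smoke test: list a few customers to confirm the delegated context works
    Get-PartnerCustomer | Select-Object -First 5 Name, CustomerId
}
```

Run Save-SecureAppModelSecrets once with the values the script prints (for example -RefreshToken $refreshToken.RefreshToken), then call Connect-PartnerCenterFromVault from any job that has read access to the vault.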
