
Commit c1116e1

Merge pull request #26276 from SteveMutungi254/docs-editor/auth-cloudsolutionprovider-1739905199
CSP - Manage app access - Removing Azure AD PowerShell references
2 parents 6ee9caa + 5e14ff4 commit c1116e1

1 file changed (+16 / -17 lines)

concepts/auth-cloudsolutionprovider.md

Lines changed: 16 additions & 17 deletions
@@ -4,8 +4,8 @@ description: "This article describes how to enable application access to partner
44
author: koravvams
55
ms.localizationpriority: high
66
ms.subservice: "partner-customer-administration"
7-
ms.custom: graphiamtop20, has-azure-ad-ps-ref
8-
ms.date: 11/07/2024
7+
ms.custom: graphiamtop20, no-azure-ad-ps-ref
8+
ms.date: 02/19/2025
99
---
1010

1111
# Call Microsoft Graph from a Cloud Solution Provider application
@@ -16,17 +16,16 @@ This article describes how to enable application access to partner-managed custo
1616

1717
> [!IMPORTANT]
1818
> Calling Microsoft Graph from a CSP application is only supported for directory resources (such as **user**, **group**,**device**, **organization**) and [Intune](/graph/api/resources/intune-graph-overview) resources.
19-
>
2019
2120
## What is a partner-managed application
2221

2322
The CSP program enables Microsoft's partners to resell and manage Microsoft Online Services (such as Microsoft 365, Microsoft Azure, and CRM Online) to customers. Management of customer services is done through Delegated Admin Privileges, which enables designated partner users (known as agents) to access and configure their customers' environments.
2423

2524
Additionally, as a partner developer, you can build a **partner-managed app** to manage your customers' Microsoft services. Partner-managed apps are often called *preconsented* apps because all your customers are automatically preconsented for your partner-managed apps. This means when a user from one of your customer tenants uses one of your partner-managed apps, the user can use it without being prompted to give consent. Partner-managed apps also inherit Delegated Admin Privileges, so your partner agents can also get privileged access to your customers through your partner-managed application.
2625

27-
## How to set-up a partner-managed application
26+
## How to set up a partner-managed application
2827

29-
An application is viewed as *partner-managed* when it is granted elevated permissions to access your customers' data.
28+
An application is *partner-managed* when it has elevated permissions to access customer data.
3029

3130
> **Note:** Partner-managed apps can *only* be configured on Partner tenants, and in order to manage customer tenant resources, partner-managed apps **must** be configured as **multi-tenant applications**.
3231
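Review bot: The `[!IMPORTANT]` context line at 18 still reads `**group**,**device**` with no space after the comma; since this hunk already trims the callout (the dangling `>` line removed at 19), fix the spacing in the same pass. Also, the note at 31 keeps the `> **Note:**` form while the callout at 17 uses the `> [!IMPORTANT]` alert syntax; `> [!NOTE]` would keep the two callouts in one style.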
@@ -39,34 +38,32 @@ The initial steps required here follow most of the same steps used to register a
3938

4039
### Preconsent your app for all your customers
4140

42-
Finally grant your partner-managed app those configured permissions for all your customers. You can do this by adding the **servicePrincipal** that represents the app to the *Adminagents* group in your Partner tenant, using [Azure AD PowerShell V2](https://www.powershellgallery.com/packages/AzureAD) or [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation). Follow these steps to find the *Adminagents* group, the **servicePrincipal** and add it to the group.
41+
Finally grant your partner-managed app those configured permissions for all your customers. You can do this by adding the **servicePrincipal** that represents the app to the *Adminagents* group in your Partner tenant, using [Microsoft Entra PowerShell](/powershell/entra-powershell/installation) or [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation). Follow these steps to find the *Adminagents* group, the **servicePrincipal** and add it to the group.
4342

44-
[!INCLUDE [Azure AD PowerShell deprecation note](~/../reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
45-
46-
# [Azure AD PowerShell](#tab/azuread)
43+
# [Microsoft Entra PowerShell](#tab/entraps)
4744

4845
1. Open a PowerShell session and connect to your partner tenant by entering your admin credentials into the sign-in window.
4946

5047
```PowerShell
51-
Connect-AzureAd
48+
Connect-Entra
5249
```
5350
5451
2. Find the group that represents the *Adminagents*.
5552
5653
```PowerShell
57-
$group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
54+
$group = Get-EntraGroup -Filter "displayName eq 'Adminagents'"
5855
```
5956
6057
3. Find the service principal that has the same *appId* as your app.
6158
6259
```PowerShell
63-
$sp = Get-AzureADServicePrincipal -Filter "appId eq '{yourAppsAppId}'"
60+
$sp = Get-EntraServicePrincipal -Filter "appId eq '{yourAppsAppId}'"
6461
```
6562
6663
4. Finally, add the service principal to the *Adminagents* group.
6764
6865
```PowerShell
69-
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId
66+
Add-EntraGroupMember -GroupId $group.Id -MemberId $sp.Id
7067
```
7168
7269
# [Microsoft Graph PowerShell](#tab/graphpowershell)
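Review bot: `Connect-Entra` at 48 is called with no `-Scopes`, yet the following steps read a group and a service principal and then write a group membership with `Add-EntraGroupMember` at 66; request the needed Graph scopes on connect (for example `Connect-Entra -Scopes 'Group.ReadWrite.All','Application.Read.All'`) or the final step fails with insufficient privileges. Also, the filters at 54 and 60 can return nothing (a display-name typo, or `{yourAppsAppId}` left unreplaced), in which case `Add-EntraGroupMember -GroupId $group.Id -MemberId $sp.Id` is handed empty IDs and the resulting error is unhelpful. Since membership in *Adminagents* gives the service principal delegated admin access to every customer tenant, as the text above explains, add a guard before step 4 such as `if (-not $group -or -not $sp) { throw 'Adminagents group or service principal not found' }` so that the wrong principal is never added by accident.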
@@ -94,6 +91,7 @@ Finally grant your partner-managed app those configured permissions for all your
9491
```PowerShell
9592
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
9693
```
94+
9795
----
9896
9997
## Token acquisition flows
@@ -128,15 +126,16 @@ This is a standard [authorization code grant flow](/azure/active-directory/devel
128126
```
129127
130128
## Register your app in the regions you support
129+
131130
<a name="region"></a>
132131
133-
CSP customer engagement is currently limited to a single region. Partner-managed applications carry the same limitation. This means you must have a separate tenant for each region you sell in. For example, if your partner-managed app is registered in a tenant in the US but your customer is in the EUthe partner-managed app will not work. Each of your regional partner tenants must maintain their own set of partner-managed apps to manage customers within the same region. This might require additional logic in your app (prior to sign-in) to get your customers' sign-in username to decide which region-specific partner-managed app identity to use, to serve the user.
132+
CSP customer engagement is currently limited to a single region. Partner-managed applications carry the same limitation. This means you must have a separate tenant for each region you sell in. For example, if your partner-managed app is registered in a tenant in the US but your customer is in the EU, the partner-managed app doesn't work. Each of your regional partner tenants must maintain their own set of partner-managed apps to manage customers within the same region. This might require additional logic in your app (prior to sign-in) to get your customers' sign-in username to decide which region-specific partner-managed app identity to use, to serve the user.
134133
135134
## Calling Microsoft Graph immediately after customer creation
136135
137-
When you create a new customer using the [Partner Center API](/partner-center/developer/create-a-customer), a new customer tenant gets created. Additionally, a partner relationship also gets created, which makes you the partner of record for this new customer tenant. This partner relationship can take up to 3 minutes to propagate to the new customer tenant. If your app calls Microsoft Graph straight after creation, your app will likely receive an access denied error. A similar delay may be experienced when an existing customer accepts your invitation. This is because preconsent relies on the partner relationship being present in the customer tenant.
136+
When you create a new customer using the [Partner Center API](/partner-center/developer/create-a-customer), a new customer tenant gets created. Additionally, a partner relationship also gets created, which makes you the partner of record for this new customer tenant. This partner relationship can take up to three minutes to propagate to the new customer tenant. If your app calls Microsoft Graph straight after creation, your app will likely receive an access denied error. A similar delay might be experienced when an existing customer accepts your invitation. This is because preconsent relies on the partner relationship being present in the customer tenant.
138137
139-
To avoid this problem, we recommend that your partner app should wait **three minutes** after customer creation before calling Microsoft Entra ID to acquire a token (to call Microsoft Graph). This should cover most cases.
138+
To avoid this problem, we recommend that your partner app should wait **three minutes** after customer creation before calling Microsoft Entra ID to acquire a token (to call Microsoft Graph). This should cover most cases.
140139
However, if after waiting three minutes you still receive an authorization error, please wait an extra 60 seconds and try again.
141140
142-
> **Note:** On the retry, you must acquire a new access token from Microsoft Entra ID, before calling Microsoft Graph. Calling Microsoft Graph with the access token you already have will not work, because the access token is good for an hour and won't contain the pre-consented permission claims.
141+
> **Note:** On the retry, you must acquire a new access token from Microsoft Entra ID, before calling Microsoft Graph. Calling Microsoft Graph with the access token you already have doesn't work, because the access token is good for an hour and doesn't contain the pre-consented permission claims.
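Review bot: The retry guidance at 137-140 is imprecise: "we recommend that your partner app should wait" doubles the modal (use "we recommend that your partner app wait"), and "wait an extra 60 seconds and try again" gives no bound, so an app whose partner relationship never propagates retries forever; state a maximum number of attempts or a total wait, after which the app should surface the authorization error. The note at 141 is the important part and belongs right next to that retry sentence: every retry must go back to Microsoft Entra ID for a fresh token, because a token issued before the relationship propagated stays valid for its lifetime but lacks the preconsented permission claims, so retrying Microsoft Graph with the cached token cannot succeed. While here, "good for an hour" overstates the precision: the default access token lifetime is variable (60 to 90 minutes), so "remains valid for its lifetime" is the accurate wording.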
