OAuth v2.0 - Connecting to the PartnerCenter

Hi!
I'm trying to connect to the PartnerCenter with the fancy new JWT token available through 2.8.2, awesome feature.

However, I seem to be unable to add "https://api.partnercenter.microsoft.com" to the -Resource param of New-UDAuthenticationMethod.

The documentation doesn't seem to be up to par with the new changes. Is the -Resource param a strict string, or an array of strings?

Whenever I try to pass both "https://api.partnercenter.microsoft.com" and "https://management.azure.com" to the auth policy, UD doesn't store any auth results, i.e. $User is empty and no AuthPolicies are being processed.

Anyone have the PartnerCenter module working in UD?

Sorry about the docs…

This is how I’m calling it in my tests. I haven’t tried for PartnerCenter.

$AuthenticationMethod = New-UDAuthenticationMethod -ResponseType 'id_token token' -ClientSecret 'redacted' -ClientId 'redacted' -Authority 'https://login.microsoftonline.com/tenant' -Resource 'https://graph.windows.net' -PassThru

'tis fine bro!

Does the -Resource param take an array of strings, or is it limited to one resource?

Doing something like this:
-Resource 'https://graph.windows.net', 'https://api.partnercenter.microsoft.com/'

Makes the auth behave weird.
My "user info modal" is empty:

It just takes a single resource at the moment. I'm not sure if we can specify multiple there or not due to the implementation of the OAuth 2.0 provider, but I could look into that if you need to get tokens for multiple services.

It would be handy.
As of now, the PartnerCenter module can connect with the Graph API. However, trying to run any partner-related commands fails.
Replicated this by copying the access token to a console and logging in. "Access denied".

Either that, or I need to use the first token to generate a partner token. Might be :open_mouth:
Let me get back to you on whether this is required or not.

Hey Guys,

I'm doing the same thing with CSP and UD - what I ended up doing is building some cmdlets that would auth to the CSP Partner Center. Also, since CSP has moved to the Secure Auth Model, you will also need a service principal created and provide the consented permissions in the Graph.

For me, because UD Auth is different than CSP Auth, I have a refresh_token that is used to generate the token and auth to CSP, Graph, and ARM.

Also, your scope will need to include user_impersonation

So to get my CSP Bearer Token (don't mind the $ENV: variables, I run UD in a Web App):

# Form body for the refresh_token grant against the v1 token endpoint.
# The scope names the Partner Center audience; offline_access keeps the refresh token usable.
$AuthBody = @{
    'scope'         = 'https://api.partnercenter.microsoft.com/user_impersonation+offline_access+openid+profile'
    'client_id'     = $ENV:CSPAppId          # app registration (service principal) id
    'client_secret' = $ENV:CSPAppSecret      # client secret, kept out of the dashboard code
    'grant_type'    = 'refresh_token'
    'refresh_token' = $ENV:CSPRefreshToken   # refresh token obtained from the initial consent/login
}

# One POST per audience: the returned access_token is scoped to Partner Center only.
$GraphToken = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$($ENV:CSPTenant)/oauth2/token" -ContentType 'application/x-www-form-urlencoded' -Body $AuthBody).access_token

From here I can now POST/GET to the api.partnercenter API to retrieve/update CSP information.

Just remember that in Azure there are a ton of scopes/resources you must use in order to create the access token with the correct "audience", or it will fail. You cannot POST to the OAuth2 token API using multiple scopes/resources; each will need its own API call to retrieve the token. If we could have UD take in an array of the scopes and auth using the first resource/scope, but then do something fancy on the backend to auth to the other resources without going through 5 login pages.

Graph: 'scope' = 'https://graph.microsoft.com/.default'
ARM: 'resource' = 'https://management.core.windows.net/'
CSP: 'scope' = 'https://api.partnercenter.microsoft.com/user_impersonation+offline_access+openid+profile'
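The pattern above (one token request per audience, then use each token only against its own API) as an added, stand-alone example. This is not the poster's code or the Universal Dashboard project's code; it assumes the v1 token endpoint used in the post, with the `resource` form field naming the audience, and the function names, parameter names and the environment variable names are made up for this example. It also adds the check the "Access denied" symptom earlier in the thread calls for: decode the JWT payload and confirm the `aud` claim matches the resource you are about to call before using the token.

```powershell
# Added example (not from the thread). Requests one access token per resource with the
# refresh_token grant and verifies the audience of each token before handing it out.

function Get-AadAccessToken {
    param(
        [Parameter(Mandatory)] [string] $Tenant,        # tenant id or verified domain
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [Parameter(Mandatory)] [string] $RefreshToken,
        [Parameter(Mandatory)] [string] $Resource       # e.g. https://api.partnercenter.microsoft.com
    )
    # v1 endpoint: a single audience per request, named by 'resource'
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
        resource      = $Resource
    }
    $uri = "https://login.microsoftonline.com/$Tenant/oauth2/token"
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/x-www-form-urlencoded' -Body $body
}

function ConvertFrom-JwtPayload {
    # Decodes the middle (payload) segment of a compact JWS without verifying the signature.
    # Good enough to inspect aud/exp locally; the resource server still validates the token.
    param([Parameter(Mandatory)] [string] $Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected three dot-separated segments)' }
    # base64url -> base64: swap the alphabet back and restore the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Malformed base64url payload' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-TokensForResources {
    param(
        [Parameter(Mandatory)] [string]   $Tenant,
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string]   $ClientSecret,
        [Parameter(Mandatory)] [string]   $RefreshToken,
        [Parameter(Mandatory)] [string[]] $Resources
    )
    $tokens = @{}
    foreach ($resource in $Resources) {
        $response = Get-AadAccessToken -Tenant $Tenant -ClientId $ClientId -ClientSecret $ClientSecret `
                                       -RefreshToken $RefreshToken -Resource $resource
        $claims = ConvertFrom-JwtPayload -Jwt $response.access_token

        # Audience check: a Graph token presented to Partner Center is rejected, so refuse to
        # store a token under a resource it was not issued for. aud may be a string or an array.
        $audiences = @($claims.aud) | ForEach-Object { $_.TrimEnd('/') }
        if ($audiences -notcontains $resource.TrimEnd('/')) {
            throw "Token audience '$($claims.aud)' does not match requested resource '$resource'"
        }

        # Expiry check, so a stale token is noticed here rather than as an API error later.
        $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64] $claims.exp)
        if ($expires -le [DateTimeOffset]::UtcNow) {
            throw "Token for '$resource' is already expired (exp = $expires)"
        }

        $tokens[$resource] = $response.access_token
    }
    $tokens
}

# Usage: environment variable names below are placeholders for this example.
$tokens = Get-TokensForResources -Tenant $ENV:EXAMPLE_TENANT -ClientId $ENV:EXAMPLE_CLIENT_ID `
    -ClientSecret $ENV:EXAMPLE_CLIENT_SECRET -RefreshToken $ENV:EXAMPLE_REFRESH_TOKEN `
    -Resources 'https://graph.microsoft.com', 'https://management.core.windows.net/', 'https://api.partnercenter.microsoft.com'

$cspHeaders = @{ Authorization = "Bearer $($tokens['https://api.partnercenter.microsoft.com'])" }
```

Each entry in the returned hashtable is keyed by the resource it was issued for, so the dashboard code picks the Partner Center token for Partner Center calls and the ARM token for ARM calls instead of reusing whichever token came back first. The payload decode only reads claims; it does not validate the signature, which remains the job of the API receiving the token.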

Thanks @mylabonline!
The Partner Center has a function to fetch these CSP tokens, I'll give it a go and shout if I get stuck :slight_smile: