Details for Graph API for CSP right now to manage customers

  • Question

  • We are in the CSP API TAP program. We understand that the GRAPH API will honor the delegated admin relationship soon, but also understand there may be a way that we can use the GRAPH API right now to manage customers. Please provide the details on how to do this.
    Thursday, June 4, 2015 2:00 PM

All replies

  • Any guidance appreciated, please.
    Friday, June 5, 2015 2:13 PM
  • Hi Steve,

    Sorry for the slow response. Graph API is the public API for managing Azure AD. The way Graph API works for partners is no different than for ISVs. Partners will have to create an Azure AD application. Details about the Azure AD application model are available here.

    Specific to partners, I think there are 3 main scenarios where Graph API comes into play, including:

    1. You want to retrieve the list of existing customers from Azure AD. For this, you just need to write a Single-Tenant application (since the application only needs to run against your own partner tenant) reading Contract objects.
    2. You want to write an interactive, self-service portal for your customers to login to manage their own tenant. Further, you want to provide an SSO experience to your customers when they transition from your portal to the O365 portal/applications. In this case, you probably want to write a Multi-Tenant application which leverages the OAuth Authorization Code Grant Flow or OpenID Connect, where customers are required to login to your application using their Azure AD credential (aka OrgId or O365 credential).
    3. You want to write a non-interactive, daemon-like application to manage your customers' Azure AD. In this case, you probably want to write a Multi-Tenant application which leverages the OAuth Client Credential Auth Flow.


    Wednesday, June 17, 2015 8:47 AM
  • Here's a simple example to illustrate scenario 3. There are 3 broad steps involved:

    Step 1: Register a MT application in your partner tenant

    1. Login to Azure Management Portal using partner tenant admin credential.
    2. If you get an error saying that you do not have a valid Azure subscription, go to http://aka.ms/accessaad to sign up for a $0 Azure subscription. The subscription cannot generate usage and therefore won't cost you anything, but it allows you to login to Azure Management Portal.
    3. Select partner tenant directory.
    4. Click APPLICATIONS (top navigation bar).
    5. Click ADD (bottom).
    6. Select Add an application my organization is developing.
    7. Enter a name for your application.
    8. For Type, select WEB APPLICATION AND/OR WEB API.
    9. Click Next.
    10. Enter a value for SIGN-ON URL. Since we are using Client Credential Auth Flow, this property isn't important. For now, you can use https://localhost.
    11. Enter a value for APP ID URI. This has to be a unique value across all Azure AD applications. To generate a unique URI, you can use the convention https://{your-partner-tenant-domain}/{application-name}.
    12. Click Confirm to create the Application object.
    13. While your application is selected, Click CONFIGURE (top navigation bar).
    14. Note down your CLIENT ID.
    15. Under keys, generate a new key by selecting a validity duration and click SAVE. Note down the key generated. You will not be able to retrieve it anymore after you leave the page.
    16. Set APPLICATION IS MULTI-TENANT to YES.
    17. Under permissions to other applications, there should be one entry for Windows Azure Active Directory. Set Application Permissions to Read directory data. Uncheck all options for Delegated Permissions.
    18. Click SAVE.

    Step 2: Write an Azure AD Graph Application

    The sample application I have here is a really simple application, which attempts to make a Graph query against a test customer tenant.

    1. Create a C# Project for Console Application in Visual Studio.
    2. Using NUGET, search and install Active Directory Authentication Library (stable version).
    3. Copy the following source code into your application.
    4. Replace the first 3 properties based on the test customer tenant domain (to which you have access), the Application's ClientId and Key.

    using System;
    using System.IO;
    using System.Net;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    
    namespace MyMultiTenantTestS2SApp
    {
        class Program
        {
            static void Main(string[] args)
            {
                // Update the following properties which are specific to your test customer tenant and MT application.
                // The key is a client secret: outside a throwaway test, load it from configuration or a secret
                // store instead of hard-coding it in source.
                string customerTenantDomain = "testtestcustomer01.onmicrosoft.com";
                string clientId = "2bd9cf50-61cd-499b-8c5c-bd3d0650b67f";
                string clientCredential = "yomCcPby8hCEX1YDaaB5dRcmP7puAvheE1wetuXRiAo=";
    
                // Authenticate using client credentials against your customer tenant.
                // The authority is the customer's tenant endpoint (not /common), so the token is issued by that tenant.
                AuthenticationContext authenticationContext = new AuthenticationContext("https://login.windows.net/" + customerTenantDomain);
                AuthenticationResult authenticationResult = authenticationContext.AcquireToken("https://graph.windows.net", new ClientCredential(clientId, clientCredential));
    
                // Construct a Graph request using the auth token received (bearer token in the Authorization header)
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://graph.windows.net/" + customerTenantDomain + "/tenantDetails?api-version=1.5");
                request.Method = "GET";
                request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + authenticationResult.AccessToken);
                request.Accept = "application/json";
    
                // Print response, disposing the response and its stream when done
                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                {
                    Console.WriteLine(reader.ReadToEnd());
                }
                Console.ReadLine();
            }
        }
    }

    Step 3: Get customer tenant admin to consent to your application

    In general, you will need to write a web endpoint for the customer tenant admin to "login" to your application. As part of login, if Azure AD detects that your application has not been consented to operate in the customer's Azure AD, the Consent dialog will appear to prompt the user to consent to the application. For illustration purposes, I am going to skip the formality of writing this web endpoint. Instead, we will use the following workaround to trigger the Consent dialog for your application...

    1. Start a private browser session.
    2. Enter the following URL https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&prompt=admin_consent, where {0} needs to be replaced with your MT application Client Id.
    3. When prompted for login, provide the Tenant Admin credential of your test customer tenant.

    Once the consent is in place, you can attempt to compile and run the Console Application to read the tenantDetail of the test customer Azure AD.

    Wednesday, June 17, 2015 9:18 AM
  • Btw, we are working on a feature to remove the need for consent if certain conditions are met. There are some issues which need to be fixed, but hopefully, we can share details and availability of this feature in a couple of weeks' time.
    Wednesday, June 17, 2015 9:40 AM
  • Many thanks for the responses, much appreciated.
    Thursday, June 18, 2015 7:26 AM
  • We are unable to create a $0 subscription as explained in step 2. What could be the reason? We are using the admin for the test environment.

    If you get an error saying that you do not have a valid Azure subscription, go to xxxxxx  to sign up for a $0 Azure subscription. The subscription cannot generate usage and therefore won't cost you anything, but it allows you to login to Azure Management Portal.

    We appreciate your help !

    Monday, July 27, 2015 6:49 PM
  • 
    Hi Umesh, you can take a look at my response to this thread (https://social.msdn.microsoft.com/Forums/en-US/58e0a416-7449-4146-98fd-ce4b44d59362/unable-to-sign-up-for-0-subscription-need-to-access-graph-api-in-test-environment?forum=partnercenterapi).
    Thursday, August 6, 2015 6:27 PM