MFA requirement - what about automatic provisioning?

  • Question

  • Hello,

    We are using the Partner Center API for provisioning new users to Office 365, after they order this on our website. Today, this provisioning is 100% automated.

    Some of the steps performed during said provisioning are creating new user accounts and assigning the purchased licenses to these users. However, these steps require App+User authentication, so with the upcoming changes, MFA would be required to do this.

    From my understanding, MFA will always require some human interaction, through getting a code via SMS/App/phone call. However, this would mean that every future order we receive for Office 365 must be processed manually, to get the users created and their licenses set up. Not to mention that a rather significant redesign of our internal services and workflows would be required.

    Have I understood this correctly, or am I missing something? Is it possible to achieve App+User authentication without human interaction when the MFA requirement is enforced? 

    Thanks a lot for your help.

    Wednesday, January 23, 2019 8:39 AM

Answers

  • Hi,

    Multi-Factor Authentication (MFA) works by requiring two or more of the following authentication methods:

    • Something you know (typically a password)
    • Something you have (a trusted device that is not easily duplicated, like a phone)
    • Something you are (biometrics)

    So, we need human interaction when using MFA.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

    Best Regards,

    Dennis


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Marked as answer by Hogne Vevle Thursday, January 24, 2019 8:51 AM
    Thursday, January 24, 2019 8:46 AM

All replies

  • Hi,

    Please check the official article below.

    https://docs.microsoft.com/en-us/partner-center/develop/partner-center-authentication?tabs=dotnet-app-only%2Cdotnet-partner-consent%2Cdotnet-csp-auth%2Cdotnet-cpv-auth

    If you want to authenticate as a Cloud Solution Provider (CSP) using multi-factor authentication (MFA), the following example is for your reference.

    https://github.com/Microsoft/Partner-Center-DotNet-Samples/blob/master/secure-app-model/keyvault/CSPApplication/Program.cs

    Best Regards,

    Dennis



    Thursday, January 24, 2019 8:25 AM
  • Thanks Dennis, but I've already read through the documentation and the sample applications. 

    From my understanding, every action requiring App+User authentication will in the future require some human interaction via MFA (which will provide the refresh token). As the requirement of human interaction isn't compatible with our current provisioning process, I would appreciate a confirmation or disconfirmation of my question: Is it possible to achieve App+User authentication without human interaction when the MFA requirement is enforced? Simply a yes or no would suffice - I just want to be sure that I'm not missing something.

    Also, I still haven't been approved to access the Yammer space, as referenced in the documentation. All I get is: 

    Your request has been submitted to an admin for approval.

    This has been the case for several days now (since Monday), and is quite concerning for us, as the MFA enforcement date approaches.

    • Edited by Hogne Vevle Thursday, January 24, 2019 8:47 AM
    Thursday, January 24, 2019 8:34 AM
  • In case somebody else is finding themselves here as well: 

    The one key factor that I was unaware of is that the refresh tokens have a 90-day rolling expiration. Thus, as long as they are used regularly, they would basically never expire. As far as I could see, the docs fail to mention this, so I was assuming that these tokens were short-lived. This was the reason for my confusion.

    All good now.

    Thursday, January 31, 2019 8:23 AM
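To make the point of this last post concrete, here is an added illustration (not code from the thread or from the Partner Center samples): it models a refresh token whose 90-day expiry resets on every use, as described above, and adds a health check an operator could schedule so that a lull in orders does not silently break the unattended provisioning path. The 14-day warning threshold, the START date and the token strings are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

ROLLING_LIFETIME = timedelta(days=90)  # per the thread: the 90-day window resets on every use
WARN_BEFORE = timedelta(days=14)       # assumed alerting threshold, not from the thread
START = datetime(2019, 1, 24, tzinfo=timezone.utc)  # constructed: day of the one-time MFA consent


class ReauthRequired(Exception):
    """The stored refresh token lapsed; a human must complete MFA again."""


class RefreshTokenRecord:
    """One refresh token obtained through an interactive, MFA-protected sign-in."""

    def __init__(self, obtained_at: datetime):
        self.last_used_at = obtained_at  # expiry counts from the last successful use

    def expires_at(self) -> datetime:
        return self.last_used_at + ROLLING_LIFETIME

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at()

    def redeem(self, now: datetime) -> str:
        """Simulates exchanging the refresh token for an access token; rolls the expiry."""
        if self.is_expired(now):
            raise ReauthRequired(f"refresh token expired at {self.expires_at():%Y-%m-%d}")
        self.last_used_at = now
        return f"access-token-{now:%Y%m%d}"  # constructed placeholder, not a real token


def health(record: RefreshTokenRecord, now: datetime) -> str:
    """Operator check: OK, WARN (expiry within WARN_BEFORE) or EXPIRED."""
    if record.is_expired(now):
        return "EXPIRED"
    return "WARN" if record.expires_at() - now <= WARN_BEFORE else "OK"


def simulate(days_between_orders: int, total_days: int) -> tuple:
    """Runs the unattended provisioning job every N days; returns (health, tokens issued)."""
    record = RefreshTokenRecord(START)
    issued = 0
    for day in range(days_between_orders, total_days + 1, days_between_orders):
        try:
            record.redeem(START + timedelta(days=day))
            issued += 1
        except ReauthRequired:
            break  # automation stops here until someone re-consents with MFA
    return health(record, START + timedelta(days=total_days)), issued
```

`simulate(1, 365)` keeps the token alive indefinitely, while `simulate(100, 365)` shows the first order after a quiet quarter failing and requiring a human to sign in with MFA again.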