How can a CSP reseller programmatically access to his customer’s tenant?

MS CSP program helps you grow your business. There are 2 tiers and 3 roles in csp model. Today i will firstly describe how these roles work since it’s not obvious for some csp partner. Afterwards i will expound how an indirect reseller access his customer’s tenant.


CSP direct and CSP indirect

There are two different business models in the CSP program: CSP direct (one tier) and CSP indirect (two tiers).

CSP direct (Tier 1) partners work with Microsoft directly. They take on the entire customer relationship, including support, billing, and invoicing. CSP direct partners are responsible for customer support. Microsoft doesn’t provide support for CSP customers. So if you want to be a direct csp partner, you will be required to invest in the support and billing.

CSP indirect

The CSP indirect model (Tier 2) defines two types of partners: CSP indirect providers (distributors) and CSP indirect resellers. CSP indirect providers work with Microsoft directly, but reach customers indirectly through their partner channel, CSP resellers.

CSP indirect reseller is a good choice for partners who don’t want to manage as much infrastructure as an CSP direct partner, so they team up with an indirect provider to handle their support, billing, and invoicing needs. They still build strong relationships with the customer and get many of the benefits of the CSP program, but they offload support and billing to CSP indirect providers.

Both of them are able to access Partner Center but only CSP direct partner and CSP direct provider can unitize the partner center api. It comes with an issue : how can an indirect reseller access his customer’s tenant?

The main infrastructure of privilege management is based on Azure AD. There are 2 types of directories in CSP – Partner directory and Customer directory. Each CSP Partner authenticates on Partner Center portal using its Azure AD directory. CSP partner can create a new customer (in fact, it will create a new tenant) in the partner center or they can establish partner relationship with an existing tenant.

Partner relationship indeed is that the CSP partner has delegate access permission (DAP) to his customer’s tenant. One point I must figure out is that not all employees in csp partner tenant have this DAP. In this scenario, We divide them into four categories :

  • Regular user: this kind of user has no right to manage customer
  • Admin agents: user will be able to manage customer especially subscription management
  • Sales agents: user will be able to manage customer subscriptions and billing, but won’t be able to manage Customer’s services
  • Helpdesk agents: user won’t be able to manager Customer subscriptions. His role is similar to password admin.

User in the above role management group (in Azure portal , it will be security group) will automatically be granted the corresponding permission. Besides, the Admin agents object has a foreign Principal (named Foreign Principal for ‘xxxx”) in customer tenant which is provisioned with an owner role.

With this special delegate privilege, the reseller can access the customer’s tenant.

Login the customer’s tenant:

  • Login Azure portal:{tenant_id/tenant_name}
  • login office admin center:{tenant_id}&CSDEST=homepage

using PowerShell:

//Get all users for a tenant
Get-MsolUser -TenantID <customer Tenant_id value>
//Connect to exchange online via PowerShell with DAP
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri<customer tenant domain name>-Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session
//invoke MSonline service
Get-MsolAccountSku -TenantId <customer tenant_id>

Using office rest api to access customer’s tenant:

Register and configure a multi-tenant app

The initial steps required here follow most of the same steps used to register and configure a multi-tenant application:

  1. Register your application in your Partner tenant using the Azure Portal. To function as a partner-managed app, an application must be configured as a multi-tenant app. Additionally, if your app is deployed and sold in multiple geographic regions you will need to register your app in each of those regions as described here.
  2. Configure your multi-tenant app, again through the Azure Portal, with the required permissionsit needs using a least privileged approach.


Pre-consent your app for all your customers

Finally grant your partner-managed app those configured permissions for all your customers. You can do this by adding the ServicePrincipal that represents the app to the Admin agents group in your Partner tenant, using Azure AD powershell V2. You can download and install Azure AD PowerShell V2 from here. Follow these steps to find the Admin agents group, the ServicePrincipal and add it to the group.

  1. Open a PowerShell session and connect to your partner tenant by entering your admin credentials into the sign-in window.
  1. Find the group that represents the Admin agents.
$group = Get-AzureADGroup -Filter "displayName eq 'Adminagents'"
  1. Find the service principal that has the same appIdas your app.

$sp = Get-AzureADServicePrincipal -Filter “appId eq ‘{yourAppsAppId}'”

  1. Finally, add the service principal to the Admin agents

Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $sp.ObjectId

Here I use OAuth password flow  as an example:

POST{customer tenant_name/tenant_id}/oauth2/token  HTTP/1.1
Payload: resource={registered_app_id}&grant_type=password&username={csp partner UPN}&password={password}&scope=openid

the result will comes with an access token:

Now with the access token, you can easily access customer’s tenant.


Leave a Reply

Your email address will not be published. Required fields are marked *