Managing the Refresh Token for Multi-Factor Authentication (2024)

This section describes how you can grant consent to the permissions that the Azure CSP application requires, and, as a result, acquire a refresh token for the application instance that belongs to your CSP partner account. This refresh token will be used by the Azure CSP application to make calls to the Partner Center and Graph and ARM APIs on behalf of your CSP partner account.

There are two procedures to grant consent and acquire a refresh token: automatic and manual. You should use the automatic procedure if you have administrative access to your Odin Automation system and your CSP partner account. You should use the manual procedure if you have administrative access to your Odin Automation system but do not have administrative access to your CSP partner account.

Warning: A refresh token has a limited lifetime of 90 days. You must acquire a new refresh token before the current refresh token expires.

Automatic Procedure

To give your consent and acquire a refresh token for the application instance that your CSP partner account belongs to, follow these steps:

  1. In the Provider Control Panel, carry out the following steps:

    1. Go to Services > Applications > Azure Cloud Solution Provider > instance name > Configuration tab > Manage Refresh Token.
    2. In the Automatic Update group, click Update Refresh Token. The login page of the Microsoft Partner Center will open in a new browser window.
  2. In the new browser window, carry out the following steps:

    1. Sign in using the credentials of a user that has the Global admin and Admin agent roles.

      Note: Multi-Factor Authentication (MFA) must be enabled for the user, as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates.

    2. Click Accept to give your consent to the permissions that the Azure CSP application requires. You will be redirected from the Microsoft Partner Center to a special site.
    3. On the Partner Onboarding Web Application page of the site, make sure that the acquisition of the refresh token is being performed successfully: there must be a message like The consent has been granted successfully. The authorization code has been sent ... After that, close the new browser window.
  3. In the Provider Control Panel, make sure that a message like Your refresh token has been successfully updated is shown.

Manual Procedure

To obtain consent and acquire a refresh token for the application instance that your CSP partner account belongs to, follow these steps:

  1. (This step requires administrative access to your Odin Automation installation) In the Provider Control Panel, perform the following:

    1. Go to Services > Applications > Azure Cloud Solution Provider > instance name > Configuration tab > Manage Refresh Token.
    2. In the Manual Update group, click Copy to copy the URL shown on the screen.
    3. Send the URL to a person who has administrative access to your CSP partner account.
  2. (This step requires administrative access to your CSP partner account) In a new browser window, perform the following:

    1. Navigate to the URL that you received. The login page of the Microsoft Partner Center will open.
    2. Sign in using the credentials of a user that has the Global admin and Admin agent roles.

      Note: Multi-Factor Authentication (MFA) must be enabled for the user, as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates.

    3. In the Microsoft Partner Center, click Accept to give your consent to the permissions that the Azure CSP application requires. You will be redirected from the Microsoft Partner Center to a special site.
    4. On the Partner Onboarding Web Application page of the site, copy and write down the authorization code. After that, close the browser window.
    5. Send the authorization code to the person who provided you with the URL.
  3. (This step requires administrative access to your Odin Automation installation) In the Provider Control Panel, perform the following:

    1. Go to Services > Applications > Azure Cloud Solution Provider > instance name > Configuration tab > Manage Refresh Token.
    2. In the Manual Update group, specify the authorization code that you received and click Update.
    3. Make sure that a message like Your refresh token has been successfully updated is shown.

FAQs

How to manage refresh tokens?

Use a refresh token

To refresh your access token and an ID token, you send a token request with a grant_type of refresh_token . Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, then you get back a new access token, a new ID token, and the refresh token.

How to refresh multifactor authentication?

Basically, to reset your Authenticator app, you need to follow these steps with the admin credentials:
  1. Go to the Microsoft 365 admin center and sign in with your admin credentials.
  2. Click on Users > Active users.
  3. Select your user account and click on Reset multi-factor authentication under More settings.

What is the best practice for refresh token?

Best practice

Set the expiration time for refresh tokens in such a way that it is valid for a little longer period than the access tokens. For example, if you set 30 minutes for access token then set (at least) 24 hours for the refresh token.

How do I manage multi-factor authentication?

Enable multi-factor authentication for a user
  1. Log in to your Office 365 Control Panel.
  2. From the left menu, select Office 365 Admin Center.
  3. From the top menu, select Multi-factor authentication.
  4. Select the check box next to the user you need to enable multi-factor authentication for.
  5. Under quick steps, select Enable.

How to handle refresh token when multiple requests are going out?

The steps that should be taken in this case are:
  1. Stop all requests that failed with Expired Token error.
  2. Get new Access/Refresh token pair by exchanging our current Refresh Token.
  3. Retry all requests that we stored.
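The three steps above, as an added example (not code from the original answer or any vendor), written so that concurrent callers hitting Expired Token at the same moment perform a single token exchange; `FakeApi` is a constructed stand-in for the resource API and token endpoint, and the token strings are made up.

```python
import threading

class TokenRefresher:
    """Single-flight refresh: if several requests fail with an expired access token
    at once, only the first caller exchanges the refresh token; the rest reuse it."""

    def __init__(self, refresh_fn, access_token, refresh_token):
        self._refresh_fn = refresh_fn    # refresh_token -> (new access, new refresh)
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._lock = threading.Lock()
        self.refresh_count = 0           # real token exchanges performed

    def renew(self, failed_with):
        """Return the token to retry with after `failed_with` was rejected as expired."""
        with self._lock:
            if self.access_token != failed_with:
                return self.access_token  # another thread already refreshed
            self.access_token, self.refresh_token = self._refresh_fn(self.refresh_token)
            self.refresh_count += 1
            return self.access_token

def call_api(refresher, send):
    """Steps from the answer: stop on Expired Token, refresh once, then retry."""
    token = refresher.access_token
    ok, payload = send(token)
    if not ok and payload == "expired_token":
        ok, payload = send(refresher.renew(failed_with=token))
    if not ok:
        raise RuntimeError(payload)
    return payload

def concurrent_calls(refresher, send, n):
    """Issue n requests simultaneously and collect their payloads."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(call_api(refresher, send)))
               for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results

class FakeApi:
    """Constructed stand-in for the resource API and token endpoint (not a real service)."""
    valid_access_token = "at-0"
    issued = 0

    def send(self, token):
        return (True, "ok") if token == self.valid_access_token else (False, "expired_token")

    def refresh(self, refresh_token):
        self.issued += 1
        self.valid_access_token = f"at-{self.issued}"
        return self.valid_access_token, f"rt-{self.issued}"
```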

Where should I keep refresh token?

Store refresh tokens securely

However, local storage does come with some downfalls, including opening yourself up for cross-site scripting attacks. To ensure a higher level of security, storing tokens in server-side storage allows you to encrypt data at rest.

How to update Multi-Factor Authentication?

Set up a new MFA method

Enter your account email address and password. Select Sign in. Select MFA recovery process. Follow the prompts to set up your new MFA method.

How do I automate Multi-Factor Authentication?

Time-Based One-Time Passwords (TOTP)
  1. Enable TOTP in the organization settings.
  2. Prepare Test Users to Use MFA. Every test user needs to be set up to use the correct MFA verification method. ...
  3. Log In a User with MFA. After the test users have been set up, they can be used for login during the execution of the test suite.

When should you not use refresh token?

If a refresh token is compromised (someone else got their hands on it or, even worse -- steals it), the individual would not only gain access to the resources provided by the API but also the amount of time the access has been granted would be more. Now that's a dreadful scenario for developers and users alike.

How do you implement refresh token flow?

Use the following values to construct the request body:
  1. grant_type : Set to refresh_token .
  2. client_id : (required) Set this to the Client ID for your app. ...
  3. client_secret : (required) Set this to the Secret for your app. ...
  4. refresh_token : The refresh token that you obtained with your original access token.

How do you configure refresh token rotation?

Configure in the Dashboard

Select the application you want to configure. Go to the Settings tab. Under Refresh Token Rotation, enable Rotation. Enter Reuse Interval (in seconds) for the refresh token to account for leeway time between request and response before triggering automatic reuse detection.
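As an added example (not Odin Automation's, Microsoft's or any dashboard vendor's code), the following Python sketches the server side of the refresh_token grant described in the request-body answer above, with the rotation and reuse interval from the rotation answer. The client registry, the 10-second reuse interval and the injectable clock are assumptions for illustration; the 90-day lifetime matches the warning in the procedure at the top of this page.

```python
import hmac
import secrets
import time

class RefreshTokenStore:
    """Server side of the refresh_token grant with rotation and reuse detection.
    Every successful refresh retires the presented token and issues a new one; all
    tokens descending from one login share a family. A retired token presented again
    after the reuse interval is treated as theft, and the whole family is revoked."""

    def __init__(self, clients, reuse_interval=10, lifetime=90 * 86400, clock=time.time):
        self.clients = clients                # client_id -> client_secret (constructed registry)
        self.reuse_interval = reuse_interval  # leeway (seconds) for a retried request
        self.lifetime = lifetime              # absolute lifetime; 90 days as in the warning above
        self.clock = clock                    # injectable for deterministic testing
        self.tokens = {}                      # refresh token -> {"family", "issued", "retired"}
        self.revoked_families = set()

    def issue(self, family=None):
        """Mint a refresh token; a fresh family starts when none is given."""
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"family": family or secrets.token_hex(8),
                            "issued": self.clock(), "retired": None}
        return tok

    def refresh(self, body):
        """Handle a token-request body (dict of form fields); return the response dict."""
        if body.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        secret = self.clients.get(body.get("client_id", ""))
        if secret is None or not hmac.compare_digest(
                secret.encode(), body.get("client_secret", "").encode()):
            return {"error": "invalid_client"}
        rec = self.tokens.get(body.get("refresh_token", ""))
        if rec is None or rec["family"] in self.revoked_families:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.lifetime:
            return {"error": "invalid_grant", "error_description": "refresh token expired"}
        if rec["retired"] is not None and now - rec["retired"] > self.reuse_interval:
            # Replay outside the leeway window: revoke every token in this family.
            self.revoked_families.add(rec["family"])
            return {"error": "invalid_grant", "error_description": "reuse detected"}
        if rec["retired"] is None:
            rec["retired"] = now              # the interval counts from the first retirement
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 1800, "refresh_token": self.issue(rec["family"])}
```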

How do I refresh multi-factor authentication?

Go to Services > Azure Partner (NCE) > Manage Refresh Token. In the Manual Update group, specify the authentication code that you received and click Update. Make sure that a message similar to Your refresh token has been successfully updated is shown.

What are the 3 factors of multi-factor authentication?

Factors are (i) something you know (e.g., password/personal identification number); (ii) something you have (e.g., cryptographic identification device, token); and (iii) something you are (e.g., biometric).

What 3 methods of multi-factor authentication are supported?

Three Main Types of MFA Authentication Methods
  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a badge or smartphone.
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition.

How to store refresh tokens securely?

Finally, when using refresh tokens, make sure to store them in their own cookies. There is no need to send them with every API request, so ensure that this is not the case. Refresh tokens must only be added when refreshing expired access tokens.

How to store refresh token in memory?

Understanding Refresh Tokens
  1. In Memory (Client-Side): You can store the refresh token in memory variables within your SPA. ...
  2. Session Storage (Client-Side): ...
  3. Local Storage (Client-Side): ...
  4. HTTP-Only Cookies (Client-Side): ...
  5. IndexedDB/WebSQL (Client-Side): ...
  6. Secure Cookies with SameSite Attribute (Client-Side):

Are refresh tokens stored in the database?

The refresh token is stored securely on the client side (e.g., in an HTTP-only cookie) and in your backend database.

Should refresh tokens be rotated?

Conclusion. Incorporating refresh token rotation and reuse detection into your authentication strategy makes your app more secure.
