

Register a SaaS application

This article explains how to register a SaaS application using the Microsoft Azure portal and how to get the publisher's access token (a Microsoft Entra access token). The publisher uses this token to authenticate the SaaS application when calling the SaaS Fulfillment APIs. The SaaS Fulfillment APIs use the OAuth 2.0 client credentials grant flow on Microsoft Entra ID (v2.0) endpoints to make a service-to-service access token request.

Azure Marketplace doesn't impose any constraints on the authentication method that your SaaS service uses for end users. The flow below is required only for authenticating the SaaS Service in Azure Marketplace.

For more information about Microsoft Entra ID (Active Directory), see What is authentication.

Register a Microsoft Entra ID-secured app

Any application that wants to use the capabilities of Microsoft Entra ID must first be registered in a Microsoft Entra tenant. This registration process involves giving Microsoft Entra some details about your application. To register a new application using the Azure portal, perform the following steps:

  1. Sign in to the Azure portal.

  2. If your account gives you access to more than one tenant, select your account in the top-right corner. Then set your portal session to the desired Microsoft Entra tenant.

  3. In the left-hand navigation pane, select the Microsoft Entra ID service, select App registrations, and then select New application registration.

    Screenshot of a SaaS Entra app registration screen.

  4. On the Create page, enter your application's registration information:

    • Name: Enter a meaningful application name

    • Supported account types:

      Select the option that is appropriate for your offer.

  5. When finished, select Register.

  6. To create a client secret, navigate to the Certificates & secrets page and select +New client secret. Be sure to copy the secret value to use it in your code.

Note

You must generate tokens using the same Entra tenant ID and Entra application ID that you specified in the Partner Center Technical Configuration page of the offer.

Microsoft recommends setting your app as single tenant access. If you must select the multitenant access option for your app, Microsoft strongly recommends configuring an app instance lock.

You must not enable the Allow public client flows setting in the Azure AD app registration.

How to get the publisher's authorization token

After you register your application, you can programmatically request the publisher's authorization token (a Microsoft Entra access token, using the Azure AD v2.0 endpoint). The publisher must use this token when calling the various SaaS Fulfillment APIs. This token is only valid for one hour.

For more information about these tokens, see Microsoft Entra access tokens. The flow below uses a v2.0 endpoint token.

Get the token with an HTTP POST

HTTP method: POST

Request URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

URI parameter

    • tenantId (required): Tenant ID of the registered Microsoft Entra application.

Request header

    • content-type (required): Content type associated with the request. The default value is application/x-www-form-urlencoded.

Request body

    • grant_type (required): Grant type. Use "client_credentials".

    • client_id (required): Client/app identifier associated with the Microsoft Entra app.

    • client_secret (required): Secret associated with the Microsoft Entra app.

    • scope (required): Target resource for which the token is requested, with a default scope. Use 20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default because the Marketplace SaaS API is always the target resource in this case.

Response

    • 200 OK (TokenResponse): Request succeeded.

Sample response:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9…"
}
Response elements

    • access_token: The <access_token> that you pass as the authorization parameter when calling all SaaS fulfillment and Marketplace metering APIs. When calling a secured REST API, the token is embedded in the Authorization request header field as a "bearer" token, allowing the API to authenticate the caller.

    • expires_in: The number of seconds, from the time of issuance, for which the access token remains valid. The time of issuance can be found in the token's iat claim.

    • expires_on: The time at which the access token expires, represented as the number of seconds since "1970-01-01T0:0:0Z UTC" (corresponds to the token's exp claim).

    • token_type: The type of token. It is a "Bearer" access token, meaning the resource grants access to whoever bears this token.
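The request and response described above, written out as an added Python example (not Microsoft's code or a Microsoft SDK). It assumes the v2.0 token endpoint and the Marketplace SaaS API scope given on this page; the tenant ID, client ID and client secret are placeholders the caller supplies. The HTTP call is kept in its own function so the request builder and the response parser can be exercised offline against a constructed sample response, and the parser reads the token's iat/exp claims only to plan refreshes, without verifying the signature (the Fulfillment API, not the client, validates the token).

```python
"""Added example (not Microsoft's code): the client-credentials token request
described above, with the HTTP call separated from request building and
response parsing so both can be checked offline against a constructed sample.
Assumes the v2.0 token endpoint and the Marketplace SaaS API scope from the page;
tenant, client ID and secret are placeholders supplied by the caller."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Fixed target resource of the Marketplace SaaS API (application ID from the page).
MARKETPLACE_SAAS_SCOPE = "20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Return URL, headers and form-encoded body for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # never log or persist this value
        "scope": MARKETPLACE_SAAS_SCOPE,
    })
    return {"url": url, "headers": {"content-type": "application/x-www-form-urlencoded"}, "body": body}


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT for inspection only.

    The signature is NOT verified here: the client only needs iat/exp to plan
    refreshes; the Fulfillment API itself validates the token it receives.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(raw: str, now: Optional[float] = None) -> dict:
    """Parse the token endpoint's JSON body; fail closed on errors or non-Bearer tokens."""
    data = json.loads(raw)
    if "access_token" not in data:
        # Entra error bodies carry error / error_description instead of a token.
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    # expires_in arrives as a string ("3600"); derive an absolute expiry from it,
    # then prefer the token's own exp claim when the payload is readable.
    expires_at = now + int(data["expires_in"])
    try:
        claims = decode_jwt_claims(data["access_token"])
        expires_at = float(claims.get("exp", expires_at))
    except ValueError:          # covers base64 and JSON decoding failures
        claims = {}
    return {"access_token": data["access_token"], "token_type": "Bearer",
            "expires_at": expires_at, "claims": claims}


def authorization_header(access_token: str) -> dict:
    """Header to attach when calling the SaaS fulfillment or metering APIs."""
    return {"Authorization": f"Bearer {access_token}"}


def should_refresh(token_info: dict, now: Optional[float] = None, skew_seconds: int = 300) -> bool:
    """True once the one-hour token is within skew_seconds of expiry (or past it)."""
    now = time.time() if now is None else now
    return now >= token_info["expires_at"] - skew_seconds


def request_token(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Perform the HTTP POST and return the parsed token (needs network access)."""
    req = build_token_request(tenant_id, client_id, client_secret)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode(),
                                      headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=30) as resp:
            raw = resp.read().decode()
    except urllib.error.HTTPError as err:
        raw = err.read().decode()   # 400/401 bodies are JSON error objects
    return parse_token_response(raw)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_sample_response(iat: int = 1_700_000_000) -> str:
    """Constructed response shaped like the page's sample; the JWT is fake and unsigned."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url(json.dumps({"aud": MARKETPLACE_SAAS_SCOPE.split("/")[0],
                                  "iat": iat, "exp": iat + 3600}).encode())
    token = f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"
    return json.dumps({"token_type": "Bearer", "expires_in": "3600",
                       "ext_expires_in": "0", "access_token": token})


if __name__ == "__main__":
    info = parse_token_response(constructed_sample_response(), now=1_700_000_100)
    print(authorization_header(info["access_token"])["Authorization"][:40] + "...")
    print("refresh needed:", should_refresh(info, now=1_700_000_100))
```

Because the token lives for one hour, a long-running publisher service should cache the parsed result and call request_token again only when should_refresh reports that the expiry is near; the five-minute skew absorbs clock differences between the publisher's host and the issuing endpoint.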

Your Microsoft Entra ID-secured app can now use the SaaS Fulfillment Subscription APIs Version 2 and SaaS Fulfillment Operations APIs Version 2.

Video tutorials