Register a SaaS application

This article explains how to register a SaaS application using the Microsoft Azure portal and how to get the publisher's access token (Microsoft Entra access token). The publisher uses this token to authenticate the SaaS application when calling the SaaS Fulfillment APIs. The Fulfillment APIs use the OAuth 2.0 client credentials grant flow on Microsoft Entra ID (v2.0) endpoints to make a service-to-service access token request.

Azure Marketplace does not impose any constraints on the authentication method that your SaaS service uses for end users. The flow below is required only for authenticating the SaaS Service in Azure Marketplace.

For more information about Microsoft Entra ID (Active Directory), see What is authentication.

Register a Microsoft Entra ID-secured app

Any application that wants to use the capabilities of Microsoft Entra ID must first be registered in a Microsoft Entra tenant. This registration process involves giving Microsoft Entra some details about your application. To register a new application using the Azure portal, perform the following steps:

  1. Sign in to the Azure portal.

  2. If your account gives you access to more than one tenant, select your account in the top-right corner. Then set your portal session to the desired Microsoft Entra tenant.

  3. In the left-hand navigation pane, select the Microsoft Entra ID service, select App registrations, and then select New application registration.

    Screenshot of a SaaS Entra app registration screen.

  4. On the Create page, enter your application's registration information:

    • Name: Enter a meaningful application name

    • Supported account types:

      Select Accounts in this organizational directory only (single tenant).

  5. When finished, select Register. Microsoft Entra ID assigns a unique Application ID to your new application. You must register one app that accesses the API only, and as single tenant.

  6. To create a client secret, navigate to the Certificates & secrets page and select +New client secret. Be sure to copy the secret value to use it in your code.

The Microsoft Entra app ID is associated with your publisher ID, so make sure that the same app ID is used in all your offers.

Note

If the publisher has two or more different accounts in Partner Center, the Microsoft Entra app registration details can be used in one account only. Using the same tenant ID, app ID pair for an offer under a different publisher account isn't supported.

Note

You must create a service principal for the registered app in the tenant that you use to create tokens against. See How to create Service Principal for an App registration.

How to get the publisher's authorization token

After you register your application, you can programmatically request the publisher's authorization token (Microsoft Entra access token, using the Azure AD v2 endpoint). The publisher must use this token when calling the various SaaS Fulfillment APIs. This token is only valid for one hour.

For more information about these tokens, see Microsoft Entra access tokens. In the flow below, the V2 endpoint token is used.

Get the token with an HTTP POST

HTTP Method

POST

Request URL

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

URI parameter

| Parameter name | Required | Description |
|---|---|---|
| tenantId | True | Tenant ID of the registered Microsoft Entra application. |

Request header

| Header name | Required | Description |
|---|---|---|
| content-type | True | Content type associated with the request. The default value is application/x-www-form-urlencoded. |

Request body

| Property name | Required | Description |
|---|---|---|
| grant_type | True | Grant type. Use "client_credentials". |
| client_id | True | Client/app identifier associated with the Microsoft Entra app. |
| client_secret | True | Secret associated with the Microsoft Entra app. |
| scope | True | Target resource for which the token is requested with a default scope. Use 20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default because Marketplace SaaS API is always the target resource in this case. |

Response

| Name | Type | Description |
|---|---|---|
| 200 OK | TokenResponse | Request succeeded. |

TokenResponse

Sample response:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9…"
}

| Element | Description |
|---|---|
| access_token | This element is the <access_token> that you will pass as the authorization parameter when calling all SaaS fulfillment and Marketplace metering APIs. When calling a secured REST API, the token is embedded in the Authorization request header field as a "bearer" token, allowing the API to authenticate the caller. |
| expires_in | The number of seconds the access token continues to be valid, before expiring, from time of issuance. Time of issuance can be found in the token's iat claim. |
| expires_on | The timespan when the access token expires. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's exp claim). |
| token_type | The type of token, which is a "Bearer" access token, which means the resource can give access to the bearer of this token. |

Your Microsoft Entra ID-secured app can now use the SaaS Fulfillment Subscription APIs Version 2 and SaaS Fulfillment Operations APIs Version 2.
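
The token request described above, as an added Python example (not Microsoft's code): it builds the client-credentials POST, validates the TokenResponse, and caches the token so it is renewed before the one-hour lifetime ends. The `PublisherToken` class, the 300-second renewal margin, and the `ENTRA_*` environment variable names are assumptions of this example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Scope and URL template are the values given in the tables above.
MARKETPLACE_SCOPE = "20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default"
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret):
    """Build (without sending) the client-credentials POST."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": MARKETPLACE_SCOPE}
    url = TOKEN_URL.format(tenant_id=urllib.parse.quote(tenant_id, safe=""))
    return urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(raw, now=None):
    """Validate a TokenResponse; return (access_token, absolute expiry time)."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")  # never echo the body: it may hold a token
    # The sample response carries expires_in as a string ("3600"), so coerce it.
    issued = time.time() if now is None else now
    return doc["access_token"], issued + int(doc["expires_in"])

class PublisherToken:
    """Caches the token and renews it shortly before it expires."""
    def __init__(self, fetch, margin=300):
        self._fetch, self._margin = fetch, margin
        self._token, self._expires_at = None, 0.0

    def authorization_header(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._margin:
            self._token, self._expires_at = parse_token_response(self._fetch(), now)
        return {"Authorization": "Bearer " + self._token}

def fetch_from_entra():
    """Live fetch. Environment variable names are assumptions of this example."""
    req = build_token_request(os.environ["ENTRA_TENANT_ID"],
                              os.environ["ENTRA_CLIENT_ID"],
                              os.environ["ENTRA_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

In a service, construct `PublisherToken(fetch_from_entra)` once and call `authorization_header()` before each Fulfillment API request; reading the client secret from the environment keeps it out of source control.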
