Register a SaaS application
This article explains how to register a SaaS application using the Microsoft Azure portal and how to get the publisher's access token (Microsoft Entra access token). The publisher uses this token to authenticate the SaaS application when calling the SaaS Fulfillment APIs. The Fulfillment APIs use the OAuth 2.0 client credentials grant flow on Microsoft Entra ID (v2.0) endpoints to make a service-to-service access token request.
Azure Marketplace does not impose any constraints on the authentication method that your SaaS service uses for end users. The flow below is required only for authenticating the SaaS Service in Azure Marketplace.
For more information about Microsoft Entra ID (Active Directory), see What is authentication.
Register a Microsoft Entra ID-secured app
Any application that wants to use the capabilities of Microsoft Entra ID must first be registered in a Microsoft Entra tenant. This registration process involves giving Microsoft Entra some details about your application. To register a new application using the Azure portal, perform the following steps:
Sign in to the Azure portal.
If your account gives you access to more than one tenant, select your account in the top-right corner. Then set your portal session to the desired Microsoft Entra tenant.
In the left-hand navigation pane, select the Microsoft Entra ID service, select App registrations, and then select New application registration.
On the Create page, enter your application's registration information:
Name: Enter a meaningful application name
Supported account types:
Select Accounts in this organizational directory only (single tenant).
When finished, select Register. Microsoft Entra ID assigns a unique Application ID to your new application. You must register one app that accesses the API only, and as single tenant.
To create a client secret, navigate to the Certificates & secrets page and select +New client secret. Be sure to copy the secret value so that you can use it in your code.
The Microsoft Entra app ID is associated with your publisher ID, so make sure that the same app ID is used in all your offers.
Note
If the publisher has two or more different accounts in Partner Center, the Microsoft Entra app registration details can be used in one account only. Using the same tenant ID, app ID pair for an offer under a different publisher account isn't supported.
Note
You must create a service principal for the registered app in the tenant that you use to create tokens against. See the documentation How to create Service Principal for an App registration.
How to get the publisher's authorization token
After you register your application, you can programmatically request the publisher's authorization token (Microsoft Entra access token, using the Azure AD v2 endpoint). The publisher must use this token when calling the various SaaS Fulfillment APIs. This token is only valid for one hour.
For more information about these tokens, see Microsoft Entra access tokens. The flow below uses a v2 endpoint token.
Get the token with an HTTP POST
HTTP Method
POST
Request URL
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
URI parameter
Parameter name | Required | Description |
---|---|---|
tenantId | True | Tenant ID of the registered Microsoft Entra application. |
Request header
Header name | Required | Description |
---|---|---|
content-type | True | Content type associated with the request. The default value is application/x-www-form-urlencoded. |
Request body
Property name | Required | Description |
---|---|---|
grant_type | True | Grant type. Use "client_credentials". |
client_id | True | Client/app identifier associated with the Microsoft Entra app. |
client_secret | True | Secret associated with the Microsoft Entra app. |
scope | True | Target resource for which the token is requested with a default scope. Use 20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default because Marketplace SaaS API is always the target resource in this case. |
Response
Name | Type | Description |
---|---|---|
200 OK | TokenResponse | Request succeeded. |
TokenResponse
Sample response:
{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9…"
}
Element | Description |
---|---|
access_token | This element is the <access_token> that you will pass as the authorization parameter when calling all SaaS fulfillment and Marketplace metering APIs. When calling a secured REST API, the token is embedded in the Authorization request header field as a "bearer" token, allowing the API to authenticate the caller. |
expires_in | The number of seconds the access token continues to be valid, before expiring, from time of issuance. Time of issuance can be found in the token's iat claim. |
expires_on | The timespan when the access token expires. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's exp claim). |
token_type | The type of token, which is a "Bearer" access token, which means the resource can give access to the bearer of this token. |
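The request and response described above, as an added Python example (not Microsoft's code): it builds the client-credentials POST, parses the TokenResponse, and caches the token until shortly before its one-hour expiry. The environment variable names, the `PublisherToken` class and the 300-second refresh margin are assumptions of this example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Marketplace SaaS API resource, from the request-body table above.
SCOPE = "20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST against the tenant's v2.0 token endpoint."""
    tenant = urllib.parse.quote(tenant_id, safe="")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")

def parse_token_response(raw, now):
    """Return (access_token, expiry_epoch); expires_in may arrive as a string."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"], now + int(doc["expires_in"])

class PublisherToken:
    """Caches the token; refetches `skew` seconds before it expires."""
    def __init__(self, fetch, skew=300):
        self._fetch, self._skew = fetch, skew  # fetch() returns the JSON body
        self._token, self._expiry = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expiry - self._skew:
            self._token, self._expiry = parse_token_response(self._fetch(), now)
        return self._token

    def auth_header(self, now=None):
        return {"Authorization": f"Bearer {self.get(now)}"}

def fetch_from_entra():
    """Live fetch; the secret comes from the environment, never from source."""
    env = os.environ  # variable names below are assumptions of this example
    req = build_token_request(env["ENTRA_TENANT_ID"], env["ENTRA_CLIENT_ID"],
                              env["ENTRA_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

In a service, create one `PublisherToken(fetch_from_entra)` and pass `auth_header()` on each Fulfillment API call; keep the client secret and the returned token out of logs.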
Related content
Your Microsoft Entra ID-secured app can now use the SaaS Fulfillment Subscription APIs Version 2 and SaaS Fulfillment Operations APIs Version 2.