Get 3P User Token

To achieve 3P Direct User Authentication, it is necessary to request a user access token through your instance of Microsoft Entra ID. To complete this, you must perform a login request to your Microsoft Entra endpoint with the proper parameters for the Business Assist API.

You can use Direct user login if you want to test and validate the connections, or you can use the 3P app user token in Postman to integrate with the API.

3P Direct User Login URL

Authentication to the BA API is required to successfully complete requests in any of the APIs so you must request a bearer token to make subsequent calls to the Business Assist API with Postman. To retrieve this token, perform the following:

1. In a new browser window, navigate to the following URL:

   • https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=2b8844d8-6c87-4fce-97a0-fbec9006e140&response_type=code&redirect_url=https://assist.microsoft.com/authenticate&response_mode=query&scope=2b8844d8-6c87-4fce-97a0-fbec9006e140/.default&state=12345

     • This URL prompts the user to log in to Microsoft Entra ID using the following parameters:

       • client_id=2b8844d8-6c87-4fce-97a0-fbec9006e140 – This is the application ID for the Business Assist API.
       • response_type=code
       • response_mode=query
       • redirect_url=https://assist.microsoft.com/authenticate – The Business Assist API authentication
       • scope=2b8844d8-6c87-4fce-97a0-fbec9006e140/.default – The default permission scope for the Business Assist API
       • state=12345 – A generic required parameter for Microsoft Entra authentication

Note: If the scope is wrong, then you will not be able to authenticate and may receive an error.

1. Log in using your Microsoft Entra credentials for your tenant.

2. Once the login process has completed, you will be provided with the 3P Direct User Login token in the browser window. Record a note of the token that was returned as this will be the Bearer Token that is required to communicate with any of the Business Assist APIs.

3P App User Token using Postman

The 3P App User token approach allows you to generate a BA API user token that will contain the necessary audience claim for BA API authorization and includes App ID and Tenant ID claims that are specific to your 3P App Registration configuration.

Note: If you have not yet configured a 3P App Registration for the Business Assist API within your tenant, refer to the documentation at Register with Azure to configure the app instance. The 3P App Registration must be completed before the 3P App User Token approach will generate user tokens.

1. Using Postman, create a new POST request using the URI of https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token and replace the {{tenantId}} with the ID of your Azure tenant.

2. Within the Body tab, select x-www-form-urlencoded as the body type.

3. Enter the following Key / Value pairs within the body tab:

   a. scope - https://business-assist.microsoft.com/.default

   b. client_id - {Your App's ID}

   c. client_secret -{Your Client Secret}

   d. username - {Your Username}

   e. password - {Your Password}

   f. grant_type - password

4. Select Send.

5. Within the Response of the request, take note of the User Token that is provided. Save this token for use later in this document.

Note: If you're interested in viewing the claims that are present in the 3P Direct User token, go to https://jwt.ms and enter your token contents in the upper text area. The claims of the token are decoded below it.

Next steps

Use your access token to query the Business Assist API endpoints:

• Forecast API How To
• SelfHelp API How To