Make your first API call
Important
In June 2022, we introduced multi-factor authentication as a requirement for Bing Ads. You may still need to make a code change in order to become compliant with this requirement. Microsoft Advertising is performing technical enforcement checks in early October.
This blog post outlines the steps you should take to ensure compliance.
For more information, see the multi-factor authentication requirement guide.
If you just want to get something working right away, follow these steps to get your Microsoft Advertising user information.
Production Quick Start
To authenticate in the production environment you should first register an application. Sign in with your Microsoft account credentials and grant your app consent to manage your Microsoft Advertising accounts.
- Create a new file and paste into it the following script. Set
$clientId
to the Application Id of your registered app. If you registered a web application with client secret, then you'll also need to include$client_secret=YourWebAppClientSecret
when requesting the access tokens.
Note
Replace your_client_id below with the application (client) ID that the Azure portal - App registrations portal assigned your app.
# Replace your_client_id with your registered application ID.
$clientId = "your_client_id"
Start-Process "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=$clientId&scope=openid%20profile%20https://ads.microsoft.com/msads.manage%20offline_access&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&state=ClientStateGoesHere&prompt=login"
$code = Read-Host "Grant consent in the browser, and then enter the response URI here:"
$code = $code -match 'code=(.*)\&'
$code = $Matches[1]
# Get the initial access and refresh tokens.
$response = Invoke-WebRequest https://login.microsoftonline.com/common/oauth2/v2.0/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=https://ads.microsoft.com/msads.manage%20offline_access&code=$code&grant_type=authorization_code&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient"
$oauthTokens = ($response.Content | ConvertFrom-Json)
Write-Output "Access token: " $oauthTokens.access_token
Write-Output "Access token expires in: " $oauthTokens.expires_in
Write-Output "Refresh token: " $oauthTokens.refresh_token
# The access token will expire e.g., after one hour.
# Use the refresh token to get new access and refresh tokens.
$response = Invoke-WebRequest https://login.microsoftonline.com/common/oauth2/v2.0/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=https://ads.microsoft.com/msads.manage%20offline_access&code=$code&grant_type=refresh_token&refresh_token=$($oauthTokens.refresh_token)"
$oauthTokens = ($response.Content | ConvertFrom-Json)
Write-Output "Access token: " $oauthTokens.access_token
Write-Output "Access token expires in: " $oauthTokens.expires_in
Write-Output "Refresh token: " $oauthTokens.refresh_token
Save the file and name it Get-Tokens-Production.ps1
(you can name it anything you want but the extension must be .ps1).
To programmatically manage a Microsoft Advertising account, you must provide consent at least once through the web application consent flow. From then on you can use the latest refresh token to request new access and refresh tokens without any further user interaction.
Now to run
Get-Tokens-Production.ps1
open a console window. At the command prompt, navigate to the folder where you savedGet-Tokens-Production.ps1
and enter the following command:powershell.exe -File .\Get-Tokens-Production.ps1
When the PowerShell script successfully runs, it starts a browser session where you enter your Microsoft Advertising credentials. After consenting, the browser's address bar contains the grant code (see ?code=UseThisCode&...).
https://login.microsoftonline.com/common/oauth2/nativeclient?code=M.R4_BAY.f202904c-2269-4daf-1e21-862ed4d49143
Copy the grant code (your own code, not the example M.R4_BAY.f202904c-2269-4daf-1e21-862ed4d49143) and enter it in the console window at the prompt. The PowerShell script then returns the access and refresh tokens. (The script makes a second call to Invoke-WebRequest as an example of how to refresh the tokens.) You should treat the refresh token like you would a password; if someone gets hold of it, they have access to your resources. The refresh token is long lived but it can become invalid. If you ever receive an invalid_grant error, your refresh token is no longer valid and you'll need to run the
Get-Tokens-Production.ps1
PowerShell script again to get user consent and a new refresh token.Create a new file and paste into it the following script. Set the
accessToken
to the value you received fromGet-Tokens-Production.ps1
and set$developerToken
to the developer token you received by following steps outlined here.$accessToken = "AccessTokenGoesHere"; $developerToken = "DeveloperTokenGoesHere"; [xml]$getUserRequest = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v13="https://bingads.microsoft.com/Customer/v13"> <soapenv:Header> <v13:DeveloperToken>{0}</v13:DeveloperToken> <v13:AuthenticationToken>{1}</v13:AuthenticationToken> </soapenv:Header> <soapenv:Body> <v13:GetUserRequest> <v13:UserId xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> </v13:GetUserRequest> </soapenv:Body> </soapenv:Envelope>' -f $developerToken, $accessToken $headers = @{"SOAPAction" = "GetUser"} $uri = "https://clientcenter.api.bingads.microsoft.com/Api/CustomerManagement/v13/CustomerManagementService.svc" $response = Invoke-WebRequest $uri -Method post -ContentType 'text/xml' -Body $getUserRequest -Headers $headers Write-Output $response.Content
Save the file and name it
Get-User.ps1
(you can name it anything you want but the extension must be .ps1).Now to run
Get-User.ps1
open a console window. At the command prompt, navigate to the folder where you savedGet-User.ps1
and enter the following command:powershell.exe -File .\Get-User.ps1
When the PowerShell script successfully runs it should print out the details of your Microsoft Advertising user, including customer roles. For details see GetUser.
Sandbox Quick Start
To authenticate in the sandbox environment you don't need to register an application. Just use the public "Tutorial Sample App" client ID i.e., 00001111-aaaa-2222-bbbb-3333cccc4444.
Sign up for a Microsoft Advertising sandbox account. The Microsoft account (MSA) email address must be outlook-int.com (for example, someone@outlook-int.com). For more details see Sandbox.
Create a new file and paste into it the following script.
# Replace the Tutorial Sample App ID with your registered application ID. $clientId = "00001111-aaaa-2222-bbbb-3333cccc4444" Start-Process "https://login.windows-ppe.net/consumers/oauth2/v2.0/authorize?client_id=$clientId&scope=openid%20profile%20https://api.ads.microsoft.com/msads.manage%20offline_access&response_type=code&redirect_uri=https://login.windows-ppe.net/common/oauth2/nativeclient&state=ClientStateGoesHere&prompt=login" $code = Read-Host "Grant consent in the browser, and then enter the response URI here:" $code = $code -match 'code=(.*)\&' $code = $Matches[1] # Get the initial access and refresh tokens. $response = Invoke-WebRequest https://login.windows-ppe.net/consumers/oauth2/v2.0/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=https://api.ads.microsoft.com/msads.manage%20offline_access&code=$code&grant_type=authorization_code&redirect_uri=https://login.windows-ppe.net/common/oauth2/nativeclient" $oauthTokens = ($response.Content | ConvertFrom-Json) Write-Output "Access token: " $oauthTokens.access_token Write-Output "Access token expires in: " $oauthTokens.expires_in Write-Output "Refresh token: " $oauthTokens.refresh_token # The access token will expire e.g., after one hour. # Use the refresh token to get new access and refresh tokens. $response = Invoke-WebRequest https://login.windows-ppe.net/consumers/oauth2/v2.0/token -ContentType application/x-www-form-urlencoded -Method POST -Body "client_id=$clientId&scope=https://api.ads.microsoft.com/msads.manage%20offline_access&code=$code&grant_type=refresh_token&refresh_token=$($oauthTokens.refresh_token)" $oauthTokens = ($response.Content | ConvertFrom-Json) Write-Output "Access token: " $oauthTokens.access_token Write-Output "Access token expires in: " $oauthTokens.expires_in Write-Output "Refresh token: " $oauthTokens.refresh_token
Save the file and name it
Get-Tokens-Sandbox.ps1
(you can name it anything you want but the extension must be .ps1).A user must provide consent at least once through the web application consent flow. From then on you can use the latest refresh token to request new access and refresh tokens without any further user interaction.
Now to run
Get-Tokens-Sandbox.ps1
open a console window. At the command prompt, navigate to the folder where you savedGet-Tokens-Sandbox.ps1
and enter the following command:powershell.exe -File .\Get-Tokens-Sandbox.ps1
When the PowerShell script successfully runs, it starts a browser session where you enter your Microsoft Advertising credentials. After consenting, the browser's address bar contains the grant code (see ?code=UseThisCode&...).
https://login.windows-ppe.net/common/oauth2/nativeclient?code=M.R0_CD1.132de532-5105-7550-b1fd-d37f9af2f009
Copy the grant code (your own code, not the example M.R0_CD1.132de532-5105-7550-b1fd-d37f9af2f009) and enter it in the console window at the prompt. The PowerShell script then returns the access and refresh tokens. (The script makes a second call to Invoke-WebRequest as an example of how to refresh the tokens.) You should treat the refresh token like you would a password; if someone gets hold of it, they have access to your resources. The refresh token is long lived but it can become invalid. If you ever receive an invalid_grant error, your refresh token is no longer valid and you'll need to run the
Get-Tokens-Sandbox.ps1
PowerShell script again to get user consent and a new refresh token.Create a new file and paste into it the following script. Set the
accessToken
to the value you received fromGet-Tokens-Sandbox.ps1
.$accessToken = "AccessTokenGoesHere"; $developerToken = "BBD37VB98"; [xml]$getUserRequest = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v13="https://bingads.microsoft.com/Customer/v13"> <soapenv:Header> <v13:DeveloperToken>{0}</v13:DeveloperToken> <v13:AuthenticationToken>{1}</v13:AuthenticationToken> </soapenv:Header> <soapenv:Body> <v13:GetUserRequest> <v13:UserId xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> </v13:GetUserRequest> </soapenv:Body> </soapenv:Envelope>' -f $developerToken, $accessToken $headers = @{"SOAPAction" = "GetUser"} $uri = "https://clientcenter.api.sandbox.bingads.microsoft.com/Api/CustomerManagement/v13/CustomerManagementService.svc" $response = Invoke-WebRequest $uri -Method post -ContentType 'text/xml' -Body $getUserRequest -Headers $headers Write-Output $response.Content
Save the file and name it
Get-User.ps1
(you can name it anything you want but the extension must be .ps1).Now to run
Get-User.ps1
open a console window. At the command prompt, navigate to the folder where you savedGet-User.ps1
and enter the following command:powershell.exe -File .\Get-User.ps1
When the PowerShell script successfully runs it should print out the details of your Microsoft Advertising user, including customer roles. For details see GetUser.