Marketplace metering service authentication strategies

Marketplace metering service supports two authentication strategies:

This article explains when and how to use the different authentication strategies to securely submit custom meters using Marketplace metering service.

Using the Microsoft Entra security token

Applicable offer types are transactable SaaS and Azure Applications with managed application plan type.

Submit custom meters by using a predefined fixed Microsoft Entra application ID to authenticate.

For SaaS offers, this is the only available option. It's a mandatory step for publishing any SaaS offer as described in register a SaaS application.

For Azure applications with managed application plan, you should consider using this strategy in the following cases:

  • You already have a mechanism to communicate with your backend services, and you want to extend this mechanism to emit custom meters from a central service.
  • You have complex custom meters logic. Run this logic in a central location, instead of the managed application resources.

When you register your application, you can programmatically request a Microsoft Entra security token. The publisher is expected to use this token and make a request to resolve it.

For more information about these tokens, see Microsoft Entra access tokens.

Get a token based on the Microsoft Entra app

HTTP Method

POST

Request URL

https://login.microsoftonline.com/*{tenantId}*/oauth2/token

URI parameter

Parameter name Required Description
tenantId True Tenant ID of the registered Microsoft Entra application.

Request header

Header name Required Description
Content-Type True Content type associated with the request. The default value is application/x-www-form-urlencoded.

Request body

Property name Required Description
Grant_type True Grant type. Use client_credentials.
Client_id True Client/app identifier associated with the Microsoft Entra app.
client_secret True Secret associated with the Microsoft Entra app.
Resource True Target resource for which the token is requested. Use 00001111-aaaa-2222-bbbb-3333cccc4444.

Response

Name Type Description
200 OK TokenResponse Request succeeded.

TokenResponse

Sample response token:

  {
      "token_type": "Bearer",
      "expires_in": "3600",
      "ext_expires_in": "0",
      "expires_on": "15251…",
      "not_before": "15251…",
      "resource": "00001111-aaaa-2222-bbbb-3333cccc4444",
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9…"
  }

Using the Azure-managed identities token

Applicable offer types are Kubernetes app offers and Azure applications with managed application plan type.

Using this approach allows the deployed resources identity to authenticate to send custom meters usage events. You can embed the code that emits usage within the boundaries of your deployment.

Note

Publisher should ensure that the resources that emit usage are locked, so it will not be tampered.

Your managed application can contain different type of resources, from Virtual Machines to Azure Functions. For more information on how to authenticate using managed identities for different services, see how to use managed identities for Azure resources).

For example, use the following steps to authenticate using a Windows VM,

  1. Make sure Managed Identity is configured using one of the methods:

  2. Get an access token for Marketplace metering service application ID (00001111-aaaa-2222-bbbb-3333cccc4444) using the system identity, RDP to the VM, open PowerShell console and run the command:

    # curl is an alias to Web-Invoke PowerShell command
    # Get system identity access tokenn
    $MetadataUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
    $Token = curl -H @{"Metadata" = "true"} $MetadataUrl | Select-Object -Expand Content | ConvertFrom-Json
    $Headers = @{}
    $Headers.Add("Authorization","$($Token.token_type) "+ " " + "$($Token.access_token)")
    
  3. Get the managed app ID from the current resource groups 'ManagedBy' property (not needed for Kubernetes app offers).

    # Get subscription and resource group
    $metadata = curl -H @{'Metadata'='true'} http://169.254.169.254/metadata/instance?api-version=2019-06-01 | select -ExpandProperty Content | ConvertFrom-Json 
    
    # Make sure the system identity has at least reader permission on the resource group
    $managementUrl = "https://management.azure.com/subscriptions/" + $metadata.compute.subscriptionId + "/resourceGroups/" + $metadata.compute.resourceGroupName + "?api-version=2019-10-01"
    $resourceGroupInfo = curl -Headers $Headers $managementUrl | select -ExpandProperty Content | ConvertFrom-Json
    $managedappId = $resourceGroupInfo.managedBy 
    
  4. Use the Marketplace metering service API to emit usage.

For Kubernetes app offers, use following the steps to get an authentication token from the app. For more information, see sample code.

  1. Application's Managed Service Identity (MSI) Client ID needs to be used to generate authentication token to communicate to Microsoft Marketplace Metering API. For more information, see sample code.

    # Audience for the token to be generated 
    resource = '00001111-aaaa-2222-bbbb-3333cccc4444'
    clientId = <identity client id>
    url = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&clientId={0}&resource={1}".format(clientId,resource)
    headers = {'Metadata': 'true'}
    # Need to import requests module 
    response = requests.get(url)
    response = requests.get(url, headers=headers)
    authToken = response.json()
    
  2. Use the Marketplace metering service API to emit usage