Marketplace metering service authentication strategies
Marketplace metering service supports two authentication strategies:
- Using the Microsoft Entra security token
- Using the Azure-managed identities token
This article explains when and how to use the different authentication strategies to securely submit custom meters using Marketplace metering service.
Using the Microsoft Entra security token
Applicable offer types are transactable SaaS and Azure Applications with managed application plan type.
Submit custom meters by using a predefined fixed Microsoft Entra application ID to authenticate.
For SaaS offers, this is the only available option. It's a mandatory step for publishing any SaaS offer as described in register a SaaS application.
For Azure applications with managed application plan, you should consider using this strategy in the following cases:
- You already have a mechanism to communicate with your backend services, and you want to extend this mechanism to emit custom meters from a central service.
- You have complex custom meters logic. Run this logic in a central location, instead of the managed application resources.
When you register your application, you can programmatically request a Microsoft Entra security token. The publisher is expected to use this token and make a request to resolve it.
For more information about these tokens, see Microsoft Entra access tokens.
Get a token based on the Microsoft Entra app

HTTP method: POST

Request URL: `https://login.microsoftonline.com/{tenantId}/oauth2/token`

URI parameter

Parameter name | Required | Description
---|---|---
tenantId | True | Tenant ID of the registered Microsoft Entra application.

Request header

Header name | Required | Description
---|---|---
Content-Type | True | Content type associated with the request. Use `application/x-www-form-urlencoded`.

Request body

The form parameter names are lowercase and case-sensitive.

Property name | Required | Description
---|---|---
grant_type | True | Grant type. Use `client_credentials`.
client_id | True | Client/app identifier associated with the Microsoft Entra app.
client_secret | True | Secret associated with the Microsoft Entra app. It is a credential: keep it in your central service and never embed it in resources deployed to customers.
resource | True | Target resource for which the token is requested. Use `00001111-aaaa-2222-bbbb-3333cccc4444`.

Response

Name | Type | Description
---|---|---
200 OK | TokenResponse | Request succeeded.

TokenResponse

Sample response token:

```json
{
  "token_type": "Bearer",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "15251…",
  "not_before": "15251…",
  "resource": "00001111-aaaa-2222-bbbb-3333cccc4444",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayJ9…"
}
```

The token is valid for about an hour (`expires_in` is in seconds, `expires_on` is an epoch timestamp). Cache it and request a new one shortly before it expires rather than requesting a token for every usage event.
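The request above, worked through in code. This is an added example, not code from the original article or from Microsoft: it builds the `client_credentials` form body for the v1 token endpoint, parses the `TokenResponse`, and checks that the token returned is the one that was asked for (matching `resource` and `aud`, not yet expired) before it is used as a bearer token. Standard library only; the network call is isolated in `request_token()` so everything else runs offline. The sample response at the bottom is constructed, and its JWT is an unsigned stand-in; the tenant, client ID and secret are placeholders.

```python
# Added example, not code from the original article: build the client-credentials
# request for the v1 token endpoint, parse the token response, and sanity-check
# the access token before it is used as a bearer token. Standard library only; the
# network call is isolated in request_token() so everything else runs offline.
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder application ID exactly as the article shows it.
METERING_RESOURCE = "00001111-aaaa-2222-bbbb-3333cccc4444"


def build_token_request(tenant_id, client_id, client_secret, resource=METERING_RESOURCE):
    """Return (url, headers, body) for the client_credentials grant.
    Parameter names are lowercase; the endpoint treats them as case-sensitive."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode("ascii")
    return url, headers, body


def request_token(tenant_id, client_id, client_secret, resource=METERING_RESOURCE):
    """POST the request and validate the reply. Network call; not run offline."""
    url, headers, body = build_token_request(tenant_id, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode("utf-8"), resource)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(access_token):
    """Decode the JWT payload without verifying the signature. Only the metering
    service verifies signatures; the client just checks it got what it asked for."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def parse_token_response(body_text, expected_resource=METERING_RESOURCE, now=None):
    """Check the fields a caller relies on and return what the caller needs."""
    data = json.loads(body_text)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if data.get("resource") != expected_resource:
        raise ValueError("token was issued for a different resource")
    claims = jwt_claims(data["access_token"])
    if claims.get("aud") != expected_resource:
        raise ValueError("aud claim does not match the requested resource")
    expires_on = int(data["expires_on"])  # epoch seconds, returned as a string
    if expires_on <= (time.time() if now is None else now):
        raise ValueError("token is already expired")
    return {
        "authorization": f"Bearer {data['access_token']}",
        "expires_on": expires_on,
        "app_id": claims.get("appid"),
    }


def needs_refresh(token, now, skew=300):
    """Cache the token and renew it a few minutes early: one token per hour,
    not one token per usage event."""
    return token["expires_on"] - skew <= now


# Constructed sample response for offline use. The JWT is an unsigned stand-in
# whose payload carries only the claims the checks above look at; a real token
# is signed by Microsoft Entra and carries many more claims.
def _fake_jwt(claims):
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.signature"


SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "0",
    "expires_on": "1700003600",
    "not_before": "1700000000",
    "resource": METERING_RESOURCE,
    "access_token": _fake_jwt({"aud": METERING_RESOURCE, "appid": "contoso-app", "exp": 1700003600}),
})
```

`request_token()` is the only function that touches the network; in a central metering service it would sit behind a small cache keyed on `expires_on` so that `needs_refresh()` decides when a new client-credentials call is made.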
Using the Azure-managed identities token
Applicable offer types are Kubernetes app offers and Azure applications with managed application plan type.
Using this approach allows the deployed resources' managed identity to authenticate and send custom meter usage events. You can embed the code that emits usage within the boundaries of your deployment, so no publisher secret has to be shipped to the customer's environment.
Note
Publishers should ensure that the resources that emit usage are locked, so that they cannot be tampered with by the customer.
Your managed application can contain different types of resources, from virtual machines to Azure Functions. For more information on how to authenticate using managed identities for different services, see how to use managed identities for Azure resources.
For example, use the following steps to authenticate from a Windows VM:

1. Make sure a managed identity is configured on the VM using one of the supported methods.

2. RDP to the VM, open a PowerShell console and request two tokens from the instance metadata service using the system identity: one for the Marketplace metering service application ID (`00001111-aaaa-2222-bbbb-3333cccc4444`), which is the token you send with usage events, and one for Azure Resource Manager, which is only needed for the resource group lookup in the next step.

   ```powershell
   # In Windows PowerShell, curl is an alias for Invoke-WebRequest; the cmdlet name is used
   # here so the script also runs in PowerShell 7, where the alias does not exist.
   # The Metadata: true header is mandatory; the metadata service rejects requests without it.
   $ImdsHeaders = @{ "Metadata" = "true" }

   # Token for the Marketplace metering service (audience = its application ID)
   $MeteringResource = "00001111-aaaa-2222-bbbb-3333cccc4444"
   $MeteringTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$MeteringResource"
   $MeteringToken = Invoke-WebRequest -Headers $ImdsHeaders -Uri $MeteringTokenUrl -UseBasicParsing | Select-Object -ExpandProperty Content | ConvertFrom-Json
   $MeteringHeaders = @{ "Authorization" = "$($MeteringToken.token_type) $($MeteringToken.access_token)" }

   # Token for Azure Resource Manager, used only for the resource group lookup below
   $ArmTokenUrl = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
   $ArmToken = Invoke-WebRequest -Headers $ImdsHeaders -Uri $ArmTokenUrl -UseBasicParsing | Select-Object -ExpandProperty Content | ConvertFrom-Json
   $ArmHeaders = @{ "Authorization" = "$($ArmToken.token_type) $($ArmToken.access_token)" }
   ```

3. Get the managed app ID from the current resource group's `managedBy` property (not needed for Kubernetes app offers).

   ```powershell
   # Subscription and resource group of this VM, from instance metadata
   $Metadata = Invoke-WebRequest -Headers $ImdsHeaders -Uri "http://169.254.169.254/metadata/instance?api-version=2019-06-01" -UseBasicParsing | Select-Object -ExpandProperty Content | ConvertFrom-Json

   # The system identity needs at least Reader permission on the resource group for this call
   $ManagementUrl = "https://management.azure.com/subscriptions/$($Metadata.compute.subscriptionId)/resourceGroups/$($Metadata.compute.resourceGroupName)?api-version=2019-10-01"
   $ResourceGroupInfo = Invoke-WebRequest -Headers $ArmHeaders -Uri $ManagementUrl -UseBasicParsing | Select-Object -ExpandProperty Content | ConvertFrom-Json
   $ManagedAppId = $ResourceGroupInfo.managedBy
   ```

4. Use the Marketplace metering service API to emit usage, sending `$MeteringHeaders` (not the Resource Manager token) with the request.
For Kubernetes app offers, use the following steps to get an authentication token from the app. The client ID of the application's managed identity is used to request the token for the Microsoft Marketplace metering API from the instance metadata service. For more information, see sample code.

```python
# pip install requests
import requests

# Audience for the token to be generated
resource = '00001111-aaaa-2222-bbbb-3333cccc4444'
client_id = '<identity client id>'  # client ID of the app's managed identity

# The metadata service selects a user-assigned identity through the client_id query parameter
url = ("http://169.254.169.254/metadata/identity/oauth2/token"
       "?api-version=2018-02-01&client_id={0}&resource={1}").format(client_id, resource)
headers = {'Metadata': 'true'}  # required; the metadata service rejects requests without it
response = requests.get(url, headers=headers)
response.raise_for_status()
auth_token = response.json()  # auth_token['access_token'] is the bearer token
```

Use the Marketplace metering service API to emit usage.
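The managed-identity flow of the VM steps and the Kubernetes snippet above, in one place. This is an added example, not code from the original article or from Microsoft: it requests a token from the instance metadata service for the metering resource (for the system-assigned identity, or for a user-assigned identity via `client_id`), reads the VM's subscription and resource group, and looks up the resource group's `managedBy` with a separate Resource Manager token. The HTTP transport is a function argument, so the flow can be run offline against `fake_fetch`, a constructed stand-in for the metadata service and Resource Manager that enforces the `Metadata: true` header the way the real endpoint does. Standard library only; the subscription, resource group and managed application IDs in the fake responses are invented.

```python
# Added example, not code from the original article: the managed-identity flow
# of the VM and Kubernetes steps with the transport injected, so it runs offline
# against the constructed fake_fetch at the bottom. Standard library only.
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata"
ARM = "https://management.azure.com/"
METERING_RESOURCE = "00001111-aaaa-2222-bbbb-3333cccc4444"  # placeholder from the article


def http_get(url, headers):
    """Real transport: GET and return the body as text."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def imds_token(resource, client_id=None, fetch=http_get):
    """Token from the instance metadata service for `resource`.
    Metadata: true is mandatory (the service rejects requests without it, which
    is what stops a plain SSRF from harvesting tokens). client_id selects a
    user-assigned identity; leave it out for the system-assigned identity."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS}/identity/oauth2/token?{urllib.parse.urlencode(params)}"
    token = json.loads(fetch(url, {"Metadata": "true"}))
    if token.get("resource") != resource:
        raise ValueError("metadata service returned a token for a different resource")
    return token


def bearer_header(token):
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def metering_auth_header(client_id=None, fetch=http_get):
    """Authorization header for calls to the metering service."""
    return bearer_header(imds_token(METERING_RESOURCE, client_id, fetch))


def managed_app_id(fetch=http_get):
    """managedBy of the VM's own resource group, i.e. the managed application
    resource ID (managed application case; not needed for Kubernetes apps).
    Uses a separate ARM token; the identity needs at least Reader on the group."""
    compute = json.loads(fetch(f"{IMDS}/instance?api-version=2019-06-01",
                               {"Metadata": "true"}))["compute"]
    arm_token = imds_token(ARM, fetch=fetch)
    url = (f"{ARM}subscriptions/{compute['subscriptionId']}"
           f"/resourceGroups/{compute['resourceGroupName']}?api-version=2019-10-01")
    return json.loads(fetch(url, bearer_header(arm_token))).get("managedBy")


# Constructed stand-in for the metadata service and ARM so the flow runs without
# a VM. It records every call so a check can confirm what was sent, and rejects
# metadata requests that lack the Metadata header, as the real service does.
CALLS = []


def fake_fetch(url, headers):
    CALLS.append((url, headers))
    parsed = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parsed.query)
    if parsed.netloc == "169.254.169.254" and headers.get("Metadata") != "true":
        raise RuntimeError("400 Bad Request: Metadata header missing")
    if parsed.path == "/metadata/identity/oauth2/token":
        return json.dumps({"token_type": "Bearer", "expires_in": "86400",
                           "resource": query["resource"][0],
                           "client_id": query.get("client_id", ["system-assigned"])[0],
                           "access_token": "tok-for-" + query["resource"][0]})
    if parsed.path == "/metadata/instance":
        return json.dumps({"compute": {"subscriptionId": "00000000-0000-0000-0000-000000000001",
                                       "resourceGroupName": "mrg-contoso-app"}})
    if parsed.netloc == "management.azure.com" and parsed.path.startswith("/subscriptions/"):
        if headers.get("Authorization") != "Bearer tok-for-" + ARM:
            raise RuntimeError("401 Unauthorized")
        return json.dumps({"managedBy": "/subscriptions/00000000-0000-0000-0000-000000000001"
                                        "/resourceGroups/rg-customer/providers/Microsoft.Solutions"
                                        "/applications/contoso-app"})
    raise ValueError("unexpected request: " + url)
```

Two tokens are deliberately kept apart: the one with `resource=https://management.azure.com/` only serves the `managedBy` lookup, while the one with the metering application ID as its resource is the only one that goes to the metering API. Swapping them is the most common mistake in this flow and shows up as a 401 from whichever service receives the wrong audience.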