Deprecate Azure AD graph token

Applies to: Partner Center | Partner Center operated by 21Vianet | Partner Center for Microsoft Cloud for US Government

To improve our security posture, we're deprecating graph.windows.net audience tokens. To align with this improvement, we're changing how you call Partner Center APIs. Take the necessary actions to prepare for this change.

Important

If you use the generateToken API, stop decoding the token in the API response, and remove dependency on any of the claims in the token that the API returns. The newer version of the API might not contain all the claims.

Here's what you can expect:

  • Coming soon:
    • A new version of the generateToken API, https://api.partnercenter.microsoft.com/v3/generatetoken, is coming soon. It only accepts api.partnercenter.microsoft.com audience tokens for both user token and app-only scenarios. Partners must make this change before the end of August 2025.
    • If you call the Partner Center API directly by sending an Azure AD Graph audience token, you must start sending an api.partnercenter.microsoft.com audience token instead.
      • Current: resource=https://graph.windows.net&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
      • Proposed: resource=https://{domain}&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
        • For example, resource=https://api.partnercenter.microsoft.com&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
    • For China, https://graph.chinacloudapi.cn must be changed to https://partner.partnercenterapi.microsoftonline.cn.
  • Planned for August 2025:
    • The older version of the generateToken API is being deprecated (v3 continues to work).
    • Partner Center APIs no longer accept graph.windows.net audience tokens.
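
The resource change listed above can be checked and applied mechanically to stored token request bodies. The following is an added example, not code from Microsoft or Partner Center: the function names, the sample bodies, and the client ID and secret values are constructed for illustration, and only the resource URLs come from this page.

```python
from urllib.parse import parse_qsl, urlencode

# Deprecated Azure AD Graph resources and their replacements, as listed above.
RESOURCE_MIGRATION = {
    "https://graph.windows.net": "https://api.partnercenter.microsoft.com",
    "https://graph.chinacloudapi.cn": "https://partner.partnercenterapi.microsoftonline.cn",
}

def _normalize(resource):
    # Compare case-insensitively and ignore a trailing slash.
    return resource.strip().rstrip("/").lower()

def migrate_token_request(body):
    """Rewrite a form-encoded client_credentials body.

    Returns (new_body, changed). Only the `resource` parameter is touched;
    every other parameter keeps its value and position.
    """
    changed = False
    out = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "resource" and _normalize(value) in RESOURCE_MIGRATION:
            value = RESOURCE_MIGRATION[_normalize(value)]
            changed = True
        out.append((key, value))
    return urlencode(out), changed

def audit(bodies):
    """Return the names of request bodies that still use a deprecated resource."""
    return sorted(name for name, body in bodies.items()
                  if migrate_token_request(body)[1])

# Constructed sample request bodies (hypothetical job names and credentials).
SAMPLE_BODIES = {
    "billing-sync": "resource=https://graph.windows.net&client_id=constructed-id"
                    "&client_secret=constructed-secret&grant_type=client_credentials",
    "china-sync": "resource=https://graph.chinacloudapi.cn/&client_id=constructed-id"
                  "&client_secret=constructed-secret&grant_type=client_credentials",
    "already-migrated": "resource=https://api.partnercenter.microsoft.com"
                        "&client_id=constructed-id&client_secret=constructed-secret"
                        "&grant_type=client_credentials",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_BODIES):
        new_body, _ = migrate_token_request(SAMPLE_BODIES[name])
        # Print only the new resource value, never the secret.
        print(name, "->", dict(parse_qsl(new_body))["resource"])
```

The rewritten body is percent-encoded by `urlencode`, which is the form an `application/x-www-form-urlencoded` token request expects.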