Jaa


Deprecate Azure AD graph token

Applies to: Partner Center | Partner Center operated by 21Vianet | Partner Center for Microsoft Cloud for US Government

To improve our security posture, we're deprecating graph.windows.net audience tokens. To align with this improvement, we're changing how you call Partner Center APIs. Take the necessary actions to prepare for this change. Here is the timeline:

Starting now:

  • If you use the generateToken API, stop decoding the token in the API response, and remove dependency on any of the claims in the token that the API returns. The newer version of the API might not contain all the claims.

Coming soon:

  • A new version of the generatetoken API is available and ONLY accepts api.partnercenter.microsoft.com audience tokens for both usertoken and app only scenarios. Partners must make this change before the end of April 2025.
  • If you call the Partner Center API directly by sending an Azure AD Graph audience token, you must start sending api.partnercenter.microsoft.com.
    • Current: resource=https://graph.windows.net&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
    • Proposed: resource=https://{domain}&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
      • For example, resource=https://api.partnercenter.microsoft.com&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials

Soon to be:

  • The generatetoken API is deprecated.
  • Partner Center APIs no longer accept graph.windows.net audience tokens.

Authentication - Generate access token