Azure / Commercial-Marketplace-SaaS-Accelerator

A reference example with sample code for developers interested in publishing transactable Software-as-a-Service offers in the Microsoft commercial marketplace.
MIT License
179 stars 275 forks

Solution not compliant with Marketplace due to violation of SaaS Policy 1000.4 #699

Open hesperanca opened 2 months ago

hesperanca commented 2 months ago

We just received a report from Microsoft saying that our marketplace offer is in violation of Policy 1000.4. Their message says:

"The publisher tokens you are using to access SaaS APIs do not have service principal claim and do not follow the Microsoft Commercial Marketplace guidelines (for registering SaaS applications). Please note that the Entra app id must be registered in the tenant that you use when generating the Publisher tokens. You must fix the issue by May 31, 2024, to avoid any disruption to your service."

We are running version 7.5.1 and installed the SaaS accelerator about 2 months ago using the instructions from here: https://github.com/Azure/Commercial-Marketplace-SaaS-Accelerator/blob/main/docs/Installation-Instructions.md

Any help on how to resolve the issue would be great.

Many thanks.

santhoshb-msft commented 2 months ago

Hi @hesperanca Creating a service principal for the Fulfilment App Reg should fix the issue. Please follow the guidelines in the message. Let me know any questions.

ynasyr commented 2 months ago

hi @santhoshb-msft,

We have the same issue. Could you kindly share a screenshot or provide guidance on where exactly to do this?

Many thanks.

hesperanca commented 2 months ago

Hi @santhoshb-msft,

Thanks for your reply.

Which one is the fulfilment app?

Is it the multi-tenant app with the customer landing page or the single-tenant admin app?

Many thanks.

adrian-spear commented 2 months ago

@santhoshb-msft

> Hi @hesperanca Creating a service principal for the Fulfilment App Reg should fix the issue. Please follow the guidelines in the message. Let me know any questions.

The guidelines provided do not resolve the issue. Attempting to create a service principal using a URL request fails because the app reg does not include any Microsoft Graph permissions, e.g.:

`https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=&redirect_uri=https://www.your-app-url.com`

> AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant.

I upgraded my install to 7.6.1 release - change notes reference adding service principal. This has also not resolved the issue.

Please provide explicit instructions on how to make this configuration change.

Vedashri-cloudcserve commented 2 months ago

Please guide. Facing the same issue. @santhoshb-msft, do we just need to add a service principal, or do we need to change code according to it? If yes, then please guide on that also. Thanks.

hesperanca commented 2 months ago

@adrian-spear, @santhoshb-msft

> The guidelines provided do not resolve the issue. Attempting to create a service principal using a URL request fails because the app reg does not include any Microsoft Graph permissions, e.g.: `https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=&redirect_uri=https://www.your-app-url.com`
>
> AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant.

I got the same error when following the instructions. I'm assuming that there will be a lot of people in the same situation.

adrian-spear commented 2 months ago

@hesperanca @santhoshb-msft

Ok - I fixed mine - here's how.

Use Azure CLI and execute the following command:

```shell
az ad sp create --id <Fulfilment App Reg App Id>
```

This will create the required Security Principal and add the required 'oid' claim to the token.

santhoshb-msft commented 2 months ago

Spot on. Thank you @adrian-spear!

hesperanca commented 2 months ago

Thanks @adrian-spear & @santhoshb-msft

Can you please clarify which one is the Fulfilment app? Is this the Publisher Portal (single-tenant app) or the Subscription Portal (multi-tenant app with the landing page)?

Many thanks.

santhoshb-msft commented 2 months ago

@hesperanca It is typically the single tenant one which is also used in your offer.

PetrMc commented 2 months ago

Hello All! Can someone explain in more detail, please: (a) what is the fulfilment ID and how to obtain it, preferably using Azure CLI; (b) how to validate that the offer doesn't have the required field in the token before the change and then confirm it's there after executing the command, specifically which endpoint should be queried; (c) does the offer require resubmission after issuing the command shared by @adrian-spear?

Thank you!

PetrMc commented 2 months ago

Answering my own question, in case someone else is looking for an answer:

```shell
export TENANT_ID=<this is your Azure Tenant ID - "A" on the screenshot>
export FULLFILMENT_ID=<this is application specific - "B" on the screenshot>
export SECRET=<if you don't have one, you can generate it using section "C" from the screenshot>
HARDCODED_RESOURCE_ID="20e940b3-4c77-4b0b-9a53-9e16a1b010a7"  # per https://learn.microsoft.com/en-us/partner-center/marketplace/partner-center-portal/pc-saas-registration
```

(screenshots of the Entra app registration not reproduced)

```shell
# client_credentials grant against the v1 token endpoint; --data-urlencode keeps a
# secret containing '&', '+' or '%' from being mangled on the way out.
token=$(curl -sX POST \
  "https://login.microsoftonline.com/${TENANT_ID}/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=${FULLFILMENT_ID}" \
  --data-urlencode "client_secret=${SECRET}" \
  --data-urlencode "resource=${HARDCODED_RESOURCE_ID}" \
  | jq -r .access_token)
```

Display the token value:

```shell
echo "$token"
```

Go to jwt.io and decode: no oid. Run the command from @adrian-spear:

```shell
az ad sp create --id "${FULLFILMENT_ID}"
```

Re-run the curl command and make sure the decoded new token has oid in it:

```shell
token=$(curl -sX POST \
  "https://login.microsoftonline.com/${TENANT_ID}/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=${FULLFILMENT_ID}" \
  --data-urlencode "client_secret=${SECRET}" \
  --data-urlencode "resource=${HARDCODED_RESOURCE_ID}" \
  | jq -r .access_token)

echo "$token"
```

Use the token to validate the call (the call is required for the Azure team to whitelist your solution):

```shell
curl -I -X GET \
  "https://marketplaceapi.microsoft.com/api/saas/subscriptions?api-version=2018-08-31" \
  -H "Content-Type: application/json" \
  -H "authorization: Bearer ${token}" \
  -H "resource: ${HARDCODED_RESOURCE_ID}"
```

If you get 200, you're done.
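The two posts above (the `az ad sp create` fix and the before/after token check) both come down to one question: does the publisher token carry an `oid` claim for the fulfilment app in the tenant it was requested from? The script below is an added example, not code from the SaaS Accelerator or from anyone in this thread. It does locally what the post does by pasting the token into jwt.io, which avoids handing a live bearer token to a third-party site: it base64url-decodes the JWT payload without verifying the signature and checks `oid`, `appid`, `tid` and `aud`. The tenant, app and object GUIDs and the two sample tokens are constructed placeholders; the resource id is the one from the pc-saas-registration docs quoted above.

```python
"""Offline check of a Marketplace publisher token for the service-principal claim.

Added example; not part of the SaaS Accelerator. Decodes the JWT payload WITHOUT
verifying the signature (fine for inspecting your own token, never for authz)
and reports what would need fixing. GUIDs and tokens below are constructed.
"""
from __future__ import annotations

import base64
import json

# Resource id of the SaaS Fulfillment API, per the pc-saas-registration docs.
MARKETPLACE_RESOURCE = "20e940b3-4c77-4b0b-9a53-9e16a1b010a7"

# Constructed placeholder identifiers (not a real tenant, app or object id).
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_ID = "11111111-2222-3333-4444-555555555555"
SP_OBJECT_ID = "99999999-8888-7777-6666-555555555555"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_publisher_token(token: str, app_id: str, tenant_id: str) -> list[str]:
    """Return the problems found; an empty list means the token looks compliant."""
    claims = decode_jwt_payload(token)
    problems: list[str] = []
    if "oid" not in claims:
        # No service principal for the app in this tenant: the fix from the thread.
        problems.append(f"missing 'oid' claim; run: az ad sp create --id {app_id}")
    if claims.get("appid") != app_id:
        problems.append(f"appid {claims.get('appid')!r} is not the fulfilment app {app_id!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} is not the expected tenant {tenant_id!r}")
    if claims.get("aud") != MARKETPLACE_RESOURCE:
        problems.append(f"aud {claims.get('aud')!r} is not the marketplace resource id")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token used only so this runs offline."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


_BASE_CLAIMS = {
    "aud": MARKETPLACE_RESOURCE,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "appid": APP_ID,
    "tid": TENANT_ID,
}
# Shape of the token the thread reports before the fix: no oid at all.
TOKEN_BEFORE = make_sample_token(_BASE_CLAIMS)
# After `az ad sp create --id $APP_ID`: the service principal's object id is the oid.
TOKEN_AFTER = make_sample_token({**_BASE_CLAIMS, "oid": SP_OBJECT_ID, "sub": SP_OBJECT_ID})


if __name__ == "__main__":
    for label, tok in (("before fix", TOKEN_BEFORE), ("after fix", TOKEN_AFTER)):
        problems = check_publisher_token(tok, APP_ID, TENANT_ID)
        print(f"{label}: {'OK' if not problems else problems}")
```

To check a real token, pass the `$token` value from the curl command above to `check_publisher_token` together with your fulfilment app id and tenant id. An empty result is the same evidence the post obtains from jwt.io (oid present); a non-empty result names the claim that is off, which is also useful when the app id or tenant in your offer does not match the one the token was minted for.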

Vedashri-cloudcserve commented 2 months ago

Hi @PetrMc, @santhoshb-msft , @adrian-spear

Thanks for your responses! I checked in jwt.io and now the oid is visible. After this I republished the offer and it published successfully. I have also created a support ticket, and the support team is saying the issue still persists. How did you verify with the Microsoft team whether the violation is resolved or not?

Please help me with this.

PetrMc commented 2 months ago

@Vedashri-cloudcserve - it's just an assumption that the issue described is not present anymore. Also, it seems that the change doesn't require resubmitting your offer.

it would be great if someone from Azure team could confirm and maybe update this repo with the instructions for any new submissions.

santhoshb-msft commented 2 months ago

@Vedashri-cloudcserve @PetrMc

That's right.

  1. There is no need to republish.
  2. If you see the oid in the claims, then you are set; no other action is needed. If you would like further confirmation, please raise a support ticket from within Partner Center.

hesperanca commented 2 months ago

Hi @santhoshb-msft,

I've fixed the issue and I'm getting the oid in the token but I'm still receiving messages from the marketplace team saying that the offer still has the same problem and needs fixing asap.

Can someone please help?

Many thanks.

santhoshb-msft commented 2 months ago

Hi @hesperanca If you have already fixed it, you should be good, and most likely the message should say this. Happy to help; can you please raise a support ticket in Partner Center and ask them to loop me in.

hesperanca commented 2 months ago

Hi @santhoshb-msft,

Thanks for the quick reply. This is getting really frustrating now. I've raised a ticket when the issue was first raised by the compliance team. I then fixed the issue and re-published the offer as per their request. The offer was then approved and I got a confirmation from the compliance team that the offer was live and was approved. But now I've just received another message saying that the issue needs fixing asap or else the offer will be removed.

This is getting really messy and frustrating.

hesperanca commented 2 months ago

Hi @santhoshb-msft

Can you please let me know how I can get your email address so that I can cc you in the communications with the certification team?

Many thanks.

santhoshb-msft commented 2 months ago

Again, I'm getting a feeling there could be multiple things in play here. Could you please respond on the support thread to add me in.

Also, for this issue the message should say a couple of things: no need to publish, and no action if you have the oid.

santhoshb-msft commented 2 months ago

Got your message. We got you and will help you get this resolved on the email thread.

hesperanca commented 2 months ago

Thanks @santhoshb-msft,

Really appreciate your help.

Regards.