Open hesperanca opened 2 months ago
Hi @hesperanca Creating a service principal for the Fulfilment App Reg should fix the issue. Please follow the guidelines in the message. Let me know any questions.
hi @santhoshb-msft,
We have the same issue, could you kindly share a screenshot or provide guidance on where exactly do this ?
Many thanks.
Hi @santhoshb-msft,
Thanks for your reply.
Which one is the fulfilment app?
Is it the multi-tenant app with the customer landing page or the single-tenant admin app?
Many thanks.
@santhoshb-msft
Hi @hesperanca Creating a service principal for the Fulfilment App Reg should fix the issue. Please follow the guidelines in the message. Let me know any questions.
The guidelines provided do not resolve the issue. Attempting to create a service principal using a url request fails because the app reg does not include any Microsoft Graph permissions:
e.g.
'https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id='
AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant.
I upgraded my install to 7.6.1 release - change notes reference adding service principal. This has also not resolved the issue.
Please provide explicit instructions on how to make this configuration change.
Please guide. Facing the same issue. @santhoshb-msft, do we just need to add a service principal, or do we need to change the code according to it? If yes, then please guide on that as well. Thanks.
@adrian-spear, @santhoshb-msft
The guidelines provided do not resolve the issue. Attempting to create a service principal using a url request fails because the app reg does not include any Microsoft Graph permissions: e.g. 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=&redirect_uri=https://www.your-app-url.com'
AADSTS650056: Misconfigured application. This could be due to one of the following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the configuration or consent on behalf of the tenant.
I got the same error when following the instructions. I'm assuming that there will be a lot of people in the same situation.
@hesperanca @santhoshb-msft
Ok - I fixed mine - here's how.
Use Azure CLI and execute the following command:
az ad sp create --id <Fulfilment App Reg App Id>
This will create the required Security Principal and add the required 'oid' claim to the token.
Spot on. Thank you @adrian-spear!
Thanks @adrian-spear & @santhoshb-msft
Can you please clarify which one is the Fulfilment app? Is this the Publisher Portal (single tenant app) or the Subscription Portal (multi-tenant app with the landing page)?
Many thanks.
@hesperanca It is typically the single tenant one which is also used in your offer.
Hello All! Can someone explain in more detail, please: (a) what is the fulfilment ID and how to obtain it - preferably using Azure CLI; (b) how to validate that the offer doesn't have the required field in the token before the change and then confirm it's there after the execution of the command - specifically, what endpoint should be queried; (c) does the offer require resubmission after issuing the command shared by @adrian-spear?
Thank you!
Answering my own question in case someone else is looking for an answer:
export TENANT_ID=<this is your Azure Tenant ID - "A" on screenshot>
export FULLFILMENT_ID=<this is application specific - "B" on screenshots>
export SECRET=<if you don't have one - you can generate it using "C" section fromm the screenshot>
HARDCODED_RESOURCE_ID="20e940b3-4c77-4b0b-9a53-9e16a1b010a7" # per https://learn.microsoft.com/en-us/partner-center/marketplace/partner-center-portal/pc-saas-registration
token=$(curl -sX POST \
https://login.microsoftonline.com/${TENANT_ID}/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=${FULLFILMENT_ID}" \
-d "client_secret=${SECRET}" \
-d "resource=${HARDCODED_RESOURCE_ID}" \
| jq -r .access_token)
display the token value:
echo $token
go to jwt.io and decode - no oid. Run the command from @adrian-spear
az ad sp create --id ${FULLFILMENT_ID}
re-run the curl command and make sure the decoded new token has oid in it:
token=$(curl -sX POST \
https://login.microsoftonline.com/${TENANT_ID}/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=${FULLFILMENT_ID}" \
-d "client_secret=${SECRET}" \
-d "resource=${HARDCODED_RESOURCE_ID}" \
| jq -r .access_token)
echo $token
use the token to validate the call (the call is required for the Azure team to whitelist your solution):
curl -I -X GET \
https://marketplaceapi.microsoft.com/api/saas/subscriptions?api-version=2018-08-31 \
-H "Content-Type: application/json" \
-H "authorization: Bearer ${token}" \
-H "resource: ${HARDCODED_RESOURCE_ID}"
if you get 200 - you're done.
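The check in the steps above (decode the publisher token and look for the oid claim, before and after running az ad sp create) can be done locally without pasting the token into a website. The script below is an added example, not code from this thread or from the SaaS Accelerator project: it base64url-decodes the payload segment of a JWT and reports whether an oid claim (the service principal's object id) is present. The helper names (b64url_encode, b64url_decode, make_token, jwt_payload, jwt_oid) are this example's own, and the two tokens it inspects are constructed inline with made-up claim values and a placeholder signature; on a real token you would pass the value of ${token} from the curl command instead.

```shell
#!/bin/sh
# Added example: local check for the 'oid' claim in a JWT access token.
# All helper names are this example's own; sample tokens are constructed below.

# base64url-encode stdin (no padding, URL-safe alphabet); works with GNU and BSD base64.
b64url_encode() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Decode one base64url JWT segment: restore '=' padding and the standard alphabet.
b64url_decode() {
  seg="$1"
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | tr '_-' '/+' | base64 --decode
}

# Build a JWT-shaped token from a claims JSON string. The signature is a placeholder:
# only the payload is inspected here, nothing is verified.
make_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  body=$(printf '%s' "$1" | b64url_encode)
  printf '%s.%s.%s\n' "$hdr" "$body" "placeholdersignature"
}

# Print the decoded claims JSON (second dot-separated segment) of a token.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the oid claim and return 0; return 1 if the token carries no oid claim.
jwt_oid() {
  claims=$(jwt_payload "$1") || return 1
  oid=$(printf '%s' "$claims" | sed -n 's/.*"oid"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$oid" ] || return 1
  printf '%s\n' "$oid"
}

# Demo on constructed tokens (the GUIDs below are made up, not real tenant or app ids).
# BEFORE mimics a token issued while the app has no service principal: no oid claim.
BEFORE=$(make_token '{"aud":"20e940b3-4c77-4b0b-9a53-9e16a1b010a7","appid":"00000000-0000-0000-0000-000000000001"}')
# AFTER mimics a token issued once the service principal exists: oid is present.
AFTER=$(make_token '{"aud":"20e940b3-4c77-4b0b-9a53-9e16a1b010a7","appid":"00000000-0000-0000-0000-000000000001","oid":"11111111-2222-3333-4444-555555555555"}')

for t in "$BEFORE" "$AFTER"; do
  if oid=$(jwt_oid "$t"); then
    echo "oid present: $oid"
  else
    echo "no oid claim: create the service principal (az ad sp create --id <app id>) and request a new token"
  fi
done
```

To use it on a real token, replace the demo loop with `jwt_oid "$token"` after the curl call; a zero exit status means the oid claim is there. The script only decodes the payload, it does not validate the signature, so it answers "does this token carry oid" and nothing more.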
Hi @PetrMc, @santhoshb-msft , @adrian-spear
Thanks for your responses!! I checked in jwt.io, and now oid is visible. After this I republished the offer and it was published successfully. I have also created a support ticket, and the support team is saying the issue still persists. How did you verify with the Microsoft team whether the violation is resolved or not?
Please help me with this.
@Vedashri-cloudcserve - it's just an assumption that the issue described is not present anymore. Also it seems that the change doesn't require you to resubmit your offer.
It would be great if someone from the Azure team could confirm and maybe update this repo with the instructions for any new submissions.
@Vedashri-cloudcserve @PetrMc
That's right.
Hi @santhoshb-msft,
I've fixed the issue and I'm getting the oid in the token but I'm still receiving messages from the marketplace team saying that the offer still has the same problem and needs fixing asap.
Can please someone help.
Many thanks.
Hi @hesperanca If you have already fixed it, you should be good, and most likely the message should say this. Happy to help; can you please raise a support ticket in Partner Center and ask them to loop me in.
Hi @santhoshb-msft,
Thanks for the quick reply. This is getting really frustrating now. I've raised a ticket when the issue was first raised by the compliance team. I then fixed the issue and re-published the offer as per their request. The offer was then approved and I got a confirmation from the compliance team that the offer was live and was approved. But now I've just received another message saying that the issue needs fixing asap or else the offer will be removed.
This is getting really messy and frustrating.
Hi @santhoshb-msft
Can you please let me know how I can get your email address so that I can cc you in the communications with the certification team?
Many thanks.
Again, I'm getting a feeling there could be multiple things in play here. Could you please respond on the support thread to add me in.
Also, for this issue the message should say a couple of things: no need to publish, and no action if you have the oid.
Got your message. We got you and will help you get this resolved on the email thread.
Thanks @santhoshb-msft,
Really appreciate your help.
Regards.
We just received a report from Microsoft saying that our marketplace offer is in violation of Policy 1000.4. Their message says:
"The publisher tokens you are using to access SaaS APIs do not have service principal claim and do not follow the Microsoft Commercial Marketplace guidelines (for registering SaaS applications). Please note that the Entra app id must be registered in the tenant that you use when generating the Publisher tokens. You must fix the issue by May 31, 2024, to avoid any disruption to your service."
We are running version 7.5.1 and installed the SaaS accelerator about 2 months ago using the instructions from here: https://github.com/Azure/Commercial-Marketplace-SaaS-Accelerator/blob/main/docs/Installation-Instructions.md
Any help on how to resolve the issue would be great.
Many thanks.