Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: Partner Center | Partner Center operated by 21Vianet | Partner Center for Microsoft Cloud for US Government
To improve our security posture, we're deprecating graph.windows.net audience tokens. To align with this improvement, we're changing how you call Partner Center APIs. Take the necessary actions to prepare for this change.
Important
If you use the generateToken API, stop decoding the token in the API response, and remove dependency on any of the claims in the token that the API returns. The newer version of the API might not contain all the claims.
| Affected API: | Current | New |
|---|---|---|
| APP Only Auth | POST https://login.microsoftonline.com/{tenantId}/oauth2/token Accept: application/json resource=https://graph.windows.net&client_id={client-id-here}&client_secret={client-secret-here}&grant_type=client_credentials | POST https://login.microsoftonline.com/{tenantId}/oauth2/token resource=https://api.partnercenter.microsoft.com&client_id={client-id-here}&client_secret={client-secret-here}&grant_type=client_credentials |
| Generate Token | POST https://api.partnercenter.microsoft.com/generatetoken | POST https://api.partnercenter.microsoft.com/v3/generatetoken Will no longer accepts token with resource https://graph.windows.net |
Note
For Generate Token – If you don't use this API then you don't need to take any actions.
Action required: Graph.windows.net audience tokens retiring on August 31, 2025. To enhance our security measures, All Partner Center services that use Azure Active Directory graph API migrate to api.partnercenter.microsoft.com.
Note
There are "NO" changes for App + User (Secure App) API Partner Center authentication - Partner app developer | Microsoft Learn as it uses the resource as api.partnercenter.microsoft.com
Review your code to determine if you're using the API and resource "Graph.windows.net" and make necessary changes before August to prevent business disruption.
Here's what you can expect:
- Starting 27-February-2025:
- A new version of the generateToken API
https://api.partnercenter.microsoft.com/v3/generatetokenis available that only acceptsapi.partnercenter.microsoft.comaudience tokens for both usertoken and app-only scenarios. Partners must make this change before the end of August 2025. - If you call the Partner Center API directly by sending an Azure AD Graph audience token, you must start sending
api.partnercenter.microsoft.com.- Current:
resource=https://graph.windows.net&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials - New:
resource=https://{domain}&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials- For example,
resource=https://api.partnercenter.microsoft.com&client_id={client-ID-here}&client_secret={client-secret-here}&grant_type=client_credentials
- For example,
- Current:
- For China,
https://graph.chinacloudapi.cnmust be changed tohttps://partner.partnercenterapi.microsoftonline.cn
- A new version of the generateToken API
- As of August 2025:
- Older version of generatetoken API are deprecated (v3 continues to work)
- Partner Center APIs are no longer accepting
graph.windows.netaudience tokens - Usage of the retired token will receive a 401 response with error code 900420.