How can I resolve this issue with Authenticating to the Marketplace SaaS Fulfillment API?

Robert Winger 5 Reputation points
2025-06-13T19:23:03.2833333+00:00

I am currently working on a web app that communicates with the Marketplace SaaS Fulfillment API.

I can get an Auth token from the oauth token endpoint using tenant ID, client ID and client Secret from my single tenant App Registration (that I am using to communicate with the Marketplace API).

I have inspected the token returned in jwt.ms and everything looks to be correct, but when passing the Auth token into a Marketplace API endpoint I get the error:

"The Authorization Token included in the request is valid, however it does not include the correct audience or the entra app id."

Please let me know if you can recommend how to resolve this issue.

Thank you!

Azure | Azure ISV (Independent Software Vendor)

2 answers

  1. Chiugo Okpala 1,910 Reputation points MVP
    2025-06-13T21:28:14.96+00:00

    @Robert Winger welcome to the Microsoft Q&A community.

    It sounds like your authentication token is valid but missing the correct audience or Entra app ID, which is causing the Marketplace SaaS Fulfillment API to reject it. Here are a few things you can check:

    1. Ensure the correct audience (aud) claim – The token must include the correct audience value that matches the API you are trying to access. Verify that the aud claim in your token matches the expected value for the Marketplace API.
    2. Confirm the Entra app ID – The API might be expecting a specific Entra app ID in the token. Double-check that your app registration is correctly configured and that the token includes the right app ID.
    3. Use the correct endpoint for token acquisition – Make sure you are requesting the token from the correct OAuth endpoint that is intended for Marketplace API authentication.
    4. Check API permissions – Your app registration should have the necessary permissions to access the Marketplace API. Ensure that the required API permissions are granted in Microsoft Entra ID.
    5. Validate the token with Microsoft documentation – You can compare your token structure with examples provided in Microsoft's official documentation to ensure it meets the expected format.

    You might find additional insights in discussions on Microsoft Q&A or Stack Overflow.

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    Also, if this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

  2. Jason Luo 0 Reputation points
    2025-07-02T06:40:33.3866667+00:00

    I have the same question!

    The authorization token included in the request is valid, however it does not include the correct audience or the entra app id.

    https://learn.microsoft.com/en-us/partner-center/marketplace-offers/pc-saas-registration

    https://learn.microsoft.com/en-us/partner-center/marketplace-offers/pc-saas-fulfillment-subscription-api#resolve-a-purchased-subscription

    Target resource for which the token is requested with a default scope. Use 20e940b3-4c77-4b0b-9a53-9e16a1b010a7/.default because Marketplace SaaS API is always the target resource in this case.

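A local check of the claims this thread is about, as an added example that is not part of any post above and not Microsoft's code: it decodes a token's payload the way jwt.ms does and reports which of `aud`, the client app ID and `tid` do not match what you expect. The function names, tenant and app IDs and both sample tokens are constructed; it assumes the token's `aud` carries the resource ID quoted in the second answer, and it does not verify the signature.

```python
import base64
import json

# Resource ID quoted in the thread's second answer (used there as <id>/.default).
MARKETPLACE_RESOURCE_ID = "20e940b3-4c77-4b0b-9a53-9e16a1b010a7"

def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, expected_app_id, expected_tenant_id):
    """Return a list of mismatches; an empty list means the claims line up."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if MARKETPLACE_RESOURCE_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {MARKETPLACE_RESOURCE_ID!r}")
    # Entra v1.0 access tokens name the client in 'appid', v2.0 tokens in 'azp'.
    app_id = claims.get("appid") or claims.get("azp")
    if app_id != expected_app_id:
        problems.append(f"client app id is {app_id!r}, expected {expected_app_id!r}")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {expected_tenant_id!r}")
    return problems

def _sample_token(claims):
    """Build a constructed token with a placeholder signature so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

# Constructed sample values, not real identifiers.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
APP_ID = "22222222-2222-2222-2222-222222222222"
GOOD_TOKEN = _sample_token({"aud": MARKETPLACE_RESOURCE_ID, "appid": APP_ID, "tid": TENANT_ID})
# Same client and tenant, but the token was requested for a different resource.
WRONG_AUD_TOKEN = _sample_token({"aud": "https://graph.microsoft.com", "appid": APP_ID, "tid": TENANT_ID})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong aud", WRONG_AUD_TOKEN)]:
        print(name, "->", diagnose(tok, APP_ID, TENANT_ID) or "claims match")
```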
