Register an application
Important
In June 2022, we introduced multi-factor authentication as a requirement for Bing Ads. You may still need to make a code change in order to become compliant with this requirement. Microsoft Advertising is performing technical enforcement checks in early October.
This blog post outlines the steps you should take to ensure compliance.
For more information, see the multi-factor authentication requirement guide.
Before your application can authenticate Microsoft Advertising users, you must register your application in an Azure Active Directory (AAD) tenant and get the corresponding client ID and client secret.
Navigate to the Microsoft identity platform for developers in the Azure portal - App registrations page. You can log in using or a Work or School Account. Note: You can no longer log in using a personal Microsoft account.
Select New registration.
When the Register an application page appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
My browserless client
. - In the Supported account types section, select Accounts in any organizational directory and personal Microsoft accounts.
Important
You must select Accounts in any organizational directory and personal Microsoft accounts during the initial app registration. This setting cannot be updated later in the portal unless you modify the application manifest e.g.,
"signInAudience": "AzureADandPersonalMicrosoftAccount"
.- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
Select Register to create the application.
On the app Overview page, find the Application (client) ID value and record it for later. You will use it as the
client_id
when you request user consent and get an access token.Select the Add a Redirect URI link and then you should see the Redirect URIs page.
- For web applications, provide the base URL of your application. For example, http://localhost:31544 might be the URL for a web application running on your local machine. Users would use this URL to sign into a web client application.
- For public applications, locate the Suggested Redirect URIs for public clients (mobile, desktop) section. Select the https://login.microsoftonline.com/common/oauth2/nativeclient URI.
Important
Clients running apps on services that span regions and devices such as Microsoft Azure should register a web application with client secret. You can get a refresh token on one device and refresh it on another so long as you have the same client ID and client secret. If you register a public application without a client secret, then you cannot use a refresh token across devices. A confidential token is bound to the client secret.
For web applications, select Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires and choose Add. Copy the client secret value before leaving the page. You will use it later as the
client_secret
to get an access token.
Application behavior
- Registered application behavior is determined by how your Azure AAD tenant has been set up and how users can provide the consent for any app during authentication process. Your Azure AAD tenant administrator can review user consent settings here: https://video2.skills-academy.com/azure/active-directory/manage-apps/configure-user-consent?pivots=portal#configure-user-consent-settings.
- If you are trying to authenticate but receive error AADSTS650052, there are a few different root causes for this issue. This likely means that the Microsoft Advertising application ID (00001111-aaaa-2222-bbbb-3333cccc4444) doesn't exist in your tenant. This can happen if you are trying to authenticate to a tool provider and never created your own Azure App registration and added msads.manage to it. To fix this, you will need to contact the Active Directory administrator and have them run the following Graph API call to add the Microsoft Advertising app to your tenant.
POST https://graph.microsoft.com/v1.0/servicePrincipals Content-type: application/json { "appId": "00001111-aaaa-2222-bbbb-3333cccc4444" }
- After running the above command, you may also need to have your administrator grant consent to your tool provider by running the following URL in your browser. This URL grants consent to SA 360. Please replace "client_id=1234" with your tool provider's client ID and replace "tenantID" with your tenant ID: https://login.microsoftonline.com/"tenantID"/v2.0/adminconsent?client_id=00001111-aaaa-2222-bbbb-3333cccc4444&state=12345&scope=00001111-aaaa-2222-bbbb-3333cccc4444/msads.manage
- If you are still experiencing issues after following the above steps, please contact support.
- If you are trying to authenticate but receive error AADSTS650052, there are a few different root causes for this issue. This likely means that the Microsoft Advertising application ID (00001111-aaaa-2222-bbbb-3333cccc4444) doesn't exist in your tenant. This can happen if you are trying to authenticate to a tool provider and never created your own Azure App registration and added msads.manage to it. To fix this, you will need to contact the Active Directory administrator and have them run the following Graph API call to add the Microsoft Advertising app to your tenant.