windows-itpro-docs/windows/client-management/mdm/management-tool-for-windows-store-for-business.md

title, description, MS-HAID, ms.reviewer, manager, ms.author, ms.topic, ms.prod, ms.technology, author, ms.date

title	description	MS-HAID	ms.reviewer	manager	ms.author	ms.topic	ms.prod	ms.technology	author	ms.date
Management tool for the Microsoft Store for Business	The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.	p_phdevicemgmt.business_store_portal_management_tool p_phDeviceMgmt.management_tool_for_windows_store_for_business		aaroncz	vinpa	article	w10	windows	vinaypamnani-msft	10/27/2017

Management tool for the Microsoft Store for Business

The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.

Here's the list of the available capabilities:

• Support for enterprise identities – Enables end users within an organization to use the identity that has been provided to them within the organization. This feature enables an organization to keep control of the application and eliminates the need for an organization to maintain another set of identities for their users.
• Bulk acquisition support of applications – Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
• License reclaim and reuse – Enables an enterprise to keep value in their purchases by allowing the ability to unassign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization, they keep ownership of the application.
• Flexible distribution models for Microsoft Store apps – Allows enterprises to integrate with an organization's infrastructure. It also allows the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
• Custom Line of Business app support – Enables management and distribution of enterprise applications through the Store for Business.
• Support for Windows client devices - The Store for Business supports client devices.

For more information, see Microsoft Store for Business and Education.

Management services

The Store for Business provides services that enable a management tool to synchronize new and updated applications for an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provide several features, including providing application data, can assign and reclaim applications, and can download offline-licensed application packages.

• Application data: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This metadata includes:

  • The application identifier that's used to deploy online license applications
  • Artwork for an application that's used to create a company portal
  • Localized descriptions for applications

• Licensing models:

  • Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity, and rely on the store services on the device to get an application from the store. It's similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
  • Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed applications don't require connectivity to the store. It can be updated directly from the store if the device has connectivity, and the app update policies allow updates to be distributed using the store.

Offline-licensed application distribution

The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.

Online-licensed application distribution

The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application.

Integrate with Azure Active Directory

The Store for Business services use Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business.

The following articles have more information about Azure AD, and how to register your application within Azure AD:

• Adding an application to Azure Active Directory - Azure Active Directory integration with MDM
• Accessing other Web applications and configuring your application to access other APIs - Integrating Applications with Azure Active Directory
• Authenticating to the Store for Business services via Azure AD - Authentication Scenarios for Azure Active Directory

For code samples, see Microsoft Azure Active Directory Samples and Documentation in GitHub. Patterns are similar to Daemon-DotNet and ConsoleApp-GraphAPI-DotNet.

Configure your Azure AD application

See Quickstart: Register an application with the Microsoft identity platform for the steps to configure your Azure AD app.

Azure AD Authentication for MTS

MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The authorization token is for the Azure AD application representing the MDM component (service/daemon/on-prem instance) within the context of the directory/tenant it will be working on behalf-of.

Here are the details for requesting an authorization token:

• Login Authority = https://login.windows.net/<TargetTenantId>
• Resource/audience = https://onestore.microsoft.com: The token audience URI is an application identifier for which the token is being generated. It's not a URL for a service endpoint or a web page.
• ClientId = your Azure AD application client ID
• ClientSecret = your Azure AD application client secret/key

Using the management tool

After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:

• First the ability to get new or updated applications.
• Second the ability to assign or reclaim applications.

The diagram below shows the call patterns for acquiring a new or updated application.

Here is the list of available operations:

• Get Inventory
• Get product details
• Get localized product details
• Get offline license
• Get product packages
• Get product package
• Get seats
• Get seat
• Assign seats
• Reclaim seat from user
• Bulk assign and reclaim seats for users
• Get seats assigned to a user