Universal Print (UP) Printer Client ID Registration

Required OEM Printer Client Application API Permissions

Universal Print supports OAuth2 authorization access token issued by Azure. Developing a Universal Print ready printer requires the OEM to register a client application with Azure with the required set of permissions. OAuth2 defines 2 types of permission requests.

Delegated Scope Permissions

Scope Display String Description Admin Consent Required
Printers.Create Create and register a new printer. Allows the application to create and register a printer on behalf of the signed-in user. Yes

Application Scope Permissions

Scope Display String Description Admin Consent Required
Printers.Read Read printers the account have access to. Allows the application to read the printers without a signed-in user. Yes
PrinterProperties.ReadWrite Read and write printer properties and attributes the account has access to. Allows the application to read and write printer properties and attributes without a signed-in user. Yes
PrintJob.ReadWriteBasic Read and write the print job metadata. Allows the application to read and write the metadata of users' print jobs without a signed-in user. Yes
PrintJob.Read Read the print job metadata and payload. Allows the application to read the metadata and payload of users' print jobs without a signed-in user. Yes

OEM Printer Client Application Registration

  1. Create a multi-tenant app using your company's app development tenant.
  2. Configure the multi-tenant app to request the required set of permission scopes as defined above.
    • Printers.Create [Delegated]
    • Printers.Read [Application]
    • PrinterProperties.ReadWrite [Application]
    • PrintJob.ReadWriteBasic [Application]
    • PrintJob.Read [Application]

Register new application

new app registration

completing the registration

Copy the registered application ID for later use

save client ID

Set application authentication setting

configure app auth setting

Add required API permissions to application manifest

app manifest

  1. Find requiredResourceAccess section in the manifest
  2. Copy and paste the following required API permissions into the manifest. The simplest way is to replace the entire requiredResourceAccess section of the manifest.
"requiredResourceAccess": [
    {
        "resourceAppId": "da9b70f6-5323-4ce6-ae5c-88dcc5082966",
        "resourceAccess": [
            {
                "id": "3e306194-d6c5-43ad-afbb-0e7b16a9c10b",
                "type": "Scope"
            },
            {
                "id": "1c90a3a7-465b-49c4-adcc-c8ac83d3d3f8",
                "type": "Role"
            },
            {
                "id": "2b1bdd6b-9a0f-47c6-a806-b3e20cfd07a8",
                "type": "Role"
            },
            {
                "id": "b695614a-52ec-4835-9e13-bdf5ff4c7448",
                "type": "Role"
            },
            {
                "id": "11f87dac-027f-4d76-bd29-1ea1536b93da",
                "type": "Role"
            }
        ]
    }
],
Value Description
Scope This resource access is defined to use Delegated permission scope.
Role This resource access is defined to use Application permission scope.
da9b70f6-5323-4ce6-ae5c-88dcc5082966 The ID of Universal Print in the Azure global cloud.
3e306194-d6c5-43ad-afbb-0e7b16a9c10b The ID of Printers.Create permission.
1c90a3a7-465b-49c4-adcc-c8ac83d3d3f8 The ID of PrinterProperties.ReadWrite permission.
2b1bdd6b-9a0f-47c6-a806-b3e20cfd07a8 The ID of Printers.Read permission.
b695614a-52ec-4835-9e13-bdf5ff4c7448 The ID of PrintJob.Read permission.
11f87dac-027f-4d76-bd29-1ea1536b93da The ID of PrintJob.ReadWriteBasic permission.

add permission scopes to manifest

  • Save the changes.

Update OEM Printer Client Application Publisher

By default, the registered application will have an "unverified" publisher. If left unchanged, customers will see "unverified" in the permission consent dialog. Please follow How to: Configure an application's publisher domain to set the application publisher.

For quick reference, the core steps are: application branding page

updated application domain

Note

Once this Printer Client Application ID is integrated into the code running on the printer, the first time a printer using this ID is registering to Universal Print in a customer tenant, the Administrator will be prompted to consent this application.

When the publisher domain is updated to a validated domain, the application permission request consent dialog will display the validated domain value.

application admin consent

Sample OAuth 2.0 Device Authentication Request

Once the above steps have been completed, you can request for verify by issuing a HTTP POST request to https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode with a HTTP body syntax of

  • client_id={registered printer client ID}&scope=https%3A%2F%2Fprint.print.microsoft.com%2F.default
POST https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com

client_id=3e41cb36-3180-4566-bf3d-51ec873419e5&scope=https%3A%2F%2Fprint.print.microsoft.com%2F.default