Usage and Authorized Applications guidelines

  • Article

In this article
Usage guidelines
Authorized Applications
Microsoft account Delegated Authentication service and Microsoft account Web Authentication service

Usage guidelines

You must:

You may not:

  • i. use the Live SDK or access the Microsoft Services except through an Authorized Application;

  • ii. take any action on behalf of an end user unless the end user has expressly granted you permission to take that action;

  • iii. transmit or propagate any virus, worm, or other harmful code;

  • iv. attempt to install any computer code on an end user's computer without first obtaining the end user's informed consent;

  • v. damage or disrupt, or attempt to gain unauthorized access to, an end user's computer or any Microsoft infrastructure (including any Microsoft server computers);

  • vi. use the Live SDK in a way that harms us, or any customer of a Microsoft party;

  • vii. encourage or require any end user or other entity to breach the terms of this Agreement or the Microsoft Services Agreement;

  • viii. encourage or require any end user or other entity to provide to you, or any party other than Microsoft, a password to a Microsoft account;

  • ix. transmit, offer, sell, advertise, license or deliver any infringing, defamatory, offensive or illegal products, services, content or other materials;

  • x. mislead any end user, including without limitation with respect to the source or origin of content or functionality on, or the operation of, any Authorized Application;

  • xi. exploit minors in any way;

  • xii. use any unauthorized means to use, access, modify or reroute, or attempt to use, access, modify or reroute, the Live SDK or Microsoft Services;

  • xiii. damage, disable, overburden or impair the Live SDK (or any network connected to the Microsoft Services) or interfere with anyone's use and enjoyment of the Live SDK;

  • xiv. except as expressly permitted in the Live SDK License Agreement, copy, modify or republish any Microsoft software that is a component of the Live SDK;

  • xv. use more than one Client ID in connection with a single Authorized Application;

  • xvi. falsify or alter an Client ID or any unique referral identifier in, or assigned to, an Authorized Application, or otherwise obscure or alter the source of queries coming from an Authorized Application;

  • xvii. intentionally omit or obscure any advertising we provide via the Live SDK or Microsoft Services;

  • xviii. resell the Live SDK, Microsoft Services or any part of any of the foregoing; or

  • xix. use any means we don't authorize under this Agreement to modify, reroute, or gain access to the Live SDK, APIs or the Microsoft Services, or attempt to carry out these activities; or use any automated process or service (such as a bot, a spider, periodic caching of information stored by Microsoft, or meta-searching) to access or use any of the foregoing.

Client ID. Depending on the type of Live SDK that you use, you may need to obtain a client identifier that enables an Authorized Application to access and use the Live SDK on a nonexclusive basis ("Client ID"). After you have agreed to the terms of this Agreement, and supplied all required information, we may provide you with online access to a Client ID. All information you provide to us as part of the Client ID provisioning process must be accurate. You are solely and entirely responsible for all uses of the Live SDK occurring under your Client ID.

Update to Usage guidelines. Microsoft may periodically update any of its policies and guidelines, which may be found at the above URLs or their successors, and these updated policies and guidelines will, on notice (which may include email) to you, be understood to replace the versions that they superseded.

Authorized Applications

a. Sign-in

You and your Authorized Application must present the end user with a sign-in screen with Microsoft branding as set forth in the OneDrive Branding Guidelines. You and your Authorized Application Sign-in screen must allow end users to:

  • i. sign up (on a one-time basis) to obtain a Microsoft account;

  • ii. sign-in to Microsoft Services; and

  • iii. agree (via an opt-in check box) to (1) allow the Authorized Application to access and modify certain content in relation to the end user, (2) import the end user s Microsoft data into the Authorized Application, and (3) export end user data for such end user into that end user s associated Microsoft account.

You and your Authorized Application may allow end users who have connected their Authorized Application with their Microsoft account to automatically sign-in to Microsoft Services, so that the end user is not prompted to sign-in with Microsoft account credentials each time the end user wants to connect your Authorized Application to the end user s Microsoft account.

b. User Control

You and your Authorized Application will give end users:

  • i. the ability to control and configure the scope of data being shared by Microsoft with you and your Authorized Application;

  • ii. the ability to modify their settings from time to time through a settings page that contains clickable links to your privacy policy, and terms of use for the Authorized Application; and

  • iii. the ability at any time to disconnect the Authorized Application from their Microsoft account.

a. Connection and Data Use

You and your Authorized Application will:

  • i. include prominent and persistent graphical indicators within the Authorized Application clearly showing the end user when such end user is connected to the Microsoft Services, as set forth in the Branding Guidelines;

  • ii. include prominent links to your privacy policy and terms of use for the Authorized Application;

  • iii. clearly inform each end user and obtain the end user s express (opt-in) acknowledgement and consent that end user data will be shared with Microsoft and that such data will be subject to the Microsoft Online Privacy Statement, and available for use with the end user s Microsoft account;

  • iv. only use any end user data from Microsoft Services in or in relation to your Authorized Application;

  • v. not use, display, or store end user data in any way that the end user has not expressly agreed to or that is inconsistent with your Authorized Application s privacy policy and terms of use, or in violation of any law;

  • vi. delete all end user data when directed to do so by the applicable end user;

  • vii. update all end user data for a given end user as soon as practicable after that end user accesses the Authorized Application and connects to Microsoft Services;

  • viii. not transfer to any third party any end user data from the Microsoft Service (including aggregate or anonymous information) without the end user s express (opt-in) consent; and

  • ix. respect end user control of end user data that is transferred from, or end user data that is transferred to, Microsoft Services.

The Microsoft account Delegated Authentication service may provide delegation control information to you. Delegation control information is system data such as authentication tokens, delegation tokens, identifiers for end users and other data not normally exposed to end users. You may use the delegation control information only as part of the Authorized Application to which the information was first sent. This information is sent to a single Authorized Application and may not be shared with other applications or websites. Also, you may only use the delegation control information for a particular end user to obtain access to that end user's data.

You may not use any automated process or service to access or use the Microsoft account Delegated Authentication service or the Microsoft account Web Authentication service, other than in direct response to an interactive request from an end user to authenticate in the Authorized Application.

Any Authorized Application that makes use of the Microsoft account Delegated Authentication service or Microsoft account Web Authentication service must provide a prominent link in order to permit end users to easily sign out of their Microsoft account. All applications under your control, including without limitation the Authorized Application, will respect an end user decision to sign out and will not cache or otherwise retain an association between an end user who has signed out and any identity that is based on the results returned from the service.

Microsoft account Delegated Authentication service and Microsoft account Web Authentication service

The Microsoft account Delegated Authentication service may provide delegation control information to you. Delegation control information is system data such as authentication tokens, delegation tokens, identifiers for end users and other data not normally exposed to end users. You may use the delegation control information only as part of the Authorized Application to which the information was first sent. This information is sent to a single Authorized Application and may not be shared with other applications or websites. Also, you may only use the delegation control information for a particular end user to obtain access to that end user's data.

You may not use any automated process or service to access or use the Microsoft account Delegated Authentication service or the Microsoft account Web Authentication service, other than in direct response to an interactive request from an end user to authenticate in the Authorized Application.

Any Authorized Application that makes use of the Microsoft account Delegated Authentication service or Microsoft account Web Authentication service must provide a prominent link in order to permit end users to easily sign out of their Microsoft account. All applications under your control, including without limitation the Authorized Application, will respect an end user decision to sign out and will not cache or otherwise retain an association between an end user who has signed out and any identity that is based on the results returned from the service.