1
votes

I am developing an Azure multi-tenant application that uses scopes from the Microsoft Graph API and the Windows Azure Active Directory resources. We are using the v1 OpenID auth code flow.

Recently we added a few more requested scopes to the Microsoft Graph API and prompted users to reauth using prompt=admin_consent and resource=https://graph.microsoft.com on our /common/oauth2/token exchange.

When the user is prompted to accept scopes again, you can see the newly requested scopes, and the call seems to complete successfully: we receive a new access_token.

However, the scopes that come back in the response AND the embedded JWT claim for scopes only list a small subset of the requested scopes, and they also only seem to be from one of the resources (Windows Azure Active Directory).

We are receiving 403s for the new scopes, so I do not think it is an issue of not correctly populating those scope fields.

Does anyone know why the auth flow would not return a token with the newly requested scopes?

Here is a list of my requested scopes:

Windows Azure Active Directory

  • Read and write directory data (Application)
  • Access the directory as the signed-in user (Delegated)
  • Read and write directory data (Delegated)
  • Sign in and read user profile (Delegated)

Microsoft Graph

  • Read and write calendars in all mailboxes (Application) (NEW)
  • Read and write all users' full profiles (Application)
  • Read and write directory data (Application)
  • Send mail as any user (Application) (NEW)

[Screenshot: Scopes Accept Page]

Thanks!

1
When you request the ID Token, are you requesting a specific resource or leaving it blank? Did you have an Administrator go through the Admin Consent flow before testing with a normal user? - Marc LaFleur

We don't specify a resource on /common/oauth2/authorize, but we do send resource=https://graph.microsoft.com (if not specified we get a 400 from the endpoint) on the /common/oauth2/token call. Yes, we have users reauth using prompt=admin_consent on next login. - keystone

prompt=admin_consent forces the Admin Consent flow; prompt=consent is used to force User Consent. They are different things. Have you tried prompt=consent? - Marc LaFleur

If I am requesting application scopes, in order to use them offline, I would want the admin to accept those scopes, correct? - keystone

I attempted prompt=consent instead of prompt=admin_consent. No difference in the original problem. The new scopes are still not present in the response body nor the JWT token. - keystone

1 Answer

1
votes

When you make a token request against AAD v1 by specifying a specific resource, the access token returned will contain only the scopes required to access that specific resource. The details and an example of the protocol are documented here.

Therefore, if you need to access two resources, you will need to request an access token for each of them, and the corresponding tokens will contain the scopes specific to that resource.

In this case, if the AAD Graph scopes are available in MS Graph, you can consolidate them under the MS Graph and request a single token for MS Graph. During the auth flow, you can control which of these scopes you want to request consent for by specifying them in the scope field of the auth request as mentioned in the description of the parameter here.
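The one-token-per-resource behaviour described in this answer, as an added example that is not part of the question or the answer: the helper builds a separate v1 authorization-code exchange for each `resource`, and then inspects the access token that comes back, checking that its `aud` claim matches the resource you asked for and that the permissions you expect are actually present. The tokens here are constructed, unsigned samples for offline use; the permission identifiers (`Calendars.ReadWrite`, `Mail.Send`, `Directory.ReadWrite.All`, and so on) are my mapping of the display names listed in the question, and the convention that application permissions granted through admin consent appear in the `roles` claim while delegated permissions appear in `scp` is a fact about AAD tokens rather than something the answer states. Client id, secret, code and redirect URI are placeholders.

```python
"""Added example (not the asker's or answerer's code): request one AAD v1 token
per resource and check which permissions each returned token really carries."""
import base64
import json
from urllib.parse import urlencode

# v1 endpoint used in the question (tenant "common", as in the question).
V1_TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"


def build_v1_token_request(client_id, client_secret, code, redirect_uri, resource):
    """Return (url, urlencoded body) for an AAD v1 authorization-code exchange.

    The returned token is scoped to `resource` only, so this is called once per
    resource you need (AAD Graph and MS Graph each get their own token)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }
    return V1_TOKEN_ENDPOINT, urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWS without verifying the signature.

    Fine for inspecting a token you just received from the token endpoint over
    TLS; never use unverified claims to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Delegated permissions are in 'scp' (space separated string); application
    permissions granted via admin consent are in 'roles' (list of strings)."""
    return {
        "aud": claims.get("aud"),
        "delegated": set(claims.get("scp", "").split()),
        "application": set(claims.get("roles", [])),
    }


def missing_permissions(token, resource, expected):
    """Return the expected permissions this token does NOT carry for `resource`.

    A token issued for a different audience is useless against `resource`, so in
    that case every expected permission is reported missing."""
    perms = granted_permissions(jwt_claims(token))
    if perms["aud"] != resource:
        return set(expected)
    return set(expected) - perms["delegated"] - perms["application"]


def _fake_token(payload):
    # Constructed, unsigned token for the offline demo only (alg "none", empty sig).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


# Constructed sample tokens, one per resource, mirroring the answer's point.
AAD_GRAPH_TOKEN = _fake_token({
    "aud": "https://graph.windows.net",
    "scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.Read",
    "roles": ["Directory.ReadWrite.All"],
})
MS_GRAPH_TOKEN = _fake_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Directory.ReadWrite.All", "User.ReadWrite.All",
              "Calendars.ReadWrite", "Mail.Send"],
})

if __name__ == "__main__":
    # Placeholder credentials; in a real flow each `code` comes from /authorize.
    wanted = {
        "https://graph.windows.net": {"Directory.ReadWrite.All", "User.Read"},
        "https://graph.microsoft.com": {"Calendars.ReadWrite", "Mail.Send"},
    }
    sample = {"https://graph.windows.net": AAD_GRAPH_TOKEN,
              "https://graph.microsoft.com": MS_GRAPH_TOKEN}
    for resource, expected in wanted.items():
        url, body = build_v1_token_request("<client-id>", "<client-secret>",
                                           "<auth-code>", "https://app.example/cb",
                                           resource)
        print("POST", url, "with", body)
        print("  missing for", resource, "->", missing_permissions(sample[resource], resource, expected))
```

Running this against real tokens is the quickest way to see the answer's point in practice: the token returned for `resource=https://graph.microsoft.com` will have `aud` set to that resource and carry only MS Graph permissions, and checking the AAD Graph token for an MS Graph permission reports it missing because the audience does not match, not because consent failed.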