1
votes

I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.

I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:

[image: permission request]

From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.

I get this:

[image: scp variable value]

I already tried to remove the app from the test user's applications (in their Azure Portal) to get it to ask again for consent, but it's still the same. Other test users also have the same result. What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.

2
Sorry for the images, but I don't have enough Stack Overflow reputation to post them. - J Flex
You need to acquire the token for the https://management.azure.com resource I think. That looks like an MS Graph API token. - juunas
Or with that full scope name if you are using v2 - juunas
How do you mean? I already have management.azure.com/user_impersonation in my scopes, you can also see it as the first permission on my first screenshot. Is there something I am missing? - J Flex
Somewhere in your code you acquire the access token. An access token is only valid for one API, and the one you are showing is an access token for MS Graph API. Thus it won't contain the scope for Azure Management API. So when you acquire the token, you need to specify that you want a token for the Azure Management API, and not MS Graph API. - juunas

2 Answers

2
votes

You need to acquire the access token for the https://management.azure.com resource. Or if using v2, request it for the https://management.azure.com/user_impersonation scope.

That looks like an MS Graph API token.

An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.

0
votes

It works now!

So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But you can ask for consent for both at the same time, though.

My flow is this now:

  1. I log the user in while asking him to consent to some permissions (for both APIs, and on first login only)
  2. I request a token in the background for the Graph API scopes
  3. I request a second token for the Azure Management API scopes
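The one-token-per-API rule from juunas's answer and the three-step flow above, as an added example that is not code from the question or either answer. It assumes an MSAL.js-style client with the `loginPopup` (including `extraScopesToConsent`) and `acquireTokenSilent` methods of `@azure/msal-browser`; a stub client and unsigned constructed tokens stand in for Azure AD here so the code runs offline, and the `aud`/`scp` checks mirror what the question inspected in the JWT debugger. The exact form of `aud` in a real token is not stated on this page, so the comparison only normalizes a trailing slash.

```javascript
// Added example, not code from the question or answers. Models the rule that an
// access token is valid for exactly one API: scopes are grouped by resource,
// consent is requested once for all of them, and one token is acquired per
// resource. The client interface mirrors @azure/msal-browser
// (loginPopup / acquireTokenSilent); a stub client stands in so this runs offline.

// Resource (API) that a v2 scope belongs to.
//   "https://management.azure.com/user_impersonation" -> "https://management.azure.com"
// Short Graph scopes such as "User.Read" default to Microsoft Graph.
function resourceOfScope(scope) {
  const m = scope.match(/^(https?:\/\/[^/]+)\//);
  return m ? m[1] : "https://graph.microsoft.com";
}

// One group per resource == one token request per resource.
function groupScopesByResource(scopes) {
  const groups = new Map();
  for (const s of scopes) {
    const r = resourceOfScope(s);
    if (!groups.has(r)) groups.set(r, []);
    groups.get(r).push(s);
  }
  return groups;
}

// Decode a JWT payload WITHOUT verifying the signature: this is the same kind
// of inspection as a JWT debugger, never a basis for an authorization decision.
function decodeJwtPayload(token) {
  const part = token.split(".")[1];
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// True only if the token is for `resource` (aud) AND lists `scopeName` in scp.
// A Graph token can never satisfy this for the Azure Management API, whatever
// the user consented to. Trailing slashes are normalized (assumption: the
// constructed tokens below use the bare resource URL as aud).
function tokenGrantsScope(token, resource, scopeName) {
  const claims = decodeJwtPayload(token);
  const norm = (u) => String(u).replace(/\/$/, "");
  const scp = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  return norm(claims.aud) === norm(resource) && scp.includes(scopeName);
}

// Step 1: one login prompt covering every resource (extraScopesToConsent).
// Steps 2..n: one silent token request per resource.
async function acquireTokensPerResource(client, scopes) {
  const groups = groupScopesByResource(scopes);
  const [first, ...rest] = [...groups.values()];
  const login = await client.loginPopup({ scopes: first, extraScopesToConsent: rest.flat() });
  const tokens = {};
  for (const [resource, group] of groups) {
    const res = await client.acquireTokenSilent({ scopes: group, account: login.account });
    tokens[resource] = res.accessToken;
  }
  return tokens;
}

// ---- offline stand-ins (constructed; not real Azure AD output) ----

// Unsigned "alg: none" token carrying just the two claims the question looked at.
function fakeJwt(aud, scp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ aud, scp })}.`;
}

// Stub client: like a real token service, it issues a token whose aud is the
// resource of the scopes requested, and carries only that resource's scopes.
const fakeClient = {
  async loginPopup() { return { account: { username: "user@example.com" } }; },
  async acquireTokenSilent({ scopes }) {
    const aud = resourceOfScope(scopes[0]);
    const scp = scopes.map((s) => s.replace(`${aud}/`, "")).join(" ");
    return { accessToken: fakeJwt(aud, scp) };
  },
};

const REQUESTED_SCOPES = [
  "https://management.azure.com/user_impersonation",
  "User.Read",
];

acquireTokensPerResource(fakeClient, REQUESTED_SCOPES).then((tokens) => {
  for (const [resource, token] of Object.entries(tokens)) {
    const { aud, scp } = decodeJwtPayload(token);
    console.log(`${resource}: aud=${aud} scp="${scp}"`);
  }
});
```

With a real `PublicClientApplication` passed as `client`, the same function yields one token whose `aud` is Microsoft Graph and a second whose `aud` is `https://management.azure.com` with `user_impersonation` in `scp`; the `user_impersonation` scope will never appear in the Graph token, which is what the question was seeing.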