2
votes

So I read that if you add .default at the end of a resource URI in a scope it would return us a proper v1 token. When setting the protectedResourceMap for MSAL what exactly should the scope be? 'https://management.azure.com/.default' doesn't seem to work. Nor does 'https://management.azure.com/user_impersonation'.

What is the proper way to set up the scope so that when requesting consent to our app they approve the Azure management APIs?

1
If you're looking for a resource URI, try https://management.core.windows.net/. – Rohit Saigal
@RohitSaigal management.core.windows.net is for classic deployed resources. All modern ARM based resources are at the new management.azure.com endpoint. Aren't they entirely different scopes? – Dana Epp
https://management.core.windows.net/ corresponds to the Windows Azure Service Management API. The reason I mentioned it for you was, I came across a sample on Microsoft Docs which talks about building a web app that asks the user to grant access to Azure Resource Manager, and for acquiring a token the sample uses the above mentioned resource URI. Here is the specific link: docs.microsoft.com/en-us/azure/azure-resource-manager/… Also take a look at the diagram at the top of this page. – Rohit Saigal

1 Answer

2
votes

Use two slashes like this:

https://management.core.windows.net//.default

"This is because the ARM API expects a slash in its audience claim (aud), and then there is a slash to separate the API name from the scope."

Source: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal

Here's a complete example:

using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// LINQPad "C# Program" entry point; async so the token request can be awaited
async Task Main()
{
    var tenantId = "<tenantId>";
    var clientId = "<clientId>";
    var clientSecret = "<clientSecret>";

    // Await the call, otherwise the Task object (not the result) would be printed
    var credentials = await GetCredentials(tenantId, clientId, clientSecret);
    Console.WriteLine(credentials);
}

// Client-credentials (daemon) flow: no user is involved, so the only scope
// that can be requested is the resource's /.default scope
public static async Task<AuthenticationResult> GetCredentials(string tenantId, string clientId, string clientSecret)
{
    string authority = $"https://login.microsoftonline.com/{tenantId}/";
    IConfidentialClientApplication app;
    app = ConfidentialClientApplicationBuilder.Create(clientId)
                                              .WithClientSecret(clientSecret)
                                              .WithAuthority(new Uri(authority))
                                              .Build();

    // Double slash: the resource URI itself ends in '/', and a second '/'
    // separates the resource from the .default scope name
    IEnumerable<string> scopes = new List<string>() { "https://management.core.windows.net//.default" };
    var result = await app.AcquireTokenForClient(scopes)
          .ExecuteAsync();
    return result;
}

[Screenshot of the AuthenticationResult object in LINQPad]

Sample code from here: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon
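As an added illustration of the quoted point (this is not part of the answer or of MSAL), the Python snippet below derives the audience that a /.default scope resolves to by stripping the final "/.default" separator, and compares it with the aud claim of a token. The token is constructed locally with an empty signature purely for inspection, and the helper names are my own.

```python
import base64
import json


def audience_from_scope(scope: str) -> str:
    """Derive the resource (audience) a v2 '/.default' scope refers to.

    The last '/' separates the API name from the scope, so everything before
    it is the resource URI. A resource whose URI ends in '/' therefore needs
    '//.default' to keep its trailing slash.
    """
    suffix = "/.default"
    if not scope.endswith(suffix):
        raise ValueError(f"not a /.default scope: {scope}")
    return scope[: -len(suffix)]


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload for inspection only (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_scope(token: str, scope: str) -> bool:
    """True when the token's aud claim is exactly the resource the scope names."""
    return decode_jwt_payload(token).get("aud") == audience_from_scope(scope)


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for the demo below."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample: the aud claim carries the trailing slash, as the answer describes
SAMPLE_TOKEN = make_unsigned_token({"aud": "https://management.core.windows.net/", "ver": "1.0"})

if __name__ == "__main__":
    for scope in ("https://management.core.windows.net/.default",
                  "https://management.core.windows.net//.default"):
        print(scope, "->", audience_from_scope(scope),
              "matches aud" if token_matches_scope(SAMPLE_TOKEN, scope) else "does NOT match aud")
```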