1
votes

I am creating a web app (JavaScript/HTML) that enables me to manage Azure resources on a user's behalf. I want to use MSAL to log in a user and obtain an access token for the Azure Resource Manager. Is this possible? When I try the code below, the popup is restricted to work/school logins (I want it to be accessible to all accounts) and fails when I use a work email, stating the app is not supported for your organization _____ because it is in an unmanaged state.

Here is what I do:

I create a MSAL object.

    var myMSALObj = new Msal.UserAgentApplication(applicationConfig.clientID, applicationConfig.authority, acquireTokenRedirectCallBack,
        {storeAuthStateInCookie: true, cacheLocation: "localStorage"});

I then call loginPopup and pass in management.azure.com as the scope.

    myMSALObj.loginPopup("https://management.azure.com/.default")
        .then(function (idToken) {
            myMSALObj.acquireTokenSilent("https://management.azure.com/.default")
        })

Note: I also tried setting the scope to: https://management.azure.com/user_impersonation.

I have registered an Azure app and the manifest specifies requiredResourceAccess to include Azure Service Management and "signInAudience" is set to "AzureADandPersonalMicrosoftAccount".

How do I use MSAL login with a scope that requests access to azure resources?

1 Answer

0
votes

I want to use MSAL to login a user and obtain an access token for the Azure Resource Manager. Is this possible?

Yes, it is possible.

How do I use MSAL login with a scope that requests access to azure resources?

The scope https://management.azure.com/.default is correct. Make sure the authority is https://login.microsoftonline.com/common. I think you might have missed something when you registered the application. You can refer to this document to check again.

Update

Here are the detailed steps for your reference.

1. Click App registrations (Preview) -> New registration.

2. Click Authentication -> check Access tokens and ID tokens.

3.Update your code with this client id.

    var applicationConfig = {
        clientID: '2ac327fd-4803-4ed3-****31fc8dfbbf18', // Application (client) ID from your app registration
        authority: "https://login.microsoftonline.com/common", // "common" admits work/school and personal accounts
        scopes: ["https://management.azure.com/.default"] // Azure Resource Manager scope
    };

    // acquireTokenRedirectCallBack is the callback MSAL 0.x invokes for the
    // redirect flows; it is not used by the popup flow below.
    var myMSALObj = new Msal.UserAgentApplication(applicationConfig.clientID, applicationConfig.authority, acquireTokenRedirectCallBack,
        { storeAuthStateInCookie: true, cacheLocation: "localStorage" });

    function signIn() {
        // Request the ARM scope at login so the user consents to it once
        myMSALObj.loginPopup(applicationConfig.scopes).then(function (idToken) {
            // Login success. showWelcomeMessage and acquireTokenPopupAndCallMSGraph
            // are the sample's own helpers, defined elsewhere on the page.
            showWelcomeMessage();
            acquireTokenPopupAndCallMSGraph();
        }, function (error) {
            console.log(error);
        });
    }

Now you will be able to log in with work and school accounts from Azure AD and with personal accounts.
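The answer covers registration and the login call but not what happens next: the silent token request can fail with an interaction-required error after login, and the token you end up with should be checked for the ARM audience before it is sent anywhere. The following is an added example, not code from the question or the answer. It assumes MSAL.js 0.x in the browser (where `acquireTokenSilent()` and `acquireTokenPopup()` resolve to the raw access token string), and it injects the MSAL object and `fetch` so the flow can be exercised without a network. The sample tokens are constructed, unsigned JWTs; the audience values and error codes it checks are stated as assumptions in the comments.

```javascript
// Added example, not code from the original question or answer. Assumes
// MSAL.js 0.x in the browser, where acquireTokenSilent()/acquireTokenPopup()
// resolve to the raw access token string. msalApp and fetchImpl are injected
// so the flow can be exercised without a network.

const ARM_SCOPES = ["https://management.azure.com/.default"];
const ARM_SUBSCRIPTIONS_URL =
  "https://management.azure.com/subscriptions?api-version=2020-01-01";

// --- base64url helpers that work in Node and in the browser ---
function toBase64Url(str) {
  const b64 = typeof btoa === "function"
    ? btoa(str)
    : Buffer.from(str, "utf8").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("utf8");
}

// Decode JWT claims without verifying the signature: the client only inspects
// claims to pick the right token, ARM verifies the signature on its side.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(fromBase64Url(parts[1]));
}

// Constructed sample tokens (fake signature): one minted for ARM and one for
// Microsoft Graph, to show that the audience check is what keeps them apart.
function makeUnsignedJwt(claims) {
  const header = toBase64Url(JSON.stringify({ alg: "none", typ: "JWT" }));
  return header + "." + toBase64Url(JSON.stringify(claims)) + ".fakesig";
}
const SAMPLE_ARM_TOKEN = makeUnsignedJwt({
  aud: "https://management.azure.com/", scp: "user_impersonation", exp: 4102444800,
});
const SAMPLE_GRAPH_TOKEN = makeUnsignedJwt({
  aud: "https://graph.microsoft.com", scp: "User.Read", exp: 4102444800,
});

// Assumption: ARM access tokens carry aud "https://management.azure.com" (with
// or without a trailing slash) or the legacy "https://management.core.windows.net",
// and delegated access appears as scp containing user_impersonation.
function isArmToken(token) {
  const claims = decodeJwtPayload(token);
  const aud = String(claims.aud || "").replace(/\/$/, "");
  const audOk = aud === "https://management.azure.com"
    || aud === "https://management.core.windows.net";
  const scp = String(claims.scp || "").split(" ");
  return audOk && scp.includes("user_impersonation");
}

// MSAL 0.x rejects acquireTokenSilent() with strings such as
// "interaction_required|..."; MSAL 1.x rejects with an error object carrying
// errorCode. Assumption: any of these codes means an interactive call is needed.
function needsInteraction(err) {
  const code = (err && err.errorCode) || String(err);
  return /interaction_required|consent_required|login_required|user_login_error/.test(code);
}

// Silent first; open the popup only when the library says the user must act.
// Any other failure (network, misconfiguration) is surfaced, not hidden behind a popup.
async function acquireArmToken(msalApp, scopes = ARM_SCOPES) {
  try {
    return await msalApp.acquireTokenSilent(scopes);
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    return msalApp.acquireTokenPopup(scopes);
  }
}

// List subscriptions with the bearer token, refusing tokens minted for another
// resource so a cached Graph token is never sent to ARM.
async function listSubscriptions(token, fetchImpl = fetch) {
  if (!isArmToken(token)) {
    throw new Error("access token is not for Azure Resource Manager");
  }
  const res = await fetchImpl(ARM_SUBSCRIPTIONS_URL, {
    headers: { Authorization: "Bearer " + token },
  });
  if (!res.ok) throw new Error("ARM returned HTTP " + res.status);
  return (await res.json()).value;
}

// Browser usage once Msal 0.x is loaded and myMSALObj is constructed as in the answer:
//   acquireArmToken(myMSALObj).then(listSubscriptions).then(console.log);
```

The audience check is the part worth keeping even if the rest is replaced: with `cacheLocation: "localStorage"` and several resources in play, the token MSAL hands back is whichever matched the requested scopes, and a token for `graph.microsoft.com` presented to `management.azure.com` fails with 401 in a way that looks like a login problem rather than a scope mix-up.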