1
votes

I'm trying to use MSAL with angular to query the list of tenants available to a user. I was previously successfully using adal.js.

This is the request URL: https://management.azure.com/tenants?api-version=2019-11-01
MSAL successfully injects a bearer token into the request.
However, I see the following error in www-authenticate:

www-authenticate: Bearer authorization_uri="https://login.windows.net/", error="invalid_token", error_description="Could not find identity for access token."

I'm a little confused by this error - login.windows.net appears to be part of a deprecated authentication flow.

I've got 'https://management.azure.com/', ['user_impersonation'] inside my protectedResourceMap.
I've tried setting the authority to https://login.microsoftonline.com/{tenantId} as well as the default. The clientId, tenant, etc, have not been changed from ADAL.

Any idea what's going wrong here?

1
If the answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. Tony Ju

1 Answer

0
votes

For adal (v1.0 endpoint), we need to use resource: https://management.azure.com. The authority URL is https://login.microsoftonline.com/{tenant}/oauth2/authorize.

For msal (v2.0 endpoint), we need to use scope: https://management.azure.com/user_impersonation. The authority URL is https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize.
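
The resource-to-scope change described in the answer above, as an added example (not code from the question or the answer): it builds the v2.0 scope string and checks a bearer token's `aud` and `scp` claims against what the API should receive. The function names, the `protectedResourceMap` shape (taken from the question's description) and the sample tokens are assumptions constructed for illustration.

```javascript
// Added example. All names here are illustrative, not part of MSAL or ADAL.
const ARM_RESOURCE = 'https://management.azure.com';
const ARM_PERMISSION = 'user_impersonation';

// ADAL (v1.0) requests a resource; MSAL (v2.0) requests "<resource>/<permission>".
function toV2Scope(resource, permission) {
  return resource.replace(/\/+$/, '') + '/' + permission;
}

// Map entry in the shape quoted in the question, with the v2.0 scope string.
const protectedResourceMap = [
  [ARM_RESOURCE + '/', [toV2Scope(ARM_RESOURCE, ARM_PERMISSION)]],
];

// Decode the JWT payload segment. No signature check: diagnostics only.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

// Return a list of mismatches between the token's claims and the target API.
function checkToken(token, resource, permission) {
  const claims = decodeJwtPayload(token);
  const norm = (u) => String(u || '').replace(/\/+$/, '').toLowerCase();
  const problems = [];
  if (norm(claims.aud) !== norm(resource)) {
    problems.push(`aud is "${claims.aud}", expected "${resource}"`);
  }
  const scopes = String(claims.scp || '').split(' ').filter(Boolean);
  if (!scopes.includes(permission)) {
    problems.push(`scp "${claims.scp}" lacks "${permission}"`);
  }
  return problems;
}

// Constructed sample tokens (unsigned, placeholder values), so this runs offline.
function makeSampleToken(claims) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(claims)}.sig`;
}
const goodToken = makeSampleToken({ aud: ARM_RESOURCE + '/', scp: 'user_impersonation' });
const otherToken = makeSampleToken({
  aud: '00000000-0000-0000-0000-000000000000', scp: 'User.Read' });

console.log(protectedResourceMap[0][1][0]);
console.log(checkToken(goodToken, ARM_RESOURCE, ARM_PERMISSION));
console.log(checkToken(otherToken, ARM_RESOURCE, ARM_PERMISSION));
```

To inspect a real request, pass the value after `Bearer ` from its Authorization header to `checkToken` in place of the sample tokens.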