Our system needs to access resources in Azure, and so in our current authentication code we have support for ADAL that works well for this purpose.
Now that MSAL is replacing ADAL, we would like to preemptively add support for it. We are now creating a function that generates an oauth2 access_token using MSAL instead of ADAL.
We have followed the migration guide, but there is one issue that we don't find an answer to.
When using ADAL, we would supply a resource_id containing an ID that would identify the system we are talking about. Usually this resource_id was copied from Azure portal.
In MSAL there is no resource_id; instead we are supposed to use a list of scopes. If we naively use the existing resource_id as a scope like this:
resource_id = "XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX"
scopes = [ resource_id ]
We get the following error:
Error fetching MSAL token (invalid_scope):
AADSTS70011: The provided request must include a 'scope' input parameter.
The provided value for the input parameter 'scope' is not valid.
The scope XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX is not valid.
E Trace ID: XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX
E Correlation ID: XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX
E Timestamp: 2020-03-05 09:36:03Z
So the question is, what is the proper way to prepare a resource ID of the form XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX as a valid scope for MSAL?
EDIT: The answer to this question was tested and used in a small Python package called requests_ms_auth, which simplifies authenticating with Azure using Requests and is also available as a PyPI package.