0
votes

I'm building a CLI app for provisioning Azure resources. Previously I was using the authorization code flow with the resource set to https://management.azure.com/. Now I would like to switch to using the RFC 8628 device authorization grant type (Azure documentation). I can successfully log in with scopes like openid profile. However, when I use a scope like https://management.azure.com I get an error:

{
  "error": "invalid_scope",
  "error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid https://management.azure.com/ is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.\r\n[..]",
  "error_codes": [70011],
}

I'm sending a POST request with a body like client_id=<client-id>&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default to https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode. With these scopes I can log in just fine, but any subsequent requests to Azure resource management APIs (for example, to DELETE a resource group) fail with 401 Unauthorized.

1
Can you try with 41094075-9dad-400e-a0bd-54e686782033 as the scope id? - Gaurav Mantri
Or try with https://management.azure.com/.default. - Gaurav Mantri
I did try with https://management.azure.com/.default already; that also didn't work. - djc
I tried with 41094075-9dad-400e-a0bd-54e686782033 and it failed in a different way: "AADSTS65002: Consent between first party applications and resources must be configured via preauthorization. Visit identitydocs.azurewebsites.net/static/aad/preauthorization.html for details". Unfortunately I cannot open that documentation URL ("Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'ad9c3e97-0ae9-4928-a97d-63a69f873726' in that tenant."). - djc
Could you show the doc you are referring to? And your sample request? - Joy Wang

1 Answer

1
votes

If you want to use the device code flow to access Azure resources, follow the steps below.

1. Navigate to your AD App in Azure Active Directory in the portal -> API permissions -> Add a permission -> select Azure Service Management API -> select user_impersonation.


2. Navigate to the subscription in the portal -> Access control (IAM) and make sure the user account used to log in has a role, e.g. Contributor, on the subscription. If not, assign the user a role on the subscription by following this doc.


3. In Postman, use the request below.

Request URL:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode

Request Body:

client_id=<client-id>
scope=https://management.azure.com/user_impersonation


In the browser, navigate to https://microsoft.com/devicelogin, enter the code and sign in with your user account; the app will ask you to consent to the permission, click Accept.


4. After logging in successfully, in Postman, use the request below.

Request URL:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

Request Body:

grant_type: urn:ietf:params:oauth:grant-type:device_code
client_id: <client-id>
device_code: <device_code from the response in step 3>


5. Use the access_token from step 4 to call the Azure REST API, e.g. Resource Groups - List; it works fine.


For more details, you can refer to Microsoft identity platform and the OAuth 2.0 device authorization grant flow.


Besides, to consent to the permission successfully in step 3, make sure the setting below (Azure AD -> Enterprise applications -> User settings -> Users can consent to apps accessing company data on their behalf) in your tenant is set to Yes; otherwise, you need to have your admin click the Grant admin consent for xxxx button in step 1.

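The answer's steps 3 to 5 as one runnable CLI flow, written here as an added example (it is not code from the question or the answer). It assumes the app registration already has the Azure Service Management user_impersonation delegated permission and that the signed-in user has an RBAC role on the subscription, as in steps 1 and 2. The HTTP transport is a plain stdlib function that is injected into each step, so the same code can be driven offline by a scripted fake; the tenant, client id, subscription id and the 2021-04-01 ARM api-version are placeholders or assumptions to confirm against your own setup. Beyond the answer, it also shows the part a CLI has to get right on its own: checking the scope shape that AADSTS70011 complains about before sending it, and the RFC 8628 section 3.5 polling rules (keep polling on authorization_pending, back off by five seconds on slow_down, stop on any other error or when the code expires).

```python
"""Azure AD v2.0 device authorization grant (RFC 8628) for a CLI, end to end.

Added example, not code from the original post. Assumes the app has the Azure
Service Management 'user_impersonation' delegated permission and the user has an
RBAC role (e.g. Contributor) on the subscription. The HTTP transport is injected
so the flow can be exercised offline with a scripted fake.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"
ARM_SCOPE = f"{ARM}/user_impersonation"      # f"{ARM}/.default" also works
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def check_scope(scope):
    """Refuse the shape AAD v2.0 rejects with AADSTS70011: every resource scope
    must be '<resource>/<permission>', so a bare 'https://management.azure.com/'
    never leaves the client."""
    for s in scope.split():
        if s in OIDC_SCOPES:
            continue
        p = urllib.parse.urlsplit(s)
        if p.netloc:                             # URI form: https://host/permission
            ok = p.path.strip("/") != ""
        else:                                    # GUID form: <app-id>/permission
            resource, _, permission = s.partition("/")
            ok = bool(resource) and bool(permission)
        if not ok:
            raise ValueError(f"scope {s!r} is not of the form <resource>/<permission>")
    return scope


def http_json(method, url, data=None, headers=None):
    """Minimal stdlib transport returning (status, parsed JSON body). AAD sends its
    error objects (including authorization_pending) with HTTP 400, so read those too."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, json.loads(raw) if raw else {}


def start_device_flow(http, tenant, client_id, scope=ARM_SCOPE):
    """Step 3: POST /devicecode and return the user_code / device_code response."""
    _, body = http("POST", f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode",
                   {"client_id": client_id, "scope": check_scope(scope)})
    if "error" in body:
        raise RuntimeError(body.get("error_description", body["error"]))
    return body   # device_code, user_code, verification_uri, interval, expires_in, message


def poll_for_token(http, tenant, client_id, device, sleep=time.sleep, clock=time.monotonic):
    """Step 4: poll /token with the device_code following RFC 8628 section 3.5."""
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device["device_code"]}
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device.get("expires_in", 900))
    while clock() < deadline:
        _, body = http("POST", f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form)
        err = body.get("error")
        if err is None:
            return body["access_token"]
        if err == "slow_down":
            interval += 5                        # server asked us to back off
        elif err != "authorization_pending":     # expired_token, authorization_declined, ...
            raise RuntimeError(f"{err}: {body.get('error_description', '')}")
        sleep(interval)
    raise TimeoutError("device code expired before the user finished signing in")


def list_resource_groups(http, subscription_id, access_token):
    """Step 5: call ARM with the token. A 401 here is the symptom from the question:
    the token was issued for a different resource than management.azure.com."""
    status, body = http(
        "GET", f"{ARM}/subscriptions/{subscription_id}/resourcegroups?api-version=2021-04-01",
        None, {"Authorization": f"Bearer {access_token}"})
    if status == 401:
        raise PermissionError("token not accepted by ARM: check the scope it was issued for")
    if status != 200:
        raise RuntimeError(f"ARM returned {status}: {body}")
    return [g["name"] for g in body["value"]]


if __name__ == "__main__":                       # interactive use with the real transport
    import sys
    tenant, client_id, subscription = sys.argv[1:4]   # supplied by the operator
    dev = start_device_flow(http_json, tenant, client_id)
    print(dev["message"])                        # tells the user where to enter the code
    token = poll_for_token(http_json, tenant, client_id, dev)
    print(list_resource_groups(http_json, subscription, token))
```

Run it as `python devicecode.py <tenant-id> <client-id> <subscription-id>`; the printed message is the one from the devicecode response that points the user at https://microsoft.com/devicelogin. The transport is injected rather than imported so that the polling logic, which is where most hand-written device-code clients go wrong, can be tested without a tenant.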