@johnz Thank you for your feedback. We will investigate and update this thread further.
Hi @shashishailaj do you have any update on this?
@shashishailaj We got this issue as well and can't release the new feature based on it. Thanks for the help.
Thanks for raising this John, looks like it will be a problem for my team too. Appreciate updates on this @shashishailaj
Please help @shashishailaj, we have this problem too. Can you please advise the expected time of resolution?
Hello @johnz,
Thanks for reaching out.
I tracked the request based on the request ID that you shared and found that the application is a multitenant app and a user from a different tenant is trying to access the application. I tried to replicate the issue that you shared at my end, but I was able to get all the scopes mentioned in the request:
https://login.microsoftonline.com/**common**/oauth2/v2.0/authorize?client_id=98eb0e86-xxxx-xxxx-xxxx-f999e3828b75&response_type=code&redirect_uri=https://jwt.ms&response_mode=query&scope=offline_access+User.Read.All+Reports.Read.All+AuditLog.Read.All+Directory.Read.All+SecurityEvents.Read.All
```http
POST https://login.microsoftonline.com/{tenant2}.onmicrosoft.com/oauth2/v2.0/token

grant_type: authorization_code
code: OAQABAAIAAACQ....
client_id: 98eb0e86-xxxx-xxxx-xxxx-f999e3828b75
client_secret: **************
redirect_uri: https://jwt.ms
```
```http
POST https://login.microsoftonline.com/{tenant2}.onmicrosoft.com/oauth2/v2.0/token

grant_type: refresh_token
refresh_token: OAQABAAAAAACAA.....
client_id: 98eb0e86-xxxx-xxxx-xxxx-f999e3828b75
client_secret: **************
response_type: token
```
I tested by including Scopes in the request body as well and received all scopes in the token:
```http
grant_type: refresh_token
refresh_token: OAQABAAAAAACAA.....
client_id: 98eb0e86-xxxx-xxxx-xxxx-f999e3828b75
client_secret: **************
response_type: token
scope: profile openid email User.Read.All Reports.Read.All Directory.Read.All
```
I also tried to replicate the issue with a user from the same tenant where the application is registered and didn't encounter any issues with missing scopes in the token.
Could you please try these steps again and let me know if you are still facing this issue.
@amanmcse yes, this is a multi-tenant app; we are trying to support a different way to connect to the app. The scenario that doesn't work is:
App registered in tenant1.
Partner Center admin from tenant2 tries to access his customer's (tenant3) data using the app.
In this case the customer (tenant3) delegates administration privileges to the partner (tenant2).
https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
In the login step we specify the tenant3 ID in the login URL and use a tenant2 account to log in.
If you decode the access token you should see the idp (identity provider):
```json
"idp": "https://sts.windows.net/{tenant2}/"
"tid": "{tenant3}"
```
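Added example, not code from the issue thread or from Microsoft: a small Python script that builds the authorize and token requests shown in the two comments above and inspects the claims johnz describes (tid, idp, scp) to list which requested scopes are absent from the issued token. The tenant IDs, the client ID, the redirect URI and the token it decodes are constructed placeholders; the claim decoding does no signature verification, so it is a troubleshooting aid, not an authorization check.

```python
"""Added example (not from the issue thread): build the v2.0 authorize and
token requests discussed above and audit the resulting access token's
tid / idp / scp claims. All identifiers below are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholders (assumption: any GUID-shaped string behaves the same).
TENANT2 = "22222222-2222-2222-2222-222222222222"   # partner tenant, user's home
TENANT3 = "33333333-3333-3333-3333-333333333333"   # customer tenant in the login URL
CLIENT_ID = "98eb0e86-xxxx-xxxx-xxxx-f999e3828b75"
REQUESTED_SCOPES = [
    "offline_access", "User.Read.All", "Reports.Read.All",
    "AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All",
]


def authorize_url(tenant, client_id, redirect_uri, scopes):
    """Authorization-code request URL against a specific tenant (or 'common')."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(tenant, client_id, client_secret, *, code=None,
                  redirect_uri=None, refresh_token=None, scopes=None):
    """Return (url, form body) for the authorization_code or refresh_token grant.
    Passing scopes on the refresh_token grant mirrors the thread's second test."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri)
    elif refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need either code or refresh_token")
    if scopes:
        body["scope"] = " ".join(scopes)
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload only. No signature check: inspection, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def tenant_from_idp(idp):
    """'https://sts.windows.net/{guid}/' -> '{guid}'."""
    return idp.rstrip("/").rsplit("/", 1)[-1]


def audit_token(token, requested_scopes, expected_tid):
    """Compare the token's tenant claims and scp against what was requested."""
    claims = jwt_claims(token)
    tid = claims.get("tid")
    # Without an idp claim the user authenticated in the token's own tenant.
    idp_tenant = tenant_from_idp(claims["idp"]) if "idp" in claims else tid
    granted = set(claims.get("scp", "").split())
    # Assumption: offline_access is consumed by the refresh token and is not
    # echoed in scp, so it is not counted as a missing scope.
    wanted = set(requested_scopes) - {"offline_access"}
    return {
        "tid": tid,
        "idp_tenant": idp_tenant,
        "cross_tenant": idp_tenant != tid,
        "tid_as_expected": tid == expected_tid,
        "missing_scopes": sorted(wanted - granted),
    }


def make_unsigned_token(claims):
    """Constructed test token with an empty signature; never accept such a token."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed token with the claim shape from the thread: user signed in from
# tenant2 (idp) against the tenant3 endpoint (tid), with some scopes absent.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": TENANT3,
    "idp": f"https://sts.windows.net/{TENANT2}/",
    "scp": "User.Read.All Reports.Read.All",
})

if __name__ == "__main__":
    print(authorize_url(TENANT3, CLIENT_ID, "https://jwt.ms", REQUESTED_SCOPES))
    print(json.dumps(audit_token(SAMPLE_TOKEN, REQUESTED_SCOPES, TENANT3), indent=2))
```

Run against a real token pasted from jwt.ms, `audit_token` reports `cross_tenant: true` exactly when idp and tid point at different tenants, which is the delegated-admin case in the comment above, and lists the requested permissions that did not make it into scp.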
@johnz As per what you have mentioned, I have some doubts about the technical feasibility of your request, and hence this may need deep troubleshooting to assess the same. Please send us an email at azcommunity[at]microsoft[dot]com and we will help you with alternate support options to see the feasibility of the same. We will close this issue for now and will continue to work with you offline on this. Please do send us an email and we will continue this further.
Thank you.