Microsoft-authentication-library-for-js: Failed to acquire token when using microsoft personal accounts

Created on 11 Jan 2021 · 3 Comments · Source: AzureAD/microsoft-authentication-library-for-js

Library

Framework

  • [x] React

Description

The login url is "https://login.microsoftonline.com/common/".
Works well and nothing happens when using an organization account (microsoft.com). But when using a Microsoft personal account (outlook.com or live.com), it fails to acquire a token (login succeeded). The required scopes are Azure Resource Management (https://management.core.windows.net//.default) and Graph API (https://graph.microsoft.com//.default).

Error Message

Silent acquire token failed: {"errorCode":"invalid_scope","errorMessage":"70011 - [2021-01-11 10:21:24Z]: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'https://management.core.windows.net//.default openid profile' does not exist.\r\nTrace ID: 73436aa3-42ad-401d-b7f5-e529e9721900\r\nCorrelation ID: 47b11ef0-40e9-4401-85d2-90a8cd3051b6\r\nTimestamp: 2021-01-11 10:21:24Z - Correlation ID: 47b11ef0-40e9-4401-85d2-90a8cd3051b6 - Trace ID: 73436aa3-42ad-401d-b7f5-e529e9721900","name":"ServerError"}

MSAL Configuration

// PublicClientApplication from @azure/msal-browser; the extra closing
// parentheses/braces in the original snippet have been removed
this._msal = new PublicClientApplication({
  auth: {
    clientId: clientId,
    // instance is e.g. "https://login.microsoftonline.com/"
    authority: instance + (tenantId || "common"),
    redirectUri: window.location.origin,
    postLogoutRedirectUri: window.location.origin,
  },
});

Reproduction steps

// account resolved from the redirect flow (AuthenticationResult | null)
const account = await this._handleRedirectPromise;
const request: SilentRequest = {
  scopes: params.scopes,
  account: account?.account ?? this._msal.getAllAccounts()[0],
  authority:
    this._appMetadata.environment.aadInstance + (params.tenant ?? "common"),
};
const result = await this._msal.acquireTokenSilent(request);

Expected behavior

successfully returns the token

Identity Provider

  • [x] Azure AD

Regression

Source

  • [x] Internal (Microsoft)

Labels: question

All 3 comments

@atvoid This is expected behavior, as Azure Resource Management scopes are not available to MSA accounts.

@jo-arroyo totally disagree. In msal 1.0 version, I can get a token for ARM by using an MSA account. If not, how do MSA users use Azure? It is ridiculous if we don't support it in 2.0

@atvoid Apologies, for ARM scopes, you will have to use login.microsoftonline.com/organizations instead of /common for MSA accounts. You will also have to enable MSA Passthrough in your application settings. Please try that and let me know if it works.
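
The authority selection described in the comment above, as an added example that is not code from the issue or from the MSAL library: it builds a SilentRequest-shaped object that sends ARM scopes for a personal (MSA) account to /organizations instead of /common, and recognises the AADSTS70011 invalid_scope error from the report so a caller can stop retrying silently. It assumes MSAL's AccountInfo shape (a tenantId field, or a homeAccountId of the form "<oid>.<tid>") and the well-known consumer tenant id; no MSAL calls are made.

```javascript
// Hypothetical helpers (not part of @azure/msal-browser); assumptions are marked.
const ARM_RESOURCE = "https://management.core.windows.net/";
// Assumption: the well-known Microsoft consumer (MSA) tenant id.
const MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";

// True for ARM scopes such as "https://management.core.windows.net//.default".
function isArmScope(scope) {
  return scope.toLowerCase().startsWith(ARM_RESOURCE.toLowerCase());
}

// Assumption: MSAL AccountInfo carries tenantId, or a homeAccountId "<oid>.<tid>".
function isConsumerAccount(account) {
  const fromHome = (account.homeAccountId || "").split(".").pop();
  const tenant = account.tenantId || fromHome || "";
  return tenant.toLowerCase() === MSA_TENANT_ID;
}

// Builds the request object for acquireTokenSilent. An explicit tenant wins;
// otherwise ARM scopes for an MSA account go to /organizations, all else to /common.
function buildSilentRequest(scopes, account, aadInstance, tenant) {
  let tenantSegment = tenant ?? "common";
  if (!tenant && isConsumerAccount(account) && scopes.some(isArmScope)) {
    tenantSegment = "organizations";
  }
  return { scopes, account, authority: aadInstance + tenantSegment };
}

// Classifies the ServerError from the report so the caller can surface it
// instead of looping on acquireTokenSilent with the same authority.
function classifyTokenError(err) {
  const msg = err.errorMessage || "";
  if (err.errorCode === "invalid_scope" && /AADSTS70011/.test(msg)) {
    return "scope-not-available-for-authority";
  }
  return "other";
}
```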
