Question: Clarification on communicating with multiple APIs and OBO tokens (esp. management.azure.com)
Context: I’m successfully using MSAL to authenticate users against an AD app in an Azure AD. I have a CCA talking to `https://login.microsoftonline.com/<tenant>` and performing `AcquireTokenOnBehalfOfAsync`, giving me a valid OBO token which works as authorization against graph.windows.net.
Note: Some of this question may be better aimed at the Azure team, but I hope I can get some response as to whether my expectations are correct.
Question: My goal is to use an OBO token to communicate with the Azure resource graph via management.azure.com.
In the Azure portal I can add Azure management API `user_impersonation` as a scope to my application like so:
This is desirable because I want to be able to talk to management.azure.com.
What I do not understand is how to actually consume this API:
- The portal divides scopes by API, and I’m not sure what this actually means. For example, when acquiring an OBO token, I cannot just add `user_impersonation` as a scope since it does not work.
- Should I be using an additional CCA to establish communication with management.azure.com? (wherein `user_impersonation` will be an acceptable scope?)
- Am I correct in assuming that OBO tokens (or any tokens for that matter) are scoped by API?
Additionally:
- Is `user_impersonation` really what I want in this instance? This permission is in preview and the documentation doesn’t really explain a lot about it. Is it a good thing to be using or is it, for example, in preview because it’s a legacy compatibility measure or something?
TLDR: How do I use MSAL to get valid tokens across multiple APIs (e.g. management.azure.com especially) and how does OBO work in this situation? Are OBO tokens API scoped?
Issue Analytics
- Created 4 years ago
- Comments: 8 (4 by maintainers)
Top GitHub Comments
@jmprieur thanks for all your help, I have this flow working properly and the samples you’ve linked to were extremely useful
This is the expected behavior, @DavidR91 : the Microsoft identity platform (formerly Azure AD) v2.0 endpoint allows you to get tokens for only one resource, and here you have two (Graph and ARM). Something you could try is preconsent when you start your Web App (assuming this is a Web App), by adding a bunch of options.Scopes.Add() somewhere like here: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/c34fac62333c3eaac90a9699bdeb16543dd36220/Microsoft.Identity.Web/StartupHelpers.cs#L43
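The maintainer's point above, that each resource (Graph, ARM) needs its own OBO exchange, as an added example in Python that is not code from the issue or from MSAL itself: it maps each downstream API to its own scope set, runs the exchange once per API through an injected callable, and checks the returned token's `aud` claim before handing it out, so a Graph token is never attached to a management.azure.com call. The scope strings, the audience values and the stand-in token service are assumptions for an offline demo; in a real app the callable would wrap the MSAL confidential client.

```python
import base64
import json
from typing import Callable, Dict, List

# Scopes belong to exactly one resource, so the OBO flow runs once per
# resource. Resource-qualified v2.0 scope strings assumed for illustration.
RESOURCE_SCOPES: Dict[str, List[str]] = {
    "https://graph.windows.net": ["https://graph.windows.net/.default"],
    "https://management.azure.com": ["https://management.azure.com/user_impersonation"],
}

def _jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Only for inspecting
    a token received from the token service; the downstream API verifies it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def acquire_for_resource(resource: str, user_assertion: str,
                         obo: Callable[[List[str], str], str]) -> str:
    """Run the OBO exchange for one resource and refuse to return a token whose
    audience is not that resource. `obo(scopes, assertion)` does the real
    exchange, e.g. msal.ConfidentialClientApplication(...)
    .acquire_token_on_behalf_of(assertion, scopes)["access_token"].
    The expected `aud` value is assumed to equal the resource URI."""
    scopes = RESOURCE_SCOPES[resource]
    token = obo(scopes, user_assertion)
    aud = _jwt_claims(token).get("aud")
    if aud != resource:
        raise ValueError(f"token audience {aud!r} is not {resource!r}; refusing to use it")
    return token

def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT (header.payload.sig) for the offline demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def _fake_obo(scopes: List[str], assertion: str) -> str:
    """Stand-in token service: audience is the resource part of the scope."""
    resource, permission = scopes[0].rsplit("/", 1)
    return _fake_jwt({"aud": resource, "scp": permission})

if __name__ == "__main__":
    incoming = _fake_jwt({"aud": "api://my-web-api"})  # constructed inbound token
    for res in RESOURCE_SCOPES:                        # one exchange per API
        print(res, "->", _jwt_claims(acquire_for_resource(res, incoming, _fake_obo)))
```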