I have a Web API application working via Azure Active Directory.

I can get the information of all the users in Active Directory like this:

```csharp
// Requires: using Microsoft.Identity.Client; using System.Net.Http; using System.Net.Http.Headers;
var app = ConfidentialClientApplicationBuilder.CreateWithApplicationOptions(_applicationOptions).Build();
string[] scopes = { "https://graph.microsoft.com/.default" };

AuthenticationResult result = null;
try
{
    result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
}
catch (MsalServiceException ex)
{
    // Case when ex.Message contains:
    // AADSTS70011 Invalid scope. The scope has to be of the form "https://resourceUrl/.default"
    // Mitigation: change the scope to be as expected
    throw; // without a token, result stays null and the code below would throw NullReferenceException
}

// use the default permissions assigned from within the Azure AD app registration portal
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.GetAsync("https://graph.microsoft.com/v1.0/users");
string content = await response.Content.ReadAsStringAsync();
```

But if I try to get tenants by calling

https://management.azure.com/tenants?api-version=2019-06-01

I receive an AuthenticationFailed error.

I guess this is because my AccessToken doesn't have the necessary scopes.

How can I fix it?

1 Answer

You are getting an access token for MS Graph API, not Azure Management API.

Use the following scope:

https://management.core.windows.net/.default

Docs: https://learn.microsoft.com/en-us/rest/api/azure/#authorization-code-grant-interactive-clients
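
A way to confirm the audience mismatch described in this answer, as an added example that is not part of the original post: decode the access token's `aud` claim and compare it with the resource named in the scope before calling the API. The class and method names are hypothetical, the sample token is constructed and unsigned, and the check assumes the `aud` claim carries the resource URI that precedes `/.default`.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenAudienceCheck
{
    // Returns the "aud" claim from a JWT payload WITHOUT validating the signature.
    // Debugging aid only; never use it to make trust decisions.
    public static string GetAudience(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected a compact JWT with three segments.");

        // base64url -> base64, restoring the stripped padding
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));

        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement aud = doc.RootElement.GetProperty("aud");
        return aud.ValueKind == JsonValueKind.String ? aud.GetString() : aud.GetRawText();
    }

    // True when the token's audience is the resource in front of "/.default" (assumption).
    public static bool IsIssuedFor(string jwt, string scope)
    {
        string resource = scope.Replace("/.default", "").TrimEnd('/');
        return string.Equals(GetAudience(jwt).TrimEnd('/'), resource,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Helper used only to build the constructed sample token below.
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
               .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed, unsigned sample token whose audience is Microsoft Graph.
        string token = B64Url("{\"alg\":\"none\"}") + "."
                     + B64Url("{\"aud\":\"https://graph.microsoft.com\"}") + ".sig";

        Console.WriteLine(GetAudience(token));
        Console.WriteLine(IsIssuedFor(token, "https://graph.microsoft.com/.default"));
        Console.WriteLine(IsIssuedFor(token, "https://management.core.windows.net/.default"));
    }
}
```

In the question's code, passing `result.AccessToken` to `IsIssuedFor` with the scope of the API about to be called shows the mismatch before the request is sent.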
