AADSTS500011 , inserting scope in azure authentication returns error
I am currently trying to verify an access token generated using msal python.
I created my ConfidentialClientApplication like this
app = ConfidentialClientApplication(
"<client_id>", #client id
authority="https://login.microsoftonline.com/<tenant_iD>",
client_credential="<client_secret>",
token_cache=cache)
Then i try to create my access token like this
result = app.acquire_token_for_client(scopes=["<scope>/.default"])
The scope has been exposed on azure portal under "Expose an API" for the resource and has been added by the client under the "API permissions".
if i do not include the scope name , Tokens are generated just fine.
However, I looked at other examples and i notice some people use their scope together with the scope name
eg : api://<application_uri>/USER.READ as opposed to just the application uri like api://<application_uri>
When i use api://<application_uri>/USER.READ in the scope, i get this error instead
{'error': 'invalid_resource', 'error_description': 'AADSTS500011: The resource principal named api://<application_uri>/USER.READWRITE was not found in the tenant named <tenant name>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 64697571-81b1-4d6c-bd61-fa69c7c97700\r\nCorrelation ID: 3bbc9c0f-39d1-4ca3-b15e-918a10391924\r\nTimestamp: 2023-05-02 07:30:44Z', 'error_codes': [500011], 'timestamp': '2023-05-02 07:30:44Z', 'trace_id': '64697571-81b1-4d6c-bd61-fa69c7c97700', 'correlation_id': '3bbc9c0f-39d1-4ca3-b15e-918a10391924', 'error_uri': 'https://login.microsoftonline.com/error?code=500011'}
cache <msal.token_cache.SerializableTokenCache object at 0x000001946C97FFD0>
I have been trying to look for answers for weeks now, anyone can help?
Note that: Client Credentials flow requires Application API permissions. Delegated API permissions are passed while using user interactive flow such as Authorization Code flow etc.
While using Client Credentials flow you have to make use of /.default or when using v1 endpoint use api://ClientID.
The error AADSTS500011 usually occurs if you are passing invalid resource like below:
resource: api://ClientID/user.read
I created an Azure AD Application and added API permissions like below:
When expose an API is done and added scope it is taken as delegated API permission.
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
client_secret:ClientSecret
resource:api://ID
grant_type:client_credentials
When I decoded the token, the aud is api://xxx but scope isn't displayed as delegated API permission been passed in Client Credential flow:
Hence, to resolve the issue create App roles like below:
Add the App role to the API permissions blade like below:
I generated the access token in Postman via Client Credential flow:
resource: api://ClientID
When I decoded the token, the app role is successfully displayed like below:
- I generated access token using Authorization code flow like below:
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
grant_type:authorization_code
scope:api://xxx/User.Read
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
When I decoded the token, the delegated scope displayed successfully like below:
Reference:
MSAL Python 1.22.0 documentation (msal-python.readthedocs.io)
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs