How to get JWT from Microsoft Entra ID with an API scope when doing implicit flow?
There is an App Registration in Azure where the client id is 00001111-aaaa-2222-bbbb-3333cccc4444 and a scope is api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user and a redirect URI is https://jwt.ms. What would be the browser openable URL that redirects to https://jwt.ms and shows JWT with scope on it?
If one uses the Azure CLI, the commands would be something like
az login --scope api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user
az account get-access-token --resource "api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473" --scope "api://3f4c1d35-3161-4c45-b5ec-ff7be4e89473/access_as_user" --query accessToken
if one uses following URL
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&response_type=id_token
&redirect_uri=https%3A%2F%2Fjwt.ms
&scope=openid%20api%3A%2F%2F3f4c1d35-3161-4c45-b5ec-ff7be4e89473%2Faccess_as_user
&response_mode=fragment
&state=12345
&nonce=678910
The scope is not included in JWT.
Here is how to do this:
Register a Single-Tenant Microsoft Entra ID Application and add redirect_uri: https://jwt.ms:
Configure the authentication tab of application like below:
Add the Application ID URI and expose an API access_as_user like below:
Now add the access_as_user permission and grant Admin Consent:
Now, run the below request in the browser:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<application-id>
&response_type=token
&redirect_uri=https://jwt.ms
&scope=api://<application-id>/access_as_user
&response_mode=fragment
&state=12345
&nonce=678910
You should now successfully get scp in your JWT:
- Azure CLI Bash - attaching an app insights resource to api managment
- Install azure cli via brew not working in mac m1
- Assigning multiple tags to a resource via Azure CLI results in one big tag when using a variable
- How to deploy app service with private endpoint and custom domain in a self hosting devops agent
- Getting error when running az extension add --name serviceconnector-passwordless
- Expose api on an app registration using a script
- How to get JWT from Microsoft Entra ID with an API scope when doing implicit flow?
- Azure Command-Line Interface (CLI) error running .NET 8 console app
- Azure won't show roleDefinition for directory roles
- Get info about approvals and checks for Azure DevOps environments
- ./<bundle_name> --environment <environment_name> not working on azure console
- JMESPath extract raw values from list
- Redeploy .NET Aspire project after resource cleanup
- Configuring Azure Front Door (with Azure CLI): Adding route with multiple custom domains
- Azure CLI Never Ending task
- Github Action to deploy to Azure fails (no changes made) - "Containerapp does not exist"
- Configuring Azure Front Door with Azure CLI issues
- Get-AzApplicationInsights is not recognized
- No such file or directory: '/home/vsts/work/_temp/.azclitask/bin/bicep' when doing az deployment mg in an Azure DevOps pipeline
- Cannot assign Azure Role for cosmos db
- why az login stopped using browser and now uses "email and accounts". How to revert it?
- Cannot update Azure DevOps wiki from pipeline
- "az webapp identity assign" command throws LinkedInvalidPropertyId
- Az CLI: Cannot run pipeline with runtime parameters
- Can the default error color be changed in Python?
- Updating web redirect uri of Azure AD app registration
- Size of Azure Storage Account inconsistent in CLI and Azure Portal
- Pass CLI command output into Terraform for_each expression
- How can i list the different instances of a Azure app service and restart an instance?
- How to get the Resource Group ID with Azure CLI?