
I am trying to register users from Azure Active Directory using @azure/msal-angular; to be more precise, I tried the following tutorial

Those are the changes I have made to the project

import {
  IPublicClientApplication,
  PublicClientApplication,
  BrowserCacheLocation,
  LogLevel
} from '@azure/msal-browser';

// Helpers from the MSAL Angular sample that the factory below relies on
const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;

export function loggerCallback(logLevel: LogLevel, message: string) {
  console.log(message);
}

export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: 'my_real_client_id',
      redirectUri: 'http://localhost:4200',
      authority: 'https://login.microsoftonline.com/my_real_tenant_id',
      postLogoutRedirectUri: '/'
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
      storeAuthStateInCookie: isIE, // set to true for IE 11
    },
    system: {
      loggerOptions: {
        loggerCallback,
        logLevel: LogLevel.Info,
        piiLoggingEnabled: false
      }
    }
  });
}

import { InteractionType } from '@azure/msal-browser';
import { MsalInterceptorConfiguration } from '@azure/msal-angular';

export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  // Maps each protected resource URL to the scopes the interceptor requests before calling it
  const protectedResourceMap = new Map<string, Array<string>>();
  protectedResourceMap.set('https://graph.microsoft.com/v1.0/me', ['user.read']);
  // 'profile' is an OpenID Connect scope, not a scope exposed by this API, so the
  // token acquired for it is a Microsoft Graph token
  protectedResourceMap.set('http://localhost:5000/', ['profile']);

  return {
    interactionType: InteractionType.Redirect,
    protectedResourceMap
  };
}

The problem is that MsalInterceptor adds a V1 token to the URL for the request to my API, which expects V2.

Azure is configured to accessTokenAcceptedVersion: 2

I can provide more information if needed

Update

In my case, the problem was due to the scopes specified: both APIs for "user.read" and "profile" require a V1 access token.

Cristian Flaviu

1 Answer


Although you have resolved the issue, I would like to clarify more details.

In fact, it is not that the permissions "user.read" and "profile" require a V1 access token. The actual reason is this:

Access Tokens versions are determined by the configuration of your application/API in the manifest. You have to change the accessTokenAcceptedVersion part of the manifest to 2 if you want a V2 access token. This is also the reason why you cannot control what version of the access token you will get from your client application when you request an access token.

We can't modify the accessTokenAcceptedVersion from Microsoft Graph side.

So the conclusion is that access tokens for MS Graph are always V1 access tokens.

Allen Wu
    any idea why I would have the same problem even if my app registration has accessTokenAcceptedVersion configured to 2 on the manifest ? – TechWatching Apr 07 '22 at 05:34
  • This makes no sense to me. If the manifest can define the version as V2, why is the conclusion that the MS Graph token is always a V1 access token? – Heinzlmaen Jul 12 '22 at 13:18
  • I have accessTokenAcceptedVersion 2 in the manifest. Postman return V2 token but MSAL returns V1 token which results in 401 for Azure Function call. – Andre Apr 21 '23 at 07:59
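The quickest way to settle the "which version did MSAL give me" debate in the answer and comments above is to decode the access token and read its claims: `ver` says 1.0 or 2.0, `iss` is `https://sts.windows.net/{tenant}/` for V1 and `https://login.microsoftonline.com/{tenant}/v2.0` for V2, and `aud` says which resource the token was minted for (for Microsoft Graph that is `https://graph.microsoft.com` or its well-known app ID `00000003-0000-0000-c000-000000000000`). The TypeScript below is an added example, not code from the question, the answer or the MSAL libraries. The two tokens it inspects are constructed, unsigned samples whose tenant and app IDs are placeholders; the first mimics what MSAL returns for the `user.read` / `profile` scopes from the question, the second what an API with `accessTokenAcceptedVersion: 2` receives when its own scope is requested. The base64url codec is hand-rolled so the block runs without Node or browser globals.

```typescript
// Added example: inspect an Azure AD access token's version and audience.
// Sample tokens are constructed here with an empty signature; never accept
// unsigned tokens in real code, this only looks at claims for diagnosis.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Unpadded base64url encoder (ASCII input only, enough for JSON claims)
function base64UrlEncode(text: string): string {
  let out = '';
  for (let i = 0; i < text.length; i += 3) {
    const n = Math.min(3, text.length - i);
    const b0 = text.charCodeAt(i);
    const b1 = n > 1 ? text.charCodeAt(i + 1) : 0;
    const b2 = n > 2 ? text.charCodeAt(i + 2) : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2;
    out += B64URL[(triple >> 18) & 63] + B64URL[(triple >> 12) & 63];
    if (n > 1) out += B64URL[(triple >> 6) & 63];
    if (n > 2) out += B64URL[triple & 63];
  }
  return out;
}

// Unpadded base64url decoder; a real decoder should also handle UTF-8 bytes
function base64UrlDecode(s: string): string {
  let bits = 0;
  let acc = 0;
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error(`invalid base64url character: ${s[i]}`);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return out;
}

interface AccessTokenSummary {
  ver: '1.0' | '2.0' | 'unknown';
  iss: string;
  aud: string;
  resource: 'Microsoft Graph' | 'other';
  scp: string[];
}

// Audiences Azure AD uses for Microsoft Graph tokens
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000',
]);

// Parse the payload of a compact JWS and summarise the version-relevant claims
function inspectAccessToken(token: string): AccessTokenSummary {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  const claims = JSON.parse(base64UrlDecode(parts[1])) as Record<string, unknown>;
  const rawVer = claims.ver;
  const ver: AccessTokenSummary['ver'] = rawVer === '1.0' || rawVer === '2.0' ? rawVer : 'unknown';
  const aud = String(claims.aud ?? '');
  const scp = claims.scp;
  return {
    ver,
    iss: String(claims.iss ?? ''),
    aud,
    resource: GRAPH_AUDIENCES.has(aud) ? 'Microsoft Graph' : 'other',
    scp: typeof scp === 'string' ? scp.split(' ') : [],
  };
}

// Build a constructed, unsigned sample token from a claim set
function makeUnsignedToken(claims: Record<string, unknown>): string {
  const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'none' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

const TENANT = '11111111-2222-3333-4444-555555555555'; // placeholder tenant ID

// Constructed: the shape MSAL returns for ['user.read'] or ['profile'],
// a V1 token whose audience is Microsoft Graph regardless of your own manifest
const graphTokenV1 = makeUnsignedToken({
  aud: 'https://graph.microsoft.com',
  iss: `https://sts.windows.net/${TENANT}/`,
  ver: '1.0',
  scp: 'User.Read profile',
});

// Constructed: the shape an API with accessTokenAcceptedVersion: 2 receives
// when its own exposed scope is requested (aud is the API's client ID in V2)
const apiTokenV2 = makeUnsignedToken({
  aud: '66666666-7777-8888-9999-000000000000', // placeholder API client ID
  iss: `https://login.microsoftonline.com/${TENANT}/v2.0`,
  ver: '2.0',
  scp: 'access_as_user',
});

console.log(inspectAccessToken(graphTokenV1));
console.log(inspectAccessToken(apiTokenV2));
```

Run this against the token MSAL actually attaches to your API call (copy it from the browser's network tab): if `resource` comes back as `Microsoft Graph`, the scopes in your `protectedResourceMap` are Graph or OIDC scopes rather than a scope your API exposes, and no `accessTokenAcceptedVersion` setting on your own registration will change the token you get.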