1

I created a new app service and set accessTokenAcceptedVersion to 2 in manifest.json as I am looking for a v2 token similar to here. However, the accessToken generated by Microsoft always has an iss value of sts.windows.net when decoded. I would like it to be login.microsoftonline.com. Please advise.

This is my implementation: [screenshot]

This is my token when decoded: [screenshot]

Please advise.

arunmmanoharan

1 Answer

2

Please see this part (just in the link you shared):

Resources always own their tokens (those with their aud claim) and are the only applications that can change their token details. This is why changing the access token optional claims for your client does not change the access token received when a token is requested for user.read, which is owned by the Microsoft Graph resource.

It means that the accessTokenAcceptedVersion setting should be configured in the service-side app registration rather than client-side app registration.

For a Microsoft Graph token, we are unable to configure it on the service side because the Microsoft Graph app registration is officially managed by Microsoft.

Configuring accessTokenAcceptedVersion on your client side won't change the token version to 2. This is expected.

This feature is mainly used when you call your own AAD-protected web API rather than a Microsoft official API.


UPDATE:

If you want to call your own API, you should create the service-side app registration by following Protected web API: App registration and set accessTokenAcceptedVersion in it.

Here is the complete document for Scenario: A web app that calls web APIs.

Allen Wu
  • Does this mean I need to create two app services? One for UI and one for API? – arunmmanoharan Jun 08 '21 at 02:33
  • @a2441918 Your access token is to call Microsoft Graph. In this case you don't need to create an app registration for the API because the API is Microsoft Graph. – Allen Wu Jun 08 '21 at 02:35
  • @a2441918 In other words, we can't set the Microsoft Graph access token version to 2. – Allen Wu Jun 08 '21 at 02:36
  • But I don't want to call Microsoft Graph. Is it by default? All I need to do is send the token as Bearer Auth to my API and validate the token on the API and compare the OID against my database. – arunmmanoharan Jun 08 '21 at 02:36
  • @a2441918 OK got it. I said your access token is for Microsoft Graph because the `aud` is "00000003-0000-0000-c000-000000000000", which means this token is for Microsoft Graph. If you want to call your own API, you should create the service-side app registration by following https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration and set `accessTokenAcceptedVersion` in it. – Allen Wu Jun 08 '21 at 02:39
  • Thanks man. So two app registrations, one for UI and one for API? Or do I just do it for the API? – arunmmanoharan Jun 08 '21 at 02:41
  • 1
    @a2441918 Yes. Two app registrations. Set `accessTokenAcceptedVersion` in service-side app registration (API). – Allen Wu Jun 08 '21 at 02:43
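The thread turns on two claims the asker's decoded token already shows: `iss` (sts.windows.net for a v1.0 token, login.microsoftonline.com/.../v2.0 for a v2.0 token) and `aud` (00000003-0000-0000-c000-000000000000 means the token was issued for Microsoft Graph, not for the asker's API). The following is an added example, not code from the question, the answer or Microsoft: it inspects those claims on the API side so that a token minted for Graph, or for the wrong tenant, is rejected before any `oid` lookup against the database. The tenant id, client id, App ID URI and the three tokens are constructed sample values, and the tokens are unsigned; a real API must verify the signature against the tenant's JWKS before trusting any claim. Only the standard library is used.

```python
# Added example (not from the original question or answer): inspect the claims of
# an Azure AD access token to see which version it is, who issued it and which
# resource it was issued for. Claims are only inspected here; a production API
# must verify the JWT signature against the tenant's JWKS first.
import base64
import json

# Microsoft Graph application id, quoted in the thread above.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample values for this example only (not real identifiers).
TENANT = "11111111-2222-3333-4444-555555555555"
API_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
API_APP_ID_URI = f"api://{API_CLIENT_ID}"
SAMPLE_OID = "99999999-8888-7777-6666-555555555555"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_issuer(tenant_id: str, version: str) -> str:
    """Issuer Azure AD puts in a v1.0 or v2.0 access token for this tenant."""
    if version == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"


def check_token(token: str, tenant_id: str, api_client_id: str, api_app_id_uri: str) -> dict:
    """Classify the token and list every reason the API should refuse it."""
    claims = decode_claims(token)
    problems = []
    version = claims.get("ver", "1.0")  # v1.0 tokens carry ver "1.0", v2.0 tokens "2.0"
    if claims.get("iss") != expected_issuer(tenant_id, version):
        problems.append(f"unexpected issuer {claims.get('iss')!r} for ver {version}")
    aud = claims.get("aud")
    if aud == GRAPH_APP_ID:
        problems.append("token was issued for Microsoft Graph, not for this API; "
                        "the client must request a scope exposed by this API")
    elif aud not in (api_client_id, api_app_id_uri):
        # v1.0 tokens usually carry the App ID URI, v2.0 tokens the client id.
        problems.append(f"audience {aud!r} is not this API")
    if "oid" not in claims:
        problems.append("no oid claim to look the user up with")
    return {"version": version, "iss": claims.get("iss"), "aud": aud,
            "oid": claims.get("oid"), "ok": not problems, "problems": problems}


def unsigned_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature) for this example."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature-placeholder"


# 1) What the asker saw: v1.0 token, sts.windows.net issuer, audience Microsoft Graph.
GRAPH_TOKEN = unsigned_sample({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/",
                               "aud": GRAPH_APP_ID, "tid": TENANT, "oid": SAMPLE_OID})
# 2) Token for the API after accessTokenAcceptedVersion=2 on the API's registration.
API_TOKEN_V2 = unsigned_sample({"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
                                "aud": API_CLIENT_ID, "tid": TENANT, "oid": SAMPLE_OID})
# 3) Token for the same API with the default (v1.0) setting; note the App ID URI audience.
API_TOKEN_V1 = unsigned_sample({"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/",
                                "aud": API_APP_ID_URI, "tid": TENANT, "oid": SAMPLE_OID})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("api-v2", API_TOKEN_V2), ("api-v1", API_TOKEN_V1)):
        print(name, check_token(tok, TENANT, API_CLIENT_ID, API_APP_ID_URI))
```

Run stand-alone, the Graph token is refused with the "issued for Microsoft Graph" reason, while both API tokens pass; the v1.0 one still passes because its `aud` is the API's App ID URI, which is why the version flip on the API registration changes `iss` and `aud` format without the API having to trust a different tenant or resource.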