
I have an Azure app registered. I am trying to authenticate to that app. I am able to do that and successfully get the access token and ID token. However, when I use that token and try to make a request to the list subscriptions API (https://management.azure.com/subscriptions?api-version=2020-01-01), the request fails and gives the response "AuthenticationFailed". I have also tried changing the scope to https://management.azure.com/.default but the same error is there. Below is the Node.js code, and I am also attaching the API permissions of the app.

[screenshot: API permissions of the app registration]

const express = require('express');
const msal = require('@azure/msal-node');

// Redirect URI registered on the app (placeholder value, not the real one)
const REDIRECT_URI = 'http://localhost:3000/redirect';

const config = {
  auth: {
    clientId: 'xxx',
    authority: 'https://login.microsoftonline.com/organizations',
    clientSecret: 'yyy',
  },
  system: {
    loggerOptions: {
      loggerCallback(loglevel, message, containsPii) {
        console.log(message);
      },
      piiLoggingEnabled: false,
      logLevel: msal.LogLevel.Verbose,
    },
  },
};

// Create msal application object
const pca = new msal.ConfidentialClientApplication(config);

// Create Express App and Routes
const app = express();

app.get('/', (req, res) => {
  // Scopes requested in the auth code flow
  const authCodeUrlParameters = {
    scopes: ['user.read', 'https://management.azure.com/user_impersonation'],
    redirectUri: REDIRECT_URI,
  };

  // get url to sign user in and consent to scopes needed for application
  pca
    .getAuthCodeUrl(authCodeUrlParameters)
    .then((response) => {
      res.redirect(response);
    })
    .catch((error) => console.log(JSON.stringify(error)));
});

app.listen(3000);

The response I am getting is:

{
    "error": {
        "code": "AuthenticationFailed",
        "message": "Authentication failed."
    }
}
kavyaS, vishalsaugat

1 Answer


The error "AuthenticationFailed" usually occurs if you are using a token with a different scope to call the API.

I tried to generate an access token with the same scope as you via Postman and got the same error while calling the query, like below:

[screenshot: Postman request returning AuthenticationFailed]

Please note that,

  • user.read audience is Microsoft Graph API
  • https://management.azure.com/user_impersonation audience is Azure Service Management.

As you have given two different scopes with different audiences, it will consider the first scope (user.read) to generate the token, as mentioned in this SO thread which was solved by me.

When you call the query https://management.azure.com/subscriptions?api-version=2020-01-01 with the above token, you will get the error, as it is intended for the MS Graph audience.

I tried to generate the token with the scope https://management.azure.com/user_impersonation only, removing user.read, like below:

[screenshot: token request with only the user_impersonation scope]

With the above generated token, I am able to call the API successfully like below:

[screenshot: successful call to the subscriptions API]

If you want tokens with different scopes, then you have to generate two access tokens separately.

Sridevi
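The two points the answer makes, as an added example that is not part of the question or the answer: a scope list mixing Microsoft Graph and Azure Resource Manager permissions has to be split into one token request per audience, and a token's `aud` claim can be checked before it is sent to a resource so that a mismatch is caught client-side instead of surfacing as "AuthenticationFailed". This uses only Node built-ins and makes no call to @azure/msal-node; the resource constants, the rule that a bare scope such as `user.read` is a Graph permission, and the unsigned sample tokens are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the question, the answer or @azure/msal-node.
const GRAPH = 'https://graph.microsoft.com';
const ARM = 'https://management.azure.com';
// OIDC scopes carry no resource audience and may ride along with any request.
const NEUTRAL_SCOPES = new Set(['openid', 'profile', 'offline_access']);

// Map one scope string to the resource it targets. Assumption: a bare scope
// name such as 'user.read' is a Microsoft Graph permission (the Graph default).
function audienceOfScope(scope) {
  if (NEUTRAL_SCOPES.has(scope)) return null;
  if (!/^https?:\/\//i.test(scope)) return GRAPH;
  const u = new URL(scope);
  return `${u.protocol}//${u.host}`;
}

// Split a requested scope list into one group per audience; each group is
// what a single getAuthCodeUrl / acquireToken call should ask for.
function groupScopesByAudience(scopes) {
  const neutral = [];
  const groups = new Map();
  for (const scope of scopes) {
    const aud = audienceOfScope(scope);
    if (aud === null) { neutral.push(scope); continue; }
    if (!groups.has(aud)) groups.set(aud, []);
    groups.get(aud).push(scope);
  }
  return [...groups].map(([audience, resourceScopes]) => ({
    audience,
    scopes: [...resourceScopes, ...neutral],
  }));
}

// base64url helpers written against plain 'base64' so they run on older Node releases too.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload of a JWT without verifying it. This is only a client-side
// sanity check on which resource the token was minted for; the resource
// server is what validates the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

function normalizeAudience(aud) {
  return String(aud).replace(/\/+$/, '').toLowerCase();
}

// True when the token's `aud` names the resource (trailing slash ignored;
// ARM tokens commonly carry 'https://management.azure.com/').
function tokenAudienceMatches(token, resource) {
  const { aud } = decodeJwtPayload(token);
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.map(normalizeAudience).includes(normalizeAudience(resource));
}

// Pick the token whose audience matches the request URL's origin, or fail
// early with the scope that would produce a usable token.
function tokenForRequest(url, tokensByAudience) {
  const resource = new URL(url).origin;
  for (const [audience, token] of Object.entries(tokensByAudience)) {
    if (normalizeAudience(audience) === normalizeAudience(resource) &&
        tokenAudienceMatches(token, resource)) {
      return token;
    }
  }
  throw new Error(`no token with aud ${resource}; request scope ${resource}/.default separately`);
}

// Constructed, unsigned JWT for offline demonstration only; the signature
// segment is a placeholder and no real issuer would accept this token.
function makeUnsignedJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Usage with the scope list from the question.
const plan = groupScopesByAudience(['user.read', 'https://management.azure.com/user_impersonation', 'openid']);
console.log(JSON.stringify(plan)); // two groups: Graph and ARM, each with 'openid' appended
const graphToken = makeUnsignedJwt({ aud: GRAPH, scp: 'User.Read' });
const armToken = makeUnsignedJwt({ aud: 'https://management.azure.com/', scp: 'user_impersonation' });
const subsUrl = 'https://management.azure.com/subscriptions?api-version=2020-01-01';
console.log(tokenAudienceMatches(graphToken, ARM)); // false
console.log(tokenForRequest(subsUrl, { [GRAPH]: graphToken, [ARM]: armToken }) === armToken); // true
```

Each entry of `groupScopesByAudience` is a separate `getAuthCodeUrl` or `acquireTokenSilent` call; `tokenForRequest` then selects the token whose audience equals the origin of the URL about to be called, which is the check that would have flagged the Graph token before it was sent to the subscriptions endpoint.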