Azure Active Directory v2.0 Daemons and Server Side Apps Support

azure-active-directory msal
Montané Hamilton picture Montané Hamilton · Apr 10, 2017 · Viewed 8.4k times · Source

Trying to get clarity as to if the current v2.0 endpoint supports the Daemons and server-side apps flow.

This article talks about the flows: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-flows

It states:

This article describes the types of apps that you can build by using Azure AD v2.0, regardless of your preferred language or platform. The information in this article is designed to help you understand high-level scenarios before you start working with the code.

Further it states:

Currently, the types of apps in this section are not supported by the v2.0 endpoint, but they are on the roadmap for future development. For additional limitations and restrictions for the v2.0 endpoint

In the end I'm trying to build an app that connects to the Graph API that on a schedule connects to the API with "credentials" that allow it to access the API on behalf of a user that has allowed it to.

In my test harness I can get a token using:

var pca = new PublicClientApplication(connector.AzureClientId)
          {
             RedirectUri = redirectUrl
          };
var result = await pca.AcquireTokenAsync(new[] {"Directory.Read.All"},
                (Microsoft.Identity.Client.User) null, UiOptions.ForceLogin, string.Empty);

In the same harness I cannot get a token using:

var cca = new ConfidentialClientApplication(
                connector.AzureClientId,
                redirectUrl,
                new ClientCredential(connector.AzureClientSecretKey),
                null) {PlatformParameters = new PlatformParameters()};

var result = await cca.AcquireTokenForClient(new[] { "Directory.Read.All" }, string.Empty);

This will result in:

Exception thrown: 'Microsoft.Identity.Client.MsalServiceException' in mscorlib.dll

Additional information: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope Directory.Read.All is not valid. Trace ID: dcba6878-5908-44a0-95f3-c51b0b4f1a00 Correlation ID: 1612e41a-a283-4557-b462-09653d7e4c21 Timestamp: 2017-04-10 20:53:05Z

The MSAL package, Microsoft.Identity.Client (1.0.304142221-alpha), has not been updated since April 16, 2016. Is that even the package I should be using?

Answer

Nan Yu picture Nan Yu · Apr 11, 2017

When using client credentials flow with Azure AD V2.0 , the value passed for the scope parameter in this request should be the resource identifier (Application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default.

Please click here for more details . And here is a tutorial for using client credentials flow with Azure AD V2.0 endpoint.

Related questions

Microsoft Graph API token validation failure

I would use Microsoft Graph API in my Angular Web application. First I make connexion using msal library When I try log in with my profil I get this error I have configured my app as the mentionned in the …

Read More
Microsoft graph return "access token is empty"

I post this request: POST https://login.microsoftonline.com:443/{my-tennant-here}/oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com Content-Type: application/x-www-form-urlencoded client_id={client id here} &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default &client_secret={client …

Read More
How to specify Resource URI when acquiring access token for Azure AD V2 endpoint?

I have used ADAL.js in a previous project which supported only work accounts and am able to successfully acquire idtokens and then accesstokens to an API (ResourceURI: "https://myresource.com"). Works fine. Now, I am trying to use MSAL.…

Read More