Why is an Azure permission missing from the scopes of my JWT token?
I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.
I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:

From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.
I get this:

I already tried to remove the app from the test user's applications (in their Azure Portal) to get it to ask again for consent, but it's still the same. Other test users also get the same result.
What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.
asked Jan 4 at 15:37, edited Jan 7 at 9:01
– J Flex
Sorry for the images, but I don't have enough Stack Overflow reputation to post them.
– J Flex
Jan 4 at 15:37
You need to acquire the token for the https://management.azure.com resource I think. That looks like an MS Graph API token.
– juunas
Jan 4 at 16:02
Or with that full scope name if you are using v2
– juunas
Jan 4 at 16:02
How do you mean? I already have management.azure.com/user_impersonation in my scopes, you can also see it as the first permission on my first screenshot. Is there something I am missing?
– J Flex
Jan 7 at 7:34
Somewhere in your code you acquire the access token. An access token is only valid for one API, and the one you are showing is an access token for MS Graph API. Thus it won't contain the scope for Azure Management API. So when you acquire the token, you need to specify that you want a token for the Azure Management API, and not MS Graph API.
– juunas
Jan 7 at 7:39
2 Answers
You need to acquire the access token for the https://management.azure.com resource.
Or if using v2, request it for the https://management.azure.com/user_impersonation scope.
That looks like an MS Graph API token.
An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.
answered Jan 7 at 9:03
– juunas
It works now!
So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But you can ask for consent for both at the same time, though.
My flow is this now:
- I log the user in while asking him to consent to some permissions (for both APIs and on first login only)
- I request a token in the background for the Graph API scopes
- I request a second token for the Azure Management API scopes
answered Jan 7 at 9:02, edited Jan 7 at 9:17
– J Flex
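The flow in the answers above, as an added example that is not code from either poster or from any Microsoft library: it splits a consent-time scope list into one token request per API and checks the `aud` and `scp` claims of a token to see which API it was issued for. The function names and the sample tokens are constructed for illustration, and the audience is assumed to appear in URL form.

```javascript
// Constructed sample tokens: unsigned, JWT-shaped strings for this demo only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}
const SAMPLE_GRAPH_TOKEN = makeSampleToken(
  { aud: "https://graph.microsoft.com", scp: "User.Read" });
const SAMPLE_MGMT_TOKEN = makeSampleToken(
  { aud: "https://management.azure.com", scp: "user_impersonation" });

// Decode the payload without verifying the signature (inspection only,
// the same view a JWT debugger gives).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Split a consent-time scope list into one token request per API.
// Assumption: bare names such as "User.Read" belong to Microsoft Graph;
// OpenID Connect scopes are not tied to an API and are skipped.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);
function groupScopesByResource(scopes) {
  const groups = new Map();
  for (const scope of scopes) {
    if (OIDC_SCOPES.has(scope)) continue;
    const resource = /^https?:\/\//.test(scope)
      ? new URL(scope).origin : "https://graph.microsoft.com";
    if (!groups.has(resource)) groups.set(resource, []);
    groups.get(resource).push(scope);
  }
  return groups;
}

// Report why a token does or does not carry the wanted "<resource>/<permission>".
function checkToken(jwt, wantedScope) {
  const claims = decodeClaims(jwt);
  const wanted = new URL(wantedScope);
  const permission = wanted.pathname.slice(1);
  const aud = String(claims.aud || "").replace(/\/$/, "");
  const granted = String(claims.scp || "").split(" ").filter(Boolean);
  if (aud !== wanted.origin) return `wrong audience: ${aud}`;
  return granted.includes(permission) ? "ok" : `missing scope: ${permission}`;
}
```

Each key of the map returned by `groupScopesByResource` corresponds to one separate token request; `checkToken` on the Graph sample reports the audience mismatch that the question ran into.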