Azure-Samples / ms-identity-javascript-react-tutorial

A chapterwise tutorial that will take you through the fundamentals of modern authentication with Microsoft identity platform in React using MSAL React
https://github.com/AzureAD/microsoft-authentication-library-for-js
MIT License

Not able to run the example using personal Azure account. #251

Closed yolossn closed 1 year ago

yolossn commented 1 year ago

Issue

When I run the 2-Authorization-I>2-call-arm>SPA example and login with my personal Azure account, I get the following error when I click on Tenants tab.

Error:

Error: invalid_scope: 70011 - [2023-02-06 10:14:27Z]: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'https://management.azure.com/user_impersonation openid profile offline_access' does not exist....

This issue is for the sample

    - [ ] 1-1) Sign-in with Azure AD
    - [ ] 1-2) Sign-in with Azure AD B2C
    - [ ] 2-1) Acquire a Token and call Microsoft Graph
    - [ ] 3-1) Protect and call a web API on Azure AD
    - [ ] 3-2) Protect and call a web API on Azure AD B2C
    - [ ] 4-1) Deploy to Azure Storage and App Service
    - [ ] 4-2) Deploy to Azure Static App Service
    - [ ] 5-1) Call a web API using App Roles
    - [ ] 5-2) Call a web API using Security Groups
    - [ ] 6-1) Call Microsoft Graph using on-behalf-of flow
    - [ ] 6-3) Call a web API using Conditional Access Auth Context
    - [ ] 6-4) Sign-in with Hybrid SPA flow
    - [x] Other

Other: Acquire a Token and call ARM API

This issue is for a

    - [x] bug report -> please search issues before submitting
    - [ ] question
    - [ ] feature request
    - [ ] documentation issue or request

Minimal steps to reproduce

  1. Clone this repo.
  2. Run the 2-Authorization-I/2-call-arm/SPA example.
  3. Go to http://localhost:3000/
  4. Login using personal Azure account.
  5. Click on Tenants menu

Any log messages given by the failure

Error: invalid_scope: 70011 - [2023-02-06 10:14:27Z]: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'https://management.azure.com/user_impersonation openid profile offline_access' does not exist....

Library version

"@azure/arm-resources-subscriptions": "^2.0.1",
"@azure/msal-browser": "~2.31.0",
"@azure/msal-react": "~1.4.10",
"@azure/storage-blob": "^12.11.0",

Browser and version

Edge

salman90 commented 1 year ago

Hi @yolossn, I wasn't able to reproduce your error. Please share your MSAL configuration and MSAL logs. What do you mean by a personal Azure account? Is it @live.com, @outlook.com, etc.? If you can provide a Fiddler trace, that will be very helpful.

yolossn commented 1 year ago

Hey, I am using my @outlook.com email to log in. I use the same MSAL config that is provided in the example. I just changed the clientId and the authority to 'https://login.microsoftonline.com/common'.

salman90 commented 1 year ago

Because you're using a multi-tenant with a Microsoft account (a guest user to the tenant), the tokens may be from the wrong authority. Try overriding the default authority in the token request by using the tenantId where you invited the guest user instead of their home tenant, which is the default, as shown below:

```javascript
import { useMsal, useMsalAuthentication } from '@azure/msal-react';
import { InteractionType } from '@azure/msal-browser';
import { protectedResources } from './authConfig'; // wherever the sample defines protectedResources

// The signed-in account (the sample exposes it through useMsal()).
const { accounts } = useMsal();
const account = accounts[0];

// Override the default authority (the guest user's home tenant) with the tenant
// the user was invited to. {tenantIdWhereUserWasInvited} is a placeholder.
const request = {
    scopes: protectedResources.armTenants.scopes,
    account: account,
    authority: `https://login.microsoftonline.com/{tenantIdWhereUserWasInvited}`,
};

const { login, result, error } = useMsalAuthentication(InteractionType.Popup, {
    ...request,
    redirectUri: '/redirect.html',
});
```

For more information, check the following dynamic auth request.
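The authority override described above, as an added example that is not part of this sample or of MSAL: it wraps the request construction in a function that takes the invited tenant id, refuses the `common`, `organizations` and `consumers` aliases (which resolve a guest or personal account in its home tenant, where the ARM scope is not granted), and uses `homeAccountId` (which MSAL formats as `<localAccountId>.<homeTenantId>`) to tell whether the account is a guest in that tenant. The account object and GUIDs are constructed, and `INVITED_TENANT_ID` in the usage comment is an assumed constant you supply.

```javascript
// Added example, not part of the sample or of MSAL: build the ARM token request
// against the tenant the user was invited to, and refuse the multi-tenant
// authority aliases that led to the AADSTS70011 error in this issue.

const ARM_SCOPES = ['https://management.azure.com/user_impersonation'];

// Multi-tenant authority aliases. A guest or personal (MSA) account sent to one
// of these is resolved in its home tenant, where the ARM scope does not exist.
const TENANT_ALIASES = new Set(['common', 'organizations', 'consumers']);

// MSAL's AccountInfo.homeAccountId has the form "<localAccountId>.<homeTenantId>".
function homeTenantOf(account) {
  const parts = String(account.homeAccountId || '').split('.');
  return parts.length === 2 ? parts[1].toLowerCase() : null;
}

// True when the account's home tenant differs from the tenant we want to call
// ARM in, i.e. the user is a guest (or a personal account) there.
function isGuestIn(account, tenantId) {
  const home = homeTenantOf(account);
  return home !== null && home !== String(tenantId).toLowerCase();
}

// Returns the request object to hand to useMsalAuthentication or
// acquireTokenSilent. Throws instead of silently falling back to /common.
function buildArmTokenRequest(account, invitedTenantId, scopes = ARM_SCOPES) {
  const tenant = String(invitedTenantId || '').trim().toLowerCase();
  if (!tenant || TENANT_ALIASES.has(tenant)) {
    throw new Error(`ARM requests need a concrete tenant id, got '${invitedTenantId}'`);
  }
  return {
    scopes,
    account,
    authority: `https://login.microsoftonline.com/${tenant}`,
  };
}

// Constructed sample account: a personal account that signed into a tenant it
// was invited to. The GUIDs are made up.
const SAMPLE_GUEST_ACCOUNT = {
  homeAccountId: '00000000-0000-0000-0000-0000000000aa.11111111-1111-1111-1111-111111111111',
  tenantId: '22222222-2222-2222-2222-222222222222',
  username: 'someone@outlook.com',
  environment: 'login.windows.net',
};

// In the React component (assumed INVITED_TENANT_ID; not executed here):
//   const request = buildArmTokenRequest(account, INVITED_TENANT_ID);
//   const { login, result, error } = useMsalAuthentication(InteractionType.Popup,
//     { ...request, redirectUri: '/redirect.html' });
```

Checking `isGuestIn` before building the request lets the UI explain why a tenant-specific authority is required instead of surfacing the raw AADSTS70011 text; the guard against aliases catches the `/common` configuration from the issue at build time rather than at the token endpoint.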

yolossn commented 1 year ago

Thanks for the reply. We are building a tool for any Azure user to log in using their Azure account and manage their K8s clusters; we want the user to access and manage the resources in their tenant. Something similar to this VSCode addon for Azure K8s.

salman90 commented 1 year ago

@yolossn No worries; please let me know if you need any additional guidance.

salman90 commented 1 year ago

@yolossn closing issue due to inactivity