Azure / Azure-Functions


When are the scopes, as given in "Microsoft Account Authentication Settings" being used? #958

Open nils-a opened 6 years ago

nils-a commented 6 years ago

I was redirected here by @MicahMcKittrick-MSFT, coming from https://social.msdn.microsoft.com/Forums/en-US/4430250b-dfe8-4eba-aa15-ef55f43e608e/when-are-the-scopes-as-given-in-microsoft-account-authentication-settings-being-used?forum=AzureFunctions

Originally I raised my question at https://github.com/MicrosoftDocs/azure-docs/issues/11744

To repeat the question:

Regarding an Azure Function, when securing the function using "Authentication / Authorization", after selecting the Authentication Provider "Microsoft Account" there is a page which contains a ClientId, a ClientSecret and some Scopes.


The question is: When are the given scopes being used? Are they somehow enforced when accessing the function? Or are they only used when the "Action to take when request is not authenticated" setting is set to "Log in with Microsoft Account"?

nils-a commented 5 years ago

Hi, it's been two months... Not even a comment? :-(

mimckitt commented 5 years ago

@ggailey777, @mike-urnun-msft do either of you have any function contacts that could assist on this?

mikeurnun commented 5 years ago

Hello @nils-a, my apologies that I didn't see your last comment on #11744, and that you've had to raise your question across multiple channels. After reviewing your feedback, here's what I'd like to propose that we do:

  1. On the documentation side: re-open #11744 so that @ggailey777 and I can review your feedback as to adding the necessary info to this documentation, which discusses the topic of scopes separately. PS: You're welcome to submit your own PR and drive improvements to MS Docs too! @ggailey777, let us know if you have any thoughts here.
  2. Keep this particular issue open to address any specific issue you may be facing with your existing project, if any. Scopes, Client ID/Secrets etc. are all parts of the OAuth 2.0 protocol; Microsoft is simply one of the authentication providers and implements this protocol according to its spec, and scopes are defined in its own proprietary way. For example, if you decided to use Facebook/Google or a different authentication provider, the set of scopes would be different as well and more relevant to the kind of user data that Facebook or that other authentication provider stores and defines for scopes. If you're new to the OAuth 2.0 flow, I recommend watching this video: https://www.youtube.com/watch?v=996OiexHze0 I find it very concise and easy to follow.

ColbyTresness commented 5 years ago

Closing due to tracking elsewhere for 1 and lack of customer response on 2. Please reopen if necessary.

nils-a commented 5 years ago

@ColbyTresness - I'm a bit disappointed... Should I have said "yes"? Did I have a choice? And in regard to your first point: where is this being tracked, if not here?

ColbyTresness commented 5 years ago

  1. The issue referenced above on the MS Docs repo.
  2. Sorry, just cleaning up stale issues. Happy to reopen.

ColbyTresness commented 5 years ago

@mattchenderson to investigate