AzureAD / MSAL.PS

MIT License

Unable to authenticate interactively. #43

Closed IpsitoDutta closed 2 years ago

IpsitoDutta commented 2 years ago

Hello,

I am trying to acquire an MSAL OAuth token from Azure AD, scoped to the Yammer API, since the Yammer REST APIs now support MSAL:

> We’re excited to inform that all Yammer v1 APIs now support the usage of Azure Active Directory (AAD) tokens.

I was hoping that I would be able to use MSAL.PS to acquire the AAD token and use it in my PowerShell scripts. However, the Yammer APIs only support delegated permissions and not application permissions, as is documented in the same article cited above:

> Choose Delegated permissions and user_impersonation. Application permissions are currently not supported and we’re planning on addressing that limitation.

This is why I need to use interactive authentication when invoking MSAL.PS, so I run the following script:

```powershell
$TenantId = 'Tenant ID'
$ClientId = 'Client ID'
$Scopes   = @('https://api.yammer.com/.default')

# Interactive (browser) sign-in for the delegated Yammer scope
$token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes -Interactive -LoginHint 'UserName'
```

When I run the above mentioned script, I do get the prompt to login and after that, I get the following error:

[screenshot of the error]

Following the URL https://aka.ms/msal-net-invalid-client, I did make my application a public client:

[screenshot of the app registration with public client flows enabled]

But despite making the change, I continue to get the same error. It is important to add that scoping the script to the Yammer API isn’t the problem here, because if I scope it to the Microsoft Graph API with the script below, I get the same error:

```powershell
Get-MsalToken -ClientId $clientid -TenantId $tenantid -Interactive -Scopes 'https://graph.microsoft.com/User.Read' -LoginHint 'user@tenant.onmicrosoft.com'
```

I should mention that my application supports delegated permissions for Yammer and Microsoft Graph:

[screenshots of the API permissions]

Just to add, I am able to acquire an AAD Token and call the Yammer REST API successfully, if I bypass MSAL.PS completely, using the script below. However, it isn’t as secure as MSAL.PS/NET and doesn’t allow me the advantage of caching the token and refreshing it when expired:

```powershell
$username     = Read-Host "Enter the UserName"
$password     = Read-Host "Enter the password"
$ClientID     = "Client ID"
$loginURL     = "https://login.microsoftonline.com"
$tenantdomain = "Tenant Name.onmicrosoft.com"
$scope        = "https://api.yammer.com/.default"

# Resource Owner Password Credentials (ROPC) grant against the v2.0 token endpoint
$body = @{
    grant_type = "password"
    scope      = $scope
    client_id  = $ClientID
    username   = $username
    password   = $password
}
$oauth = Invoke-RestMethod -Method Post -Uri "$loginURL/$tenantdomain/oauth2/v2.0/token" -Body $body
$password = $null

# Call the Yammer REST API with the bearer token
$Bearertoken = $oauth.access_token
$headers  = @{ Authorization = "Bearer $Bearertoken" }
$response = Invoke-RestMethod -Method Get -Uri "https://www.yammer.com/api/v1/users/current.json" -Headers $headers
$response | Format-Table Type, ID, Network_Id, Full_Name, Job_Title, Email
```

Hence, my ask is, is there a bug when invoking interactive authentication for MSAL.PS?

P.S. (pun intended): I did see closed issues for similar problems, which may not have been as elaborate as they could have been. So, I wanted to share as much detail as possible. If there’s any additional data needed, please let me know. Thanks in advance.
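As an added example (not code from this issue or from the MSAL.PS project), the following script shows the caching and silent refresh that the ROPC workaround above lacks: it first tries `Get-MsalToken -Silent`, which serves the access token from the MSAL.PS in-memory cache or redeems the cached refresh token, and only falls back to `-Interactive` when no usable cached account exists. It assumes MSAL.PS is installed, that the app registration allows public client flows with `http://localhost` registered as a Mobile and desktop redirect URI (so the interactive loopback redirect is accepted), and placeholder tenant, client and user values.

```powershell
# Added example, not from the original issue. Assumes MSAL.PS is installed and the
# app registration allows public client flows with http://localhost as a
# "Mobile and desktop applications" redirect URI.
Import-Module MSAL.PS

$TenantId  = 'Tenant ID'                      # placeholder
$ClientId  = 'Client ID'                      # placeholder
$Scopes    = @('https://api.yammer.com/.default')
$LoginHint = 'user@tenant.onmicrosoft.com'    # placeholder

function Get-YammerToken {
    param([switch]$ForceInteractive)

    if (-not $ForceInteractive) {
        try {
            # Silent: uses the cached access token, or the cached refresh token once it has expired.
            return Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes `
                -Silent -LoginHint $LoginHint -ErrorAction Stop
        }
        catch {
            # Typically MsalUiRequiredException on first run or after consent/password changes.
            Write-Verbose "Silent acquisition failed ($($_.Exception.GetType().Name)); falling back to interactive."
        }
    }

    # Interactive: browser sign-in; the result is added to the cache for later silent calls.
    Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes `
        -Interactive -LoginHint $LoginHint -RedirectUri 'http://localhost'
}

# First call prompts (cache is empty), later calls in the same session do not.
$token   = Get-YammerToken
$headers = @{ Authorization = "Bearer $($token.AccessToken)" }
$me = Invoke-RestMethod -Method Get -Uri 'https://www.yammer.com/api/v1/users/current.json' -Headers $headers
$me | Format-Table type, id, network_id, full_name, job_title, email

# Second acquisition is served from the cache (or refreshed silently) without a prompt.
$token2 = Get-YammerToken
"Cached token for $($token2.Account.Username) expires at $($token2.ExpiresOn)"
```

The cache here is process-scoped; a script that runs unattended across sessions would still need a persisted token cache, which this example does not configure.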

IpsitoDutta commented 2 years ago

Closing issue. See the comments on https://github.com/AzureAD/MSAL.PS/issues/18