Status: Closed (jiasli closed this issue 7 months ago)
This is by design @jiasli - the token issuer (AAD) has this behavior to reduce the communication steps with the client.
This is also one of the reasons why we strongly recommend each app (e.g. Azure CLI) to be mapped to a single AAD app registration, and not to have 1 app registration for many apps.
Also, there is really nothing the client-side can do here, based on this OAuth2 quote.
> The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted.

For reference, the behavior of ESTS in regards to scopes and Conditional Access (CA) is:

For example: you request “User.ReadWrite.All” and Entra enforces CA for that scope. But there are other scopes, like AuditLog.Read.All, that are preauthorized and no CA policies apply to them, so you get those back as well.
This could be the designed behavior of the underlying API. I am only creating this issue for tracking and clarification purpose. Feel free to close it.
**Describe the bug**
All preauthorized permissions are returned regardless of the requested `scopes`.

**To Reproduce**
Steps to reproduce the behavior:

1. Create a `PublicClientApplication` with Azure CLI's client ID `04b07795-8ddb-461a-bbee-02f9e1bf7b46`.
2. Call `acquire_token_interactive` with `scopes` as `['https://graph.microsoft.com/User.ReadWrite.All']`. The Azure CLI command is https://github.com/Azure/azure-cli/blob/b00483c1a1cd17053af5c483f62b11c829f4c27d/src/azure-cli-core/azure/cli/core/auth/identity.py#L160-L166
3. See the `scope` property of the `result` be `'email openid profile https://graph.microsoft.com/AuditLog.Read.All https://graph.microsoft.com/Directory.AccessAsUser.All https://graph.microsoft.com/Group.ReadWrite.All https://graph.microsoft.com/User.ReadWrite.All'`.

**Expected behavior**
Only requested `scopes` are returned, in such case `https://graph.microsoft.com/User.ReadWrite.All`.

**What you see instead**
All preauthorized permissions are returned.

**The MSAL Python version you are using**
1.26.0

**Additional context**
Add any other context about the problem here.
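The practical consequence of the thread above is that a client cannot narrow a token by asking for fewer scopes; what it can do is read the `scope` response parameter (RFC 6749 section 3.3) and act on the difference. The following is an added example written for this page, not code from the issue author or from MSAL itself. It assumes the token response is the plain dict that MSAL's `acquire_token_*` methods return; the sample response is constructed from the `scope` string quoted in the issue, with a placeholder access token. It generalizes beyond the issue's single case by also handling the response where `scope` is absent, which per the RFC means the request was granted as asked.

```python
"""Client-side check of which scopes an OAuth2 token response actually grants.

RFC 6749 section 3.3 lets the authorization server widen or narrow the scope
and requires it to report the actual scope in the "scope" response parameter
whenever it differs from the request. A client that enforces least privilege
on its own side should therefore (a) confirm every scope it needs is present
and (b) know when the token carries more than it asked for, so the token is
handled with that larger blast radius in mind (logging, storage, lifetime).
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample (not a real token response): the dict shape MSAL returns,
# with the "scope" value reported in the issue above and a placeholder token.
SAMPLE_RESULT = {
    "token_type": "Bearer",
    "scope": (
        "email openid profile "
        "https://graph.microsoft.com/AuditLog.Read.All "
        "https://graph.microsoft.com/Directory.AccessAsUser.All "
        "https://graph.microsoft.com/Group.ReadWrite.All "
        "https://graph.microsoft.com/User.ReadWrite.All"
    ),
    "access_token": "<placeholder-access-token>",
}

# OpenID Connect scopes the identity platform adds on its own; they describe
# identity claims, not resource permissions, so they are not counted as "extra".
OIDC_SCOPES = frozenset({"openid", "profile", "email", "offline_access"})


def parse_scope(scope_value: str) -> set[str]:
    """Split the space-delimited scope string defined in RFC 6749 section 3.3."""
    return set(scope_value.split())


def check_granted_scopes(result: dict, requested: Iterable[str]) -> dict:
    """Compare the scopes a client requested with those the server granted.

    Returns a dict with three sets:
      granted - every scope the token carries
      missing - requested scopes the server did not grant (calls will fail
                with 403, or CA was not satisfied for that scope)
      extra   - granted resource scopes the client never asked for (the
                preauthorized permissions described in the issue)
    Scope values are compared exactly; RFC 6749 defines them as case-sensitive.
    """
    wanted = set(requested)
    if "scope" in result:
        granted = parse_scope(result["scope"])
    else:
        # The server only MUST send "scope" when it differs from the request,
        # so an absent parameter means "granted exactly as requested".
        granted = set(wanted)
    return {
        "granted": granted,
        "missing": wanted - granted,
        "extra": granted - wanted - OIDC_SCOPES,
    }


def require_scopes(result: dict, requested: Iterable[str]) -> set[str]:
    """Fail closed if any requested scope is missing; return the extra scopes.

    The caller decides what to do with the extras (at minimum, log them so a
    token that is broader than intended is visible in audit trails).
    """
    report = check_granted_scopes(result, requested)
    if report["missing"]:
        raise PermissionError(
            "token lacks required scopes: " + " ".join(sorted(report["missing"]))
        )
    return report["extra"]


if __name__ == "__main__":
    # Usage: the single scope the issue requested, checked against the
    # constructed response above.
    wanted = ["https://graph.microsoft.com/User.ReadWrite.All"]
    extras = require_scopes(SAMPLE_RESULT, wanted)
    for scope in sorted(extras):
        print("token carries an unrequested permission:", scope)
```

In a real client the `result` would come from `PublicClientApplication.acquire_token_interactive(scopes=...)`; the check is the same, and the useful part is not the `missing` set (MSAL surfaces real failures as `error` entries) but the `extra` set, which tells you the token you are about to cache and send carries every preauthorized permission of that app registration, which is the reason the maintainer's comment recommends one app registration per application.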