MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure AD token endpoint doesn't respect tenant applications. Other ADB2C tenants' application client IDs and secrets also work. #106840

Closed kimmokosunen closed 1 year ago

kimmokosunen commented 1 year ago


When using this endpoint with Azure ADB2C client IDs and secrets to request a client credentials token, our other ADB2C tenants' client IDs and secrets work also. So we can have tokens specific to another tenant using that other tenant's application IDs and secrets. My expectation was that only client IDs and secrets configured for that specific tenant are accepted.

```http
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
// Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
```

Related documentation https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow



AjayBathini-MSFT commented 1 year ago

@kimmokosunen Thanks for your feedback! We will investigate and update as appropriate.

AjayBathini-MSFT commented 1 year ago

Hi @kimmokosunen When using the Azure AD B2C client credentials flow to request access tokens for an application, it is expected that only the client ID and secret configured for that specific tenant will be accepted. This means that tokens obtained using a client ID and secret from one tenant should not be valid for use with applications registered in a different tenant.

However, it is possible that the same client ID and secret may have been accidentally or intentionally registered in multiple Azure AD B2C tenants. If this is the case, then it is possible that the client credentials flow will work with all of those tenants. It is important to ensure that each client ID and secret pair is only registered in the appropriate Azure AD B2C tenant and not shared across multiple tenants. This will help ensure that access to resources is properly secured and that there is no unauthorized access to data. It is also important to note that the client credentials flow is typically used for server-to-server authentication scenarios, where the application itself is the resource being protected. It is not intended for use in scenarios where end-users need to authenticate and authorize access to resources. For those scenarios, you should consider using other OAuth 2.0 or OpenID Connect flows, such as the authorization code flow or the implicit flow.

If there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.

kimmokosunen commented 1 year ago

Hi AjayBathini-MSFT

We are not sharing secrets or client IDs between environments, but this now seems to relate to this setting within applications.

https://learn.microsoft.com/en-us/azure/active-directory/develop/supported-accounts-validation

"signInAudience": "AzureADandPersonalMicrosoftAccount"

I changed this for one application to "AzureADandPersonalMicrosoftAccount" because the new Azure ADB2C client credentials endpoint didn't work with "AzureADMyOrg", see this post.

https://stackoverflow.com/questions/73408144/azure-b2c-client-credentials-flow-throws-invalid-grant-aadb2c90085

I can't reproduce this problem anymore, so maybe it has been fixed and the new Azure ADB2C client credentials also work with the signInAudience setting "AzureADMyOrg".

But, if I change both the application and the application offering the API (scope) to "signInAudience": "AzureADandPersonalMicrosoftAccount", then I am able to use those credentials from other tenants' token endpoints also and receive a token. Not sure if that is a valid configuration and/or correct behavior, but for me this seems really odd, as I can get tokens for other tenants with my application credentials.

But as it seems that the problem above is fixed, I can use the setting "AzureADMyOrg" in both applications and still use the new ADB2C client credentials, so there should not be a risk that the credentials are usable from other token endpoints.

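The thread's concern is that a multi-tenant `signInAudience` lets the same client credentials obtain a token from another tenant's `/oauth2/v2.0/token` endpoint. The defensive check an API should make regardless of that setting is shown below as an added example (not code from the issue or from Microsoft): after a JWT library has verified the token signature, reject any token whose `tid`, `iss` and `aud` claims do not match the tenant and app the API expects. The issuer format assumes the `login.microsoftonline.com` endpoint from the request in the issue; B2C custom domains use a different issuer string, so take the expected issuer from the tenant's OpenID metadata in practice. All IDs below are constructed placeholders.

```python
import time

# Azure AD v2.0 issuer format for the login.microsoftonline.com endpoint
# (assumption; read the real value from the tenant's OpenID metadata document).
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


def check_token_tenant(claims, expected_tid, expected_aud, now=None):
    """Return (True, "ok") when signature-verified claims belong to our tenant
    and our API, otherwise (False, reason). Signature verification itself is
    assumed to have been done by a JWT library before this function is called."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if tid != expected_tid:
        # A token minted at another tenant's token endpoint carries that tenant's tid.
        return False, f"tenant mismatch: tid={tid!r}"
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=expected_tid):
        return False, f"issuer mismatch: iss={claims.get('iss')!r}"
    if claims.get("aud") != expected_aud:
        return False, f"audience mismatch: aud={claims.get('aud')!r}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed placeholder IDs (not real tenants or app registrations).
OUR_TID = "11111111-1111-1111-1111-111111111111"
OTHER_TID = "22222222-2222-2222-2222-222222222222"
API_APP_ID = "33333333-3333-3333-3333-333333333333"
FIXED_NOW = 1_700_000_000  # fixed clock so the sample is deterministic

# Token issued by our own tenant's endpoint for our API.
GOOD_TOKEN = {"tid": OUR_TID, "iss": ISSUER_TEMPLATE.format(tid=OUR_TID),
              "aud": API_APP_ID, "exp": FIXED_NOW + 3600}

# Constructed claims for the case described in the issue: the same client
# credentials presented to another tenant's endpoint yield a token whose
# tid and iss name that other tenant, even though aud still names our API.
CROSS_TENANT_TOKEN = {"tid": OTHER_TID, "iss": ISSUER_TEMPLATE.format(tid=OTHER_TID),
                      "aud": API_APP_ID, "exp": FIXED_NOW + 3600}


if __name__ == "__main__":
    for name, tok in (("own tenant", GOOD_TOKEN), ("other tenant", CROSS_TENANT_TOKEN)):
        print(name, check_token_tenant(tok, OUR_TID, API_APP_ID, now=FIXED_NOW))
```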

AjayBathini-MSFT commented 1 year ago

Hi @kimmokosunen

Thank you for your feedback! For clarification of your query, you can follow up with the teams below. They can assist you end-to-end.

I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds: [Teams Q&A forum](https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows, and the [Microsoft Teams Community forum](https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1). Thank you for your time and patience throughout this issue.