This repository was archived by the owner on May 3, 2024. It is now read-only.

The scope 'api://GUID_of_the_server_app_reg/access_graph_on_behalf_of_user' is not registered to the client side app registration in Azure (msal-react-spa | API permissions). #284

@jranxb70

Description


Issue

Please provide us with the following information:

This issue is for the sample

    - [ ] 1-1) Sign-in with Azure AD
    - [ ] 1-2) Sign-in with Azure AD B2C
    - [ ] 2-1) Acquire a Token and call Microsoft Graph
    - [ ] 3-1) Protect and call a web API on Azure AD
    - [ ] 3-2) Protect and call a web API on Azure AD B2C
    - [ ] 4-1) Deploy to Azure Storage and App Service
    - [ ] 4-2) Deploy to Azure Static App Service
    - [ ] 5-1) Call a web API using App Roles
    - [ ] 5-2) Call a web API using Security Groups
    - [x] 6-1) Call Microsoft Graph using on-behalf-of flow
    - [ ] 6-3) Call a web API using Conditional Access Auth Context
    - [ ] 6-4) Sign-in with Hybrid SPA flow

This issue is for a

    - [x] bug report -> please search issues before submitting
    - [ ] question
    - [ ] feature request
    - [ ] documentation issue or request

Minimal steps to reproduce

  1. Use the Configure.ps1 script from the AppCreationScripts folder,
     e.g. PS C:\Users\jonne\source\repos\ms-identity-javascript-react-tutorial\6-AdvancedScenarios\1-call-api-obo\AppCreationScripts> .\Configure.ps1 -TenantId "your-tenant-id"
  2. The script will succeed but with some errors.
  3. The client app registration is missing the scope of the server's app registration.
  4. When the client and the server are started and a user tries to log in, the user sign-in fails. There will be a notification of it in the MSAL logging messages. The user is not logged in and the application shows a front page similar to the one before the failed login attempt.

Any log messages given by the failure

I'm not sure if this is related, but there was one failure after the script was activated:

```text
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
Connecting to Microsoft Graph
Get-MgUser : Unsupported or invalid query filter clause specified for property 'userPrincipalName' of resource 'User'.
At C:\Users\user\source\repos\ms-identity-javascript-react-tutorial\6-AdvancedScenarios\1-call-api-obo\AppCreationScripts\Configure.ps1:251 char:57
+ ... ser = Get-MgUser -Filter "UserPrincipalName eq '$($context.Account)'"
+                                                   ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ConsistencyLe...ndProperty = }:<>f__AnonymousType628) [Get-MgUser_List1], RestException1
    + FullyQualifiedErrorId : Request_UnsupportedQuery,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List1
```

And soon after that another one:

```text
Creating the AAD application (msal-node-api)
Done creating the service application (msal-node-api)
Getting access from 'service' to 'Microsoft Graph'
Added 'Microsoft Graph' to the RRA list.
Granted permissions.
Successfully registered and configured that app registration for 'msal-node-api' at
https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/22222222-ffff-1111-ZZZZ-XXXXXXXXXXXX/isMSAApp~/false
Creating the AAD application (msal-react-spa)
Done creating the client application (msal-react-spa)
Getting access from 'client' to 'service'
Added 'service' to the RRA list.
Update-MgApplication : Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'.
At C:\Users\user\source\repos\ms-identity-javascript-react-tutorial\6-AdvancedScenarios\1-call-api-obo\AppCreationScripts\Configure.ps1:434 char:5
+     Update-MgApplication -ApplicationId $currentAppObjectId -Required ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ApplicationId...hApplication1 }:<>f__AnonymousType02) [Update-MgApplication_UpdateExpanded1], RestException1
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgApplication_UpdateExpanded1
Granted permissions.
Successfully registered and configured that app registration for 'msal-react-spa' at
```

Expected/desired behavior

The client is able to obtain an access token successfully and sign in to the client

Library version

Browser and version

Chrome, Edge, Firefox, Safari? Irrelevant

Mention any other details that might be useful

Thanks! We'll be in touch soon.
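A check for the missing API permission described in this report, added here as an example and not part of the tutorial's own AppCreationScripts: it reads both app registrations with Microsoft Graph PowerShell, confirms that the client's requiredResourceAccess contains the server's delegated scope, and adds that scope when it is absent while keeping every other entry (such as Microsoft Graph) intact. The display names msal-node-api and msal-react-spa, the scope name access_graph_on_behalf_of_user, and an existing Connect-MgGraph session with Application.ReadWrite.All are assumptions.

```powershell
# Added example (not from the tutorial repo): verify and repair the client app
# registration's API permission for the server app's delegated scope.
# Assumes: Microsoft.Graph module installed and already connected with
#   Connect-MgGraph -Scopes "Application.ReadWrite.All"
param(
    [string]$ServiceAppName = 'msal-node-api',              # assumed display name
    [string]$ClientAppName  = 'msal-react-spa',             # assumed display name
    [string]$ScopeName      = 'access_graph_on_behalf_of_user'  # assumed scope
)

$service = Get-MgApplication -Filter "displayName eq '$ServiceAppName'" | Select-Object -First 1
$client  = Get-MgApplication -Filter "displayName eq '$ClientAppName'"  | Select-Object -First 1
if (-not $service -or -not $client) { throw "Could not find both app registrations." }

# The SPA requests 'api://<service appId>/<scope>'; the permission id it must
# reference is the oauth2PermissionScopes entry exposed by the service app.
$scope = $service.Api.Oauth2PermissionScopes | Where-Object { $_.Value -eq $ScopeName }
if (-not $scope) { throw "Service app '$ServiceAppName' does not expose scope '$ScopeName'." }

# The failing Update-MgApplication call in the log rejected 'resourceAppId';
# refuse to send an empty or non-GUID value rather than let Graph reject it.
if (-not ($service.AppId -as [guid])) { throw "Service appId '$($service.AppId)' is not a GUID." }

$existing = $client.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $service.AppId }
$alreadyGranted = $existing -and ($existing.ResourceAccess.Id -contains $scope.Id)

if ($alreadyGranted) {
    Write-Host "Client already requests api://$($service.AppId)/$ScopeName"
    return
}

# Rebuild the full requiredResourceAccess list as hashtables: keep unrelated
# resources, merge any scopes already requested from the service, add ours.
$rra = @($client.RequiredResourceAccess |
    Where-Object { $_.ResourceAppId -ne $service.AppId } |
    ForEach-Object {
        @{ ResourceAppId = $_.ResourceAppId
           ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } }) }
    })
$serviceAccess = @()
if ($existing) { $serviceAccess += $existing.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } } }
$serviceAccess += @{ Id = $scope.Id; Type = 'Scope' }
$rra += @{ ResourceAppId = $service.AppId; ResourceAccess = $serviceAccess }

Update-MgApplication -ApplicationId $client.Id -RequiredResourceAccess $rra
Write-Host "Added api://$($service.AppId)/$ScopeName to '$ClientAppName' (API permissions)."
```

After this the permission still needs admin or user consent before the SPA's token request for the scope will succeed; the script only restores the configured API permission that the report found missing.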
