microsoftgraph · peombwa · Jul 12, 2021 · Jun 29, 2021 · Jul 8, 2021 · Jul 12, 2021
@@ -49,7 +49,7 @@ public static async Task<IAuthContext> AuthenticateAsync(IAuthContext authContex
                         {
                             authContext.AuthProviderType = AuthProviderType.DeviceCodeProviderFallBack;
                             fallBackWarning?.Invoke();
-                            var fallBackAuthContext= await AuthenticateAsync(authContext, forceRefresh, cancellationToken, fallBackWarning);
+                            var fallBackAuthContext = await AuthenticateAsync(authContext, forceRefresh, cancellationToken, fallBackWarning);
                             return fallBackAuthContext;
                         }
                         break;
@@ -111,12 +111,23 @@ public static async Task<IAuthContext> AuthenticateAsync(IAuthContext authContex
                     }
                     return fallBackAuthContext;
                 }
-                // DeviceCode Authentication Failure: Timeout
+
                 if (authEx.InnerException is TaskCanceledException && cancellationToken.IsCancellationRequested)
                 {
-                    // DeviceCodeTimeout
+                    // Authentication requets timeout.
                     throw new Exception(string.Format(CultureInfo.CurrentCulture, ErrorConstants.Message.DeviceCodeTimeout, Constants.MaxDeviceCodeTimeOut));
                 }
+                else if (authEx.InnerException is MsalServiceException msalServiceEx
+                      && msalServiceEx.StatusCode == 400
+                      && msalServiceEx.ErrorCode == "invalid_scope"
+                      && string.IsNullOrWhiteSpace(authContext.TenantId)
+                      && (authContext.AuthProviderType == AuthProviderType.DeviceCodeProvider
+                      || authContext.AuthProviderType == AuthProviderType.DeviceCodeProviderFallBack))
+                {
+                    // MSAL scope validation error. Ask customer to specify sign-in audience or tenant Id.
+                    throw new MsalClientException(msalServiceEx.ErrorCode, $"{msalServiceEx.Message}.\r\n{ErrorConstants.Message.InvalidScope}", msalServiceEx);
+                }
+
                 //Something Unknown Went Wrong
                 throw authEx.InnerException ?? authEx;
             }

@@ -22,6 +22,7 @@ public static class Message
         {
             public const string MissingAuthContext = "Authentication needed, call Connect-MgGraph.";
             internal const string InvalidJWT = "Invalid JWT access token.";
+            internal const string InvalidScope = "Please retry by specifying a sign-in -Audience or -TenantId to Connect-MgGraph. e.g., Connect-MgGraph -Audience 'organizations' -Scopes 'YOUR_SCOPES' -UseDeviceAuthentication.";
             internal const string NullOrEmptyParameter = "Parameter '{0}' cannot be null or empty.";
             internal const string MacKeyChainFailed = "{0} failed with result code {1}.";
             internal const string DeviceCodeTimeout = "Device code terminal timed-out after {0} seconds. Please try again.";

@@ -69,7 +69,9 @@ public class ConnectMgGraph : PSCmdlet, IModuleAssemblyInitializer, IModuleAssem
         [Parameter(ParameterSetName = Constants.AppParameterSet)]
         [Parameter(ParameterSetName = Constants.UserParameterSet,
             Position = 4,
-            HelpMessage = "The id of the tenant to connect to.")]
+            HelpMessage = "The id of the tenant to connect to. You can also use this parameter to specify your sign-in audience. i.e., common, organizations, or consumers. " +
+            "See https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration#authority.")]
+        [Alias("Audience")]
         public string TenantId { get; set; }
 
         [Parameter(ParameterSetName = Constants.AppParameterSet)]