Msal-Angular v1 - acquireTokenPopup/LoginPopup returns an Access Token with Insufficient Privileges even after granting admin consent
We are receiving an invalid accessToken with empty scopes on the first grant of admin consent. If the user retries again - we call the acquireTokenPopup and the accessToken becomes valid.
Reproduction Steps
Step 1: Admin clicks the log in button (loginPopup)
Step 2: MS prompts login and admin consent page (We need User.Read.All)
Step 3: We call acquireTokenSilent() to acquire for Access Token as the AuthenticationProvider of our Graph Client
Step 4: Graph API /users request returns 403 - insufficient permission
Core Library: @azure/msal or msal
Core Library Version: 1.4.8
Wrapper Library: @azure/msal-angular
Wrapper Library Version: 1.1.2
Angular: 7
I've created a GitHub Issue ticket here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3524
When you add permissions to the application, you must grant the tenant-wide administrator consent for the application. However, there will be a short delay whether it is granting the administrator consent in the Azure portal or using the administrator consent URL.
If you request an access token immediately after obtaining the administrator’s consent, it may cause the token to lack permissions. In this case, you only need to refresh, and then try to obtain the token again.
In addition, you must ensure that the token is obtained after the administrator consent, otherwise the original token will still not contain the new permissions.
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions
- Unattended authentication using Azure Active Directory- UserCredential not accepting username and password
- The type or namespace name 'Storage' does not exist in the namespace 'Microsoft.WindowsAzure'
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Why does my Azure App service have a very slow reponse from an endpoint?
- Creating multiple function apps with one Flex Consumption plan
- ASP.NET Core Authorization with Microsoft Entra ID
- How to get client IP address in Azure Functions C#?
- What is the difference between Azure VNET integration and VNET injection?
- unable to StartCopyFromUriAsync a blob between 2 storage accounts
- MSgraph cannot find string in attachment value using Azure Automation
- Visual Studio 2022 caches old tenant id, can't get rid of it
- Msgraph-sdk-python get sharepoint site id from name
- using multiple storage accounts locally using azurite at the same time
- Adding Graph API application permission via Terraform shows corrupted IDs instead of scope names
- Azure DevOps Wiki page usage analytics
- How to fix worker runtime metadata for Azure .net8 isolated worker model functions?
- Download attachment content using Microsoft Graph API using Java
- Is it possible to assign a Power BI Pro License to an Azure Service Principal? Deploy .bim in PBI Service without Premium Workspace