Tags: azure, react-native, azure-active-directory, access-token

How do Azure AD scopes, permissions and tokens work when exposing an API?


I am currently working on a React Native app that uses Azure as the backend, and I am having trouble calling an API in an Azure Logic App that requires a custom scope. We have this scope in "AppRegistration/Expose an API". (screenshot: Expose an API)

In the mobile app I ask for the scopes "openid", "profile", "email" and "offline_access". I need to call Microsoft Graph for user information. This is no problem, as we added the required permission (User.ReadWrite.All) in AppRegistration/permissions.

  • I can call what I need
  • I get refresh token which I need

But I cannot call our API due to an invalid token (HTTP 401).

So the question is: how do I properly set up permissions and scopes in the AppRegistration?

What I have tried:

  • adding the required scope to the mobile application

    • this causes my other scopes to "disappear": in my decoded token I can see only this scope.
    • Additionally, I don't receive a valid refresh token, and I cannot call Microsoft Graph with the access token I get.
  • not adding the scope to the mobile app, but adding the permission for the custom API under permissions. (screenshot: permissions)

    • this way I still couldn't call the custom API

I really don't understand why the scopes I ask for from the mobile app are ignored, and why the permissions from the AppRegistration are not working either when I ask for the custom scope from "Expose an API".


Solution

  • As Tiny Wang said, I have to obtain 2 pairs of tokens. One for each API resource.
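To make the "one token per resource" point concrete, here is an added example (not code from the poster, the answerer or Microsoft) that splits a flat scope list into the separate per-resource token requests and inspects a token's `aud`/`scp` claims to see why a Graph token is rejected by the custom API. The app id `00000000-0000-0000-0000-000000000000`, the scope name `access_as_user` and the sample tokens are constructed placeholders, and the decoding is diagnostic only, with no signature verification.

```javascript
const OIDC_SCOPES = ["openid", "profile", "email", "offline_access"];
// Audience values Azure AD uses for Microsoft Graph access tokens.
const GRAPH_AUD = ["https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"];
const CUSTOM_APP_ID = "00000000-0000-0000-0000-000000000000"; // placeholder, not a real app id

// Split one flat scope list into per-resource token requests. Azure AD v2.0 issues one
// access token per resource (audience), so Graph scopes and "api://<app-id>/..." scopes
// must be acquired separately; OIDC scopes ride along with each request.
function splitScopesByResource(scopes) {
  const graph = [];
  const byApi = {};
  for (const s of scopes) {
    if (OIDC_SCOPES.includes(s)) continue;
    if (s.startsWith("api://")) {
      const appId = s.slice("api://".length).split("/")[0];
      (byApi[appId] = byApi[appId] || []).push(s);
    } else {
      graph.push(s);
    }
  }
  const requests = [];
  if (graph.length) requests.push({ resource: "graph", scopes: [...OIDC_SCOPES, ...graph] });
  for (const [appId, list] of Object.entries(byApi)) {
    requests.push({ resource: `api://${appId}`, scopes: [...OIDC_SCOPES, ...list] });
  }
  return requests;
}

// Decode a JWT payload for diagnosis only: no signature check, so never trust the
// result for authorization; the API must validate the signature itself.
function decodePayload(jwt) {
  return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
}

// Would a resource expecting one of `audiences` and `requiredScope` accept this token?
// A Graph-audience token sent to the custom API fails here, which is the 401 in the question.
function tokenFitsResource(jwt, audiences, requiredScope) {
  const p = decodePayload(jwt);
  return audiences.includes(p.aud) && (p.scp || "").split(" ").includes(requiredScope);
}

// Constructed sample tokens (unsigned, claims only) standing in for real Azure AD tokens.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}
const graphToken = fakeJwt({ aud: GRAPH_AUD[0], scp: "User.ReadWrite.All" });
const apiToken = fakeJwt({ aud: `api://${CUSTOM_APP_ID}`, scp: "access_as_user" });
```

With MSAL this corresponds to one acquireToken call per entry returned by `splitScopesByResource`, each yielding its own access token (and the refresh token is shared across them).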