MSAL.js acquireTokenSilent API fails with error AADSTS70011 when logging in from a microsoft personal account

Question

I have registered an application with "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)" and trying to login with a personal account using msal.js. The code is as following

this.$msalInstance
        .loginPopup({scopes: ['user.read']})
        .then(() => {
          const myAccounts = this.$msalInstance.getAllAccounts();
          this.account = myAccounts[0];
          const accessTokenRequest = {
            scopes: [`${this.msalConfig.auth.clientId}/.default`],
            account: this.account
          };
          this.$msalInstance
            .acquireTokenSilent(accessTokenRequest)
            .then(function(accessTokenResponse) {
              // Acquire token silent success
              let accessToken = accessTokenResponse.accessToken;
              }

The configuration is defined as below

msalConfig: {
  auth: {
    clientId: "1236664d-751d-4a0a-9a3d-13c332cb7e9b",
    authority: "https://login.microsoftonline.com/common",
    redirectUri: "http://localhost:8080/app/login", 
    postLogoutRedirectUri: "/" 
  },
  cache: {
    cacheLocation: "localStorage"
  }

The "loginPopup" call succeeds, but the "acquireTokenSilent" fails with the below error

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope '1236664d-751d-4a0a-9a3d-13c332cb7e9b/.default openid profile offline_access' is not valid - it refers to a resource which is not listed in the client's Required Resource Access and for which the user does not have any existing consent.

The error occurs only for personal account. It works with user from same or different organizations active directory.

Can someone give an idea on this error?

Answer 1

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope 'xxx/.default openid profile offline_access' is not valid - it refers to a resource which is not listed in the client's Required Resource Access and for which the user does not have any existing consent.

The error usually occurs if the scope is not properly configured in the Application and is passing the invalid scope to authorize.

• Make sure that the resources/scopes you are trying to pass is added in the Client application.

I got the same error when I tried to authorize users like below:

For sample, I used the below endpoint:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://xxxx/.default openid profile offline_access
&state=12345

To resolve the error, make sure to add the scope in the Application like below:

In the ServerrukApp, I exposed the API and added scope:

Make sure to add the ServerrukApp custom scope in the ClientrukApp API permission blade like below:

When I tried to sign-in with Microsoft Personal Account, it is successful:

If still issue persists, check the below:

Make sure the ClientrukApp API permission blade looks like this:

Otherwise, In the ServerrukApp, add the client application as authorized like below:

Make sure you have used common endpoint in all the code config files.