How to get authorized in Microsoft AD using curl?

I have a django project which uses Azure Active directory for the authentication and I have set up its API using rest_framework. At the moment, I am trying to access this API using curl. I am able to generate an access token, but when I send a request using it, I get the Microsoft Login Page, as if I do not have any access token.

I generated an access token using the following code:

curl -X POST{tenant_id}/oauth2/v2.0/token -H "Content-Type: application/x-www-form-urlencoded" -d "client_id={client_id}" -d "client_secret={client_secret}" -d "grant_type=client_credentials" -d "redirect_uri=https://{my_domain}/oauth2/callback" -d "scope=api://{client_id}/.default openid profile email" 

Then, using the jwt token that I recieved, I did:

curl -X GET -L https://<my_domain>/api/benches/1/status/ -H "Authorization: Bearer <token>"

And what I get, is the Microsoft login page, which its first few lines look like this:

<!-- Copyright (C) Microsoft Corporation. All rights reserved. -->
<!DOCTYPE html>
<html dir="ltr" class="" lang="en">
    <title>Sign in to your account</title>

Also, the result of the -v (verbose) looks like this:

Note: Unnecessary use of -X or --request, GET is already inferred.
* Host <my_domain>:443 was resolved.
* IPv6: (none)
* IPv4: ip
*   Trying ip:443...
* Connected to <my_domain> (ip) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET /api/benches/1/status/ HTTP/1.1
> Host: <my_domain>
> User-Agent: curl/8.7.1
> Accept: */*
> Authorization: Bearer <token>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 302 Found
< Server: nginx/1.14.1
< Date: Wed, 17 Jul 2024 16:08:34 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Location: /oauth2/login?next=/api/benches/1/status/
< X-Frame-Options: DENY
< Vary: Cookie
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
* Request completely sent off
* Connection #0 to host <my_domain> left intact

Also, I am doing this for my organization, is it possible that there is a missing permission that I might need in my Azure application?

Here is my Django for my REST configuration:

from pathlib import Path

import os
from dotenv import load_dotenv

BASE_DIR = Path(__file__).resolve().parent.parent

SECRET_KEY = os.getenv('SECRET_KEY')

DEBUG = True

ALLOWED_HOSTS = ['my_domain']


ROOT_URLCONF = "core.urls"

        "BACKEND": "django.template.backends.django.DjangoTemplates",
        'DIRS': [
            BASE_DIR / 'static/templates',
        "APP_DIRS": True,
        "OPTIONS": {
            "context_processors": [

WSGI_APPLICATION = "core.wsgi.application"

    "default": {
        "ENGINE": "django.db.backends.sqlite3",
        "NAME": BASE_DIR / "db.sqlite3",

        "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
        "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
        "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",

USE_I18N = True

USE_TZ = True

STATIC_URL = '/static/'
MEDIA_URL = '/media/'


STATIC_ROOT = '/root/to/static'

    BASE_DIR / 'static',

DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

LOGIN_URL = 'django_auth_adfs:login'
LOGOUT_URL = 'django_auth_adfs:logout'
LOGIN_REDIRECT_URL = 'https://my_domain/oauth2/callback'

client_id = os.getenv('client_id')
client_secret = os.getenv('client_secret')
tenant_id = os.getenv('tenant_id')

    'AUDIENCE': client_id,
    'CLIENT_ID': client_id,
    'CLIENT_SECRET': client_secret,
    'CLAIM_MAPPING': {'first_name': 'given_name',
                      'last_name': 'family_name',
                      'email': 'upn'
    'GROUPS_CLAIM': 'roles',
    'MIRROR_GROUPS': True,
    'USERNAME_CLAIM': 'email',
    'TENANT_ID': tenant_id,
    'RELYING_PARTY_ID': client_id,
        '^api',  # Assuming you API is available at /api



Here is a screenshot of my permissions blade. I am using Benches.Change.All which is under my application name.

enter image description here


  • Note that: Client credential flow does not support delegated permissions type. If you are making use of client credential flow to generate the token, then you need to grant application type Api permissions to the Microsoft Entra ID application.

    • As you have granted delegated API permissions to the Microsoft Entra ID application, you must generate token by using any user interaction flow not client credential flow.
    • Client credential flow is nonuser interactive.

    You are getting the error as you granted delegated API permissions and making use of client credential flow to generate the token.

    To resolve the error. generate the token using Authorization code flow and then call the API.

    I granted API permissions to the Application:

    enter image description here

    Configure redirect URL as web with' in the application. You can also pass your custom redirect url.

    Now generate the access token by selecting Authorization code flow:

    Grant type: Authorization code 
    Callback URL:
    Auth URL:
    Token URL :
    Client ID : ClientId
    Client Secret : ClientSecret
    Scope: api://ClientID/Benches.Change.All

    enter image description here

    And click on Generate access token and you will be redirected to browser to sign-in:

    enter image description here

    The access token will be generated:

    enter image description here

    Decode the access token in Welcome! and make sure the scp claim have value Benches.Change.All

    enter image description here

    Now use this access token to call the API and it will be successful without any error.