How to get v2 token

Question

How to get v2 token

Maria Dąbrowiecka 105

Hi team,

I'm trying to get the token based on the 'az login' I did manually in cmd before running the script:

class TokenProvider:
    def __init__(self):
        self.credential = AzureCliCredential()
        self.cached_token = None
        self.token_expires_at = 0

    def fetch_token(self, scope: str) -> AccessToken:
        current_time = time.time()
        if self.cached_token is None or current_time >= self.token_expires_at:
            token = self.credential.get_token(scope)
            self.cached_token = token.token
            self.token_expires_at = current_time + token.expires_on - 60
        return AccessToken(self.cached_token, self.token_expires_at)


self.token_provider = TokenProvider()
token = self.token_provider.fetch_token("https://management.azure.com/.default")
print(token.token)

but it looks like the token is V1 token. Is that correct? How can I obtain V2 token?

This is my az cli version:

az --version
azure-cli                         2.69.0

Akhilesh Vallamkonda 15,355 Reputation points Moderator

2025-05-28T16:04:29.8133333+00:00

Hi @Maria Dąbrowiecka
To get access token V 2.0 you need to create a resource app and set accessTokenAcceptedVersion in the App Manifest, in your Entra ID App Registration, go to the Manifest and ensure this line is present accessTokenAcceptedVersion: 2 which as shown in the below. post which you need to expose the API with the API permission

You need specify your resource app (Web API) as audience in the scope parameter while requesting token (For an example: scope=https://contosoApp.com/tasks.read ) as shown above, but if you use Microsoft web-hosted resources in the scope parameter such as Microsoft Graph: https://graph.microsoft.com / Microsoft SharePoint: https://microsoft.sharepoint-df.com etc.., then V2.0 version token doesn't support yet.

Hope this helps. If you still do not see enough information to isolate the issue, please let me know in the comment section.
Maria Dąbrowiecka 105 Reputation points

2025-05-29T08:43:54.09+00:00

Thanks a lot for your answer.
I forgot to add that I'd like to get the token for the individual user, not for the application. How can I get v2 token for the user but without interactive login (assumption is that user did az login)?
Anonymous

2025-05-30T00:45:28.22+00:00

Hi @Maria Dąbrowiecka

As per your query, if you would like to go with on behalf of a user you can follow this document for a better understanding: Get access on behalf of a user. This document will help you in understanding how on behalf of user authentication works for you with Oauth code flow. In this scenario application gets the token on behalf of user using authorization code. Since you would like to use Az login to retrieve the token, you have four authentication options as mentioned in this document: Sign into Azure with Azure CLI. Sign into Azure with Azure CLI If you would like to retrieve the token for user you need to interactive sign in from Az login. If you would like to retrieve a token in non-interactive or on behalf of you can use managed identity or service principal which is the best way to retrieve token when you are using script. Here are the documents for Sign in with a managed identity and Sign in using a service principal.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Maria Dąbrowiecka 105 Reputation points

2025-05-30T14:56:22.6866667+00:00

Hi Kancharla,

Thank you for providing me the docs. I read them all, however, they don't go into details about types of token the methods are providing (v1/v2).

My use case:
I'm a user and I did az login on my local computer (it was interactive login through the browser). Now that I'm logged in I would like to get token for my user. I did it using python code I pasted in my question. The result I got is the token of v1 type. The python code is using azure-identity lib which underneath calls az account get-access-token command.
I would like to understand if there's any way to get token of v2 for my user? If not, then why is v1 returned? You can provide az cli command to get v2 token (doesn't have to be python).

thanks a lot for helping me out,

Maria
Anonymous

2025-05-30T17:05:49.6633333+00:00

Hi @Maria Dąbrowiecka

Thanks for your response,

I have explained how you get an access token using Az login for a user. In order to get V2 token for your user, you need to use V2 endpoints of Entra. Here are the sample endpoints:

Authorization endpoint: https://login.microsoftonline.com/9329c02a-4050-4798-************/oauth2/v2.0/authorize

Access token endpoint: https://login.microsoftonline.com/9329c02a-4050-4798-*********/oauth2/v2.0/token

You can use above access token endpoint to retrieve V2.0 token for your user. In place 9329c, you need to replace it with your tenant ID.

I hope this information is helpful. Please feel free to reach out if you have any further questions. If this does not help you, kindly check your private message and respond accordingly.

Answer accepted by question author

1 additional answer

Your answer

Akhilesh Vallamkonda 15,355 Reputation points Moderator

2025-05-28T16:04:29.8133333+00:00

Hi @Maria Dąbrowiecka
To get access token V 2.0 you need to create a resource app and set accessTokenAcceptedVersion in the App Manifest, in your Entra ID App Registration, go to the Manifest and ensure this line is present accessTokenAcceptedVersion: 2 which as shown in the below. post which you need to expose the API with the API permission

You need specify your resource app (Web API) as audience in the scope parameter while requesting token (For an example: scope=https://contosoApp.com/tasks.read ) as shown above, but if you use Microsoft web-hosted resources in the scope parameter such as Microsoft Graph: https://graph.microsoft.com / Microsoft SharePoint: https://microsoft.sharepoint-df.com etc.., then V2.0 version token doesn't support yet.

Hope this helps. If you still do not see enough information to isolate the issue, please let me know in the comment section.
Maria Dąbrowiecka 105 Reputation points

2025-05-29T08:43:54.09+00:00

Thanks a lot for your answer.
I forgot to add that I'd like to get the token for the individual user, not for the application. How can I get v2 token for the user but without interactive login (assumption is that user did az login)?
Anonymous

2025-05-30T00:45:28.22+00:00

Hi @Maria Dąbrowiecka

As per your query, if you would like to go with on behalf of a user you can follow this document for a better understanding: Get access on behalf of a user. This document will help you in understanding how on behalf of user authentication works for you with Oauth code flow. In this scenario application gets the token on behalf of user using authorization code. Since you would like to use Az login to retrieve the token, you have four authentication options as mentioned in this document: Sign into Azure with Azure CLI. Sign into Azure with Azure CLI If you would like to retrieve the token for user you need to interactive sign in from Az login. If you would like to retrieve a token in non-interactive or on behalf of you can use managed identity or service principal which is the best way to retrieve token when you are using script. Here are the documents for Sign in with a managed identity and Sign in using a service principal.

I hope this information is helpful. Please feel free to reach out if you have any further questions.
Maria Dąbrowiecka 105 Reputation points

2025-05-30T14:56:22.6866667+00:00

Hi Kancharla,

Thank you for providing me the docs. I read them all, however, they don't go into details about types of token the methods are providing (v1/v2).

My use case:
I'm a user and I did az login on my local computer (it was interactive login through the browser). Now that I'm logged in I would like to get token for my user. I did it using python code I pasted in my question. The result I got is the token of v1 type. The python code is using azure-identity lib which underneath calls az account get-access-token command.
I would like to understand if there's any way to get token of v2 for my user? If not, then why is v1 returned? You can provide az cli command to get v2 token (doesn't have to be python).

thanks a lot for helping me out,

Maria
Anonymous

2025-05-30T17:05:49.6633333+00:00

Hi @Maria Dąbrowiecka

Thanks for your response,

I have explained how you get an access token using Az login for a user. In order to get V2 token for your user, you need to use V2 endpoints of Entra. Here are the sample endpoints:

Authorization endpoint: https://login.microsoftonline.com/9329c02a-4050-4798-************/oauth2/v2.0/authorize

Access token endpoint: https://login.microsoftonline.com/9329c02a-4050-4798-*********/oauth2/v2.0/token

You can use above access token endpoint to retrieve V2.0 token for your user. In place 9329c, you need to replace it with your tenant ID.

I hope this information is helpful. Please feel free to reach out if you have any further questions. If this does not help you, kindly check your private message and respond accordingly.

Answer 1

Hello Maria Dąbrowiecka, Sorry for the delayed response.

I did az login and generated access token using python code for custom API without interaction again:


import subprocess

import json

import time

from azure.core.credentials import AccessToken

class TokenProvider:

    def __init__(self):

        self.cached_token = None

        self.token_expires_at = 0

    def fetch_token(self, scope: str) -> AccessToken:

        current_time = time.time()

        if self.cached_token is None or current_time >= self.token_expires_at:

            cmd = [

                "az.cmd", "account", "get-access-token",

                "--scope", scope,

                "--output", "json"

            ]

            result = subprocess.run(cmd, stdout=subprocess.PIPE, check=True)

            token_data = json.loads(result.stdout)

            self.cached_token = token_data["accessToken"]

            self.token_expires_at = current_time + 3600  

        return AccessToken(self.cached_token, self.token_expires_at)

provider = TokenProvider()

token = provider.fetch_token("api://xxx/.default")

print(token.token)

User's image

And what I observed is when we generate access token for any API via CLI then the Azure CLI (az login) always retrieves v1.0 tokens and we cannot change manifest of CLI app as its global app. Hence setting "requestedAccessTokenVersion": 2 in our application doesnt effect the token version.

When I decoded the access token I see the appid ID Azure CLI ID not the Backend Microsoft Entra application ID:

User's image

Hence I can say that it is not possible to obtain v2.0 token via Azure CLI and without user interaction again.

To get v2.0 token re-login is required and the below code will generate v2.0 token for only custom APIs


from azure.identity import InteractiveBrowserCredential

credential = InteractiveBrowserCredential()  

token = credential.get_token("api://xxx/.default")  

print(token.token)

Hope this helps!

If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.

User's image

If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

Maria Dąbrowiecka 105 Reputation points

2025-06-17T13:44:34.3133333+00:00

Hello Rukmini,
Thanks for testing this scenario, now it's all clear for me. Thank you for digging into my problem.

BR,

Maria

Answer 2

Anonymous

Hi @Maria Dąbrowiecka

Thank you for the information,

Based on the info, we have found that you are not providing any endpoint while fetching the token for the user and providing "https://management.azure.com/.default" as scope. If you would like to retrieve v2.0 token, your resource must accept v2.0 token. Only then you can retrieve the token with v2.0 version. In your scenario, by default you will receive v1.0 token itself as Azure service management is a Microsoft managed application where you cannot set the accepted token version to 2 for the application. By this I would like to confirm you that if you would like to fetch v2.0 token your resource must accept v2.0 token which is not possible with the current scope you are using to fetch the token. Here is the other way around if you would like to give a try on the same: https://stackoverflow.com/questions/60737010/what-scope-for-azure-resource-management-with-the-device-authorization-grant-typ

You can also provide the feedback on the same in our feedback forum using the following link: https://feedback.azure.com/d365community

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Anonymous

2025-06-03T23:56:50.0066667+00:00

Hi @Maria Dąbrowiecka

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-06-04T16:30:50.94+00:00

Hi @Maria Dąbrowiecka

Could you please check your private message and respond accordingly.
Anonymous

2025-06-05T17:52:08.24+00:00

Hi @Maria Dąbrowiecka,

I would like to re iterate the reason behind why you are receiving v1.0 token with the current scope:

In your scenario, by default you will receive v1.0 token itself as Azure service management is a Microsoft managed application where you cannot set the accepted token version to 2 for the application. By this I would like to confirm you that if you would like to fetch v2.0 token your resource must accept v2.0 token which is not possible with the current scope you are using to fetch the token.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"
Anonymous

2025-06-09T16:40:06.88+00:00

Hi @Maria Dąbrowiecka

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-06-10T22:47:18.3133333+00:00

Hi @Maria Dąbrowiecka

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Anonymous

2025-06-13T08:42:31.3833333+00:00

Hello @Maria Dąbrowiecka, Did you get a chance to see Kancharla Saiteja answer? In case if you have any resolution, please do share that same with the community as it can be helpful to others.

Otherwise, please respond with more details and we will try to help.
Anonymous

2025-06-13T16:53:58.6933333+00:00
Hello @Maria Dąbrowiecka,

The scope https://management.azure.com/.default targets Azure Resource Manager (ARM). This service only supports v1.0 tokens, regardless of the client library used or the endpoint format.

Even though AzureCliCredential internally uses the v2.0 token endpoint (/oauth2/v2.0/token), Microsoft issues a v1.0 access token ("ver": "1.0") for ARM because that’s the only version ARM understands.

And the acceptedAccessTokenVersion setting only applies to tokens issued for your own API that is the scope as api//xxx//.default. When requesting a token for Microsoft Graph/ARM, the token version is determined by Microsoft Graph's/ARM configuration, not your app's settings.

Hence the access token version will be v1.

So, you're calling your own custom API, like below will give you v2 access token:

Go to App Registration -> Expose an API ->Define a scope like api://<app-id>/.default.-> Use that scope when calling get_token()

The token will be "ver": "2.0", and you can control it via requestedAccessTokenVersion.

Hope this clarifies things!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
SrideviM 5,865 Reputation points Volunteer Moderator

2025-06-16T01:27:35.4733333+00:00

Hello @Maria Dąbrowiecka,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back

Share via

How to get v2 token

1 additional answer

Your answer