Azure App Registration - Generate Token with specific scope

Patrick McInerney 26 Reputation points
2022-11-28T09:36:59.61+00:00

How can I generate an access token with scope "https://cnt-prod.loadtesting.azure.com/.default" via an Azure App Registration using grant_credentials?
I can add scopes like loadtests.read etc. but I don't understand how to add that kind of scope.

If I change the resource to this I get the following error:

AADSTS500011: The resource principal named https://cnt-prod.loadtesting.azure.com/.default was not found in the tenant named Default Directory. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.


Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-11-29T21:10:31.273+00:00

    Hi @Patrick McInerney ,

    Thanks for your post and for sharing your update!

    Yes, the scope parameter in the request should be the resource identifier (application ID URI) of the resource you want, affixed with the default suffix. See Access token reference.

    If you want to use the application permissions with your own API, you need to expose the API by defining the scopes in the API's app registration. Then you need to configure access to the API by selecting those permissions in the client application's app registration.

    If you set the scope parameter with a custom name such as "https://cnt-prod.loadtesting.azure.com/.default" without configuring the same URL as the application ID URI in Azure AD, then you will see the AADSTS500011 error.

    See related thread and documentation:

    Azure Active Directory Oauth 2.0 Client Credentials Flow with API Management Access Token issue
    Application Permissions

    Thanks again for sharing your update and let me know if you are still facing any issues!


    If the information helped you, please Accept the answer. This will help us and other community members as well.

    1 person found this answer helpful.

1 additional answer

  1. Patrick McInerney 26 Reputation points
    2022-11-29T16:01:10.187+00:00

    In case someone else comes across this in the future, you can swap out the resource for scope in the headers of an Azure App Registration bearer token request.

    This was relevant to me when using REST API calls to create Load Tests and Tests inside the Load Tests resource.

    1 person found this answer helpful.
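Added example (not code from this thread or from Microsoft): a Python sketch that builds the client-credentials token request both ways, with `scope` set to the application ID URI plus `/.default` on the v2.0 endpoint and `resource` set to the bare URI on the v1 endpoint, and flags the mismatch described in the question before anything is sent. The tenant, client ID and secret are placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
SUFFIX = "/.default"

def app_id_uri(target):
    """Return the bare application ID URI, dropping a trailing /.default if present."""
    target = target.strip()
    return target[: -len(SUFFIX)] if target.endswith(SUFFIX) else target

def build_token_request(tenant, client_id, client_secret, target, version="v2"):
    """Build (url, form) for a client-credentials token request. Nothing is sent."""
    uri = app_id_uri(target)
    if not uri:
        raise ValueError("empty application ID URI")
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if version == "v2":      # v2.0 endpoint: scope = <application ID URI>/.default
        form["scope"] = uri + SUFFIX
        return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form
    if version == "v1":      # v1 endpoint: resource = bare application ID URI
        form["resource"] = uri
        return f"{AUTHORITY}/{tenant}/oauth2/token", form
    raise ValueError(f"unknown endpoint version: {version!r}")

def lint_token_request(url, form):
    """List parameter/endpoint mismatches in a request that is about to be sent."""
    problems = []
    is_v2 = "/oauth2/v2.0/token" in url
    resource, scope = form.get("resource"), form.get("scope")
    if resource and resource.endswith(SUFFIX):
        problems.append("resource ends with /.default; send the bare URI or use scope")
    if is_v2 and resource:
        problems.append("v2.0 endpoint takes scope, not resource")
    if not is_v2 and scope:
        problems.append("v1 endpoint takes resource, not scope")
    if scope and not scope.endswith(SUFFIX):
        problems.append("client-credentials scope must end with /.default")
    return problems

if __name__ == "__main__":
    # Constructed placeholders; only the scope value comes from the question.
    target = "https://cnt-prod.loadtesting.azure.com/.default"
    url, form = build_token_request("<tenant-id>", "<client-id>", "<client-secret>", target)
    print("POST", url)
    print(urlencode({**form, "client_secret": "***"}))   # form body, secret masked
    failing = {"grant_type": "client_credentials", "resource": target}
    print(lint_token_request(f"{AUTHORITY}/<tenant-id>/oauth2/token", failing))
```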
