Where is the XboxLive scope in Azure AD app?

Question

Where is the XboxLive scope in Azure AD app?

DataPocalypse 10

How we can authenticate XboxLive players with AAD? I'm unable to find the XboxLive scopes.

On a gameserver that have Steam and XBL players, it is a nightmare to have equal features that require Omniauth/Openid authentication.

I just need the XBL_ID and gamertag, nothing more, how I can do that?

Thank you in advance.

(PS: I already searched and read all topics about that without success, nothing work.)

Amir Abdollahi 20 Reputation points

2023-04-24T00:09:53.1266667+00:00

I am also looking for the scope.
Marilee Turscak-MSFT 37,191 Reputation points Microsoft Employee Moderator

2023-04-24T21:21:17.7233333+00:00

Hi @DataPocalypse ,

Thanks for your post and apologies for the delayed response! The Xbox live scope should be XboxLive.SignIn , the optional scope should be XboxLive.offline_access, and the response_type should set to response_type: 'code'. The Xbox live scope is a service scope that is already authorized in every client, but it requires manual authorization from the user if your app does not have an Xbox developer program partnership.

Alternatively, you can use the service::user.auth.xboxlive.com::MBI_SSL scope if you have an Xbox partnership program such as ID@Xbox or Xbox Creators Program. This scope allows you to get authorization from the user and the user doesn't have to authorize your application manually, but you do need to have a developer program. For information about joining these programs, see the Azure game development solutions pages:

https://azure.microsoft.com/en-us/solutions/gaming/

https://www.xbox.com/en-US/publish

If you have either option configured and are still facing issues with the authorization, it's possible that there is something else blocking the authorization, such as an MFA policy/requirement or IP restriction, so I would recommend disabling MFA and seeing if you get different results.

If these suggestions do not work, feel free to send me an email at AzCommunity@microsoft.com ("Attn Marilee Turscak") and include your subscription ID, and I will get a one-time free support case opened to address this issue.

If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching the same issue.
Sandeep G-MSFT 20,796 Reputation points Microsoft Employee Moderator

2023-05-02T04:17:47.06+00:00

@DataPocalypse

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

DataPocalypse 10

Hi @Sandeep G-MSFT ,

Still doesn't work.

When I add XboxLive.SignIn scope, I got an error message :

{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter.\r\nTrace ID: 364e1c51-1377-4267-a6bd-772a0d4ebd00\r\nCorrelation ID: df87fcf8-2edf-4a3a-9fd4-adbb26b64280\r\nTimestamp: 2023-05-03 09:18:55Z","error_codes":[70011],"timestamp":"2023-05-03 09:18:55Z","trace_id":"364e1c51-1377-4267-a6bd-772a0d4ebd00","correlation_id":"df87fcf8-2edf-4a3a-9fd4-adbb26b64280"}

I can auth with base scopes openid profile User.Read but XboxLive.SignIn break the request

DataPocalypse 10

And the authorize request has the scope input :

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=HIDDEN&prompt=&redirect_uri=http://localhost:3010/users/auth/azure_activedirectory_v2/callback&scope=openid profile User.Read XboxLive.SignIn&state=HIDDEN

Marilee Turscak-MSFT 37,191 Reputation points Microsoft Employee Moderator

2023-05-03T20:36:02.2933333+00:00

@DataPocalypse ,

Just to clarify, am I correct in assuming that this is for a first party app that you are developing? If you reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, I can open a one-time free support case on your behalf. Note that you need to have a valid subscription on a billable tenant (i.e. at least a Pay-As-You-Go) subscription in order for me to enable this.
Amir Abdollahi 20 Reputation points

2023-08-02T03:17:04.5533333+00:00

Did you ever figure it out @DataPocalypse ? I am also still receiving the invalid_scope response.

2 answers

Your answer

Amir Abdollahi 20 Reputation points

2023-04-24T00:09:53.1266667+00:00

I am also looking for the scope.
Marilee Turscak-MSFT 37,191 Reputation points Microsoft Employee Moderator

2023-04-24T21:21:17.7233333+00:00

Hi @DataPocalypse ,

Thanks for your post and apologies for the delayed response! The Xbox live scope should be XboxLive.SignIn , the optional scope should be XboxLive.offline_access, and the response_type should set to response_type: 'code'. The Xbox live scope is a service scope that is already authorized in every client, but it requires manual authorization from the user if your app does not have an Xbox developer program partnership.

Alternatively, you can use the service::user.auth.xboxlive.com::MBI_SSL scope if you have an Xbox partnership program such as ID@Xbox or Xbox Creators Program. This scope allows you to get authorization from the user and the user doesn't have to authorize your application manually, but you do need to have a developer program. For information about joining these programs, see the Azure game development solutions pages:

https://azure.microsoft.com/en-us/solutions/gaming/

https://www.xbox.com/en-US/publish

If you have either option configured and are still facing issues with the authorization, it's possible that there is something else blocking the authorization, such as an MFA policy/requirement or IP restriction, so I would recommend disabling MFA and seeing if you get different results.

If these suggestions do not work, feel free to send me an email at AzCommunity@microsoft.com ("Attn Marilee Turscak") and include your subscription ID, and I will get a one-time free support case opened to address this issue.

If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching the same issue.
Sandeep G-MSFT 20,796 Reputation points Microsoft Employee Moderator

2023-05-02T04:17:47.06+00:00

@DataPocalypse

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
DataPocalypse 10 Reputation points

2023-05-03T09:26:49.2666667+00:00

Hi @Sandeep G-MSFT ,

Still doesn't work.

When I add XboxLive.SignIn scope, I got an error message :

{"error":"invalid_scope","error_description":"AADSTS70011: The provided request must include a 'scope' input parameter.\r\nTrace ID: 364e1c51-1377-4267-a6bd-772a0d4ebd00\r\nCorrelation ID: df87fcf8-2edf-4a3a-9fd4-adbb26b64280\r\nTimestamp: 2023-05-03 09:18:55Z","error_codes":[70011],"timestamp":"2023-05-03 09:18:55Z","trace_id":"364e1c51-1377-4267-a6bd-772a0d4ebd00","correlation_id":"df87fcf8-2edf-4a3a-9fd4-adbb26b64280"}

I can auth with base scopes openid profile User.Read but XboxLive.SignIn break the request
DataPocalypse 10 Reputation points

2023-05-03T09:45:36.3733333+00:00

And the authorize request has the scope input :

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=HIDDEN&prompt=&redirect_uri=http://localhost:3010/users/auth/azure_activedirectory_v2/callback&scope=openid profile User.Read XboxLive.SignIn&state=HIDDEN
Marilee Turscak-MSFT 37,191 Reputation points Microsoft Employee Moderator

2023-05-03T20:36:02.2933333+00:00

@DataPocalypse ,

Just to clarify, am I correct in assuming that this is for a first party app that you are developing? If you reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, I can open a one-time free support case on your behalf. Note that you need to have a valid subscription on a billable tenant (i.e. at least a Pay-As-You-Go) subscription in order for me to enable this.
Amir Abdollahi 20 Reputation points

2023-08-02T03:17:04.5533333+00:00

Did you ever figure it out @DataPocalypse ? I am also still receiving the invalid_scope response.

Answer 1

LOSTMSU 6

I solved the issue by using https://login.microsoftonline.com/consumers authorization endpoint instead of https://login.microsoftonline.com/common This way I got the XboxLive.signin scope without adding it in advance to App Registration in Azure Portal.

E.g. with MSAL JavaScript:

const msalConfig = {
  auth: {
    clientId: ...,
    authority: 'https://login.microsoftonline.com/consumers',
  },
  ...
};

Answer 2

wouter bruijn 0

I ran into the same issue, I had the wrong scopes selected which somehow broke the whole system. Make sure you remove any unnecessary scopes. Better yet just use "offline_access XboxLive.signin".

For me it was caused by the User.Read scope

wouter bruijn 0 Reputation points

2024-02-15T20:26:15.8066667+00:00

I am a unix developer, I don't do grammar

Share via

Where is the XboxLive scope in Azure AD app?

2 answers

Your answer