Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,149 questions
An error occurs when I login as a service principal to my app: "Token contains invalid claims"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 46%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Nikol
0
Reputation points
We have an app registration in AAD with MFA enabled and authentication configured using MSAL.
I've read that it is possible to bypass the MFA if I login as a service principal. I logged in using Azure CLI tool using Application (client) ID, Directory (tenant) ID and Secret value. Also I used "--allow-no-subscriptions" flag. Got an access token successfully.
When I am trying to use our app's API, next error is returned: "Token contains invalid claims".
What should I do to have access to my app using service principal? There are a lot of info on internet about roles within subscription/claims/scopes/resource groups. I am confused.
I would be grateful for your assistance!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 1%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Patchfox 3,811 Reputation points2023-07-31T20:36:16.76+00:00 Hi Nikol. I want to help you with this question.
You get the error because of an incorrect audience in the token. The token is for a specific recipient.
Can you tell us if you have defined an app scope in your app or if you are accessing a protected scope from Microsoft (e.g. graph.microsoft.com/User.Read)?
Please check if you send the scope in your app when you authenticate.
Could you show us, how you request the token via app?
If the problem is solved for you and all questions are answered, I would be happy if you mark the answer as accepted to close the thread.
-
Nikol 0 Reputation points
2023-08-01T09:46:53.7566667+00:00 Next scope is defined in our app and is sent to PCA when acquiring token: user_impersonation.
Also we have Microsoft_Graph permissions but they aren't used now.
-
Nikol 0 Reputation points
2023-08-01T09:48:08.3566667+00:00 The scope is sent like that:
api://${clientId}/user_impersonation -
Nikol 0 Reputation points
2023-08-01T09:52:14.5966667+00:00 *Duplicated comment accidentally
-
-
Patchfox 3,811 Reputation points
2023-08-01T15:41:19.34+00:00 Hi, thanks for your answer. Please check out this article:
It seems that you have a scope defined with your own api. Therefore you need to define the scope in the "client" app in the "Expose API" area.
Your screenshot looks like you have added the permission user_impersonation of microsoft apis. Here you need other urls in the scope e.g. https://learn.microsoft.com/de-de/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#acquire-access-tokens-silently
-
-
Nikol 0 Reputation points
2023-08-01T22:03:23.2+00:00
Sign in to comment