Azure API Management Credentials Manager missing "scope" field for generic OAuth 2.0 CCF and Entra External ID

Taras Bilynskyi 15 Reputation points
2024-06-10T11:07:22.7266667+00:00

I have issues getting an access token using client credentials in API Management Credentials Manager.

I am using Entra External ID for external tenants as an identity provider.

Credentials Provider details:

  • Identity provider: OAuth 2.0
  • Grant type: client credentials
  • Authorization URL: empty
  • Refresh URL: empty
  • Token URL: https://<tenant id>.ciamlogin.com/<tenant id>/oauth2/v2.0/token

The error:

Failed to acquire access token for service using client credentials flow: IdentityProvider=oauth2. Correlation Id=c9b9d0e2-cf03-42a5-8e3e-0327a8841f3a, UTC TimeStamp=6/5/2024 1:24:23 PM, Error: Failed to exchange client credentials for token. Response code=BadRequest, Details: {"error":"invalid_request","error_description":"AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request. Trace ID: 14689e05-8545-45af-a0d1-3cb70a090000 Correlation ID: e04d620f-5340-42db-82fd-6e9b6a5a1553 Timestamp: 2024-06-05 13:24:23Z","error_codes":[90014],"timestamp":"2024-06-05 13:24:23Z","trace_id":"14689e05-8545-45af-a0d1-3cb70a090000","correlation_id":"e04d620f-5340-42db-82fd-6e9b6a5a1553","error_uri":"https://<tenant id>.ciamlogin.com/error?code=90014"}

And that's expected cause there is no way to provide scope.

I managed to get the token using Azure Active Directory v1 as an Identity Provider.

  • Identity provider: Azure Active Directory v1
  • Grant type: client credentials
  • Authorization URL: https://<tenant id>.ciamlogin.com
  • Resource URL: <Application ID URI>
  • Tenant Id: <tenant id>

The questions are:

  1. Can the workaround with Azure AD v1 be used in production?
  2. Is there a correct way to make it work?
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,161 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,907 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,069 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,861 Reputation points Microsoft Employee
    2024-06-18T23:35:25.0333333+00:00

    Hi @Taras Bilynskyi ,

    Both versions are supported but certain features are only supported in one or the other. For your scenario though you can instead switch the resource parameter to the scope parameter and add the default scope: {app id URI}/.default

    User's image

    See related:

    https://stackoverflow.com/questions/58523111/how-to-request-an-azure-bearer-token-properly-or-why-does-it-ask-me-to-send-a-s

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.