I have an Entra External ID tenant with a registered public desktop app from which I want to call the APIs of an Azure Speech Service resource.
Via MSAL I log in like this:
using Microsoft.Identity.Client;

var clientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var tenantId = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
var tenantSubdomain = "tenantsubdomain";
// ".default" asks for every delegated permission statically consented for this resource
var scopes = new string[] { "https://cognitiveservices.azure.com/.default" };
var app = PublicClientApplicationBuilder.Create(clientId)
    //.WithTenantId(tenantId) // with or without this line gets me the same result
    .WithAuthority($"https://{tenantSubdomain}.ciamlogin.com/{tenantId}") // External ID (CIAM) authority
    .WithDefaultRedirectUri()
    .Build();
var ar = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
// ...
However, when I try to log in with a user account that was created in this tenant, I receive the following error message:
Error details: error invalid_request error_description: AADSTS500207: The account type can't be used for the resource you're trying to access.
If I switch out the scope https://cognitiveservices.azure.com/.default with https://graph.microsoft.com/.default, the login works, but the resulting token can't be used to access the speech service. The app registers the following permissions:
Microsoft Cognitive Services (1)
- user_impersonation
Microsoft Graph (5)
- email
- offline_access
- openid
- profile
- User.Read
All of them have an admin grant for the tenant. I have also added a service principal for the Microsoft Cognitive Services app and have assigned my users to it. I have also granted the Cognitive Services Speech User role to both my users and the application on the speech resource.
Note: the scope for "user_impersonation" is https://internal.cognitiveservices.azure.us/user_impersonation, so I don't know if that matches https://cognitiveservices.azure.com/.default, but this was the only permission visible to me in the Entra portal under "Microsoft Cognitive Services". Also, the description sounds correct to me:
Allows the application to access the Cognitive Services API acting as users in the organization.
On Stack Overflow someone says that Cognitive Services can't be used from CIAM logins.
Is that true? If yes: how should I proceed for my use-case of a non-confidential public desktop app? If not true: what am I doing wrong?
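An added example, not part of the question above and not MSAL's or Azure's own code: a small Python helper that decodes the access token MSAL returns, without verifying its signature, and checks whether its `aud`, `tid`, `exp` and `scp` claims fit the scope and tenant that were requested. Inspecting the token this way is the first thing worth doing when a token "can't be used" against a resource, because it shows which resource the token was actually issued for. The tenant ID, the claim values and the two sample tokens are constructed placeholders for the demo, not tokens from a real tenant, and the audience comparison assumes the resource-URI form of `aud`.

```python
import base64
import json
import time
from typing import List, Optional

# Resource identifiers from the question; a scope "<resource>/.default" names the resource.
GRAPH = "https://graph.microsoft.com"
COGNITIVE = "https://cognitiveservices.azure.com"
TENANT = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"  # placeholder, as in the question
FIXED_NOW = 1_700_000_000  # fixed clock so the constructed tokens below stay valid


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying its signature.

    Inspection only: because the signature is ignored, nothing returned here may
    feed a trust decision. It is fine for looking at what MSAL handed back."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def resource_of_scope(scope: str) -> str:
    """Resource a scope string addresses: everything before the last '/'."""
    return scope.rsplit("/", 1)[0]


def check_token(claims: dict, scope: str, tenant_id: str,
                now: Optional[float] = None) -> List[str]:
    """List the reasons a token would NOT fit `scope` in `tenant_id`; empty means it fits."""
    problems = []
    want = resource_of_scope(scope)
    aud = str(claims.get("aud", ""))
    # Entra may issue aud as the resource URI (with or without a trailing slash) or as
    # the resource's application ID; only the URI form is compared here (assumption).
    if aud.rstrip("/") != want.rstrip("/"):
        problems.append(f"aud is {aud!r}: token was issued for a resource other than {want!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {tenant_id!r}")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # For a delegated token the granted permissions arrive in scp (space separated).
    if not str(claims.get("scp", "")).split():
        problems.append("no delegated permissions (scp) granted on this resource")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token: real Entra tokens are RS256-signed; this one carries a
    placeholder signature segment so that decode_claims() can still parse it."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed: the shape of a token from the Graph fallback described in the question.
GRAPH_TOKEN = make_unsigned_token({
    "aud": GRAPH, "tid": TENANT, "exp": FIXED_NOW + 3600,
    "scp": "User.Read email openid profile",
})
# Constructed: the shape a token would need to have to fit the speech resource's scope.
SPEECH_TOKEN = make_unsigned_token({
    "aud": COGNITIVE, "tid": TENANT, "exp": FIXED_NOW + 3600,
    "scp": "user_impersonation",
})

if __name__ == "__main__":
    for name, token in (("graph token", GRAPH_TOKEN), ("speech token", SPEECH_TOKEN)):
        problems = check_token(decode_claims(token), COGNITIVE + "/.default", TENANT, FIXED_NOW)
        print(name, "->", problems or "fits " + COGNITIVE)
```

To use it on a real result, pass `ar.AccessToken` from the MSAL call into `decode_claims()` and the requested scope and tenant ID into `check_token()`: `aud` tells you which resource the token was issued for and `scp` which delegated permissions were granted on it, so a token obtained with the Graph scope shows up immediately as carrying the wrong audience for the speech resource.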