B2C supports using the client ID as the scope, but AAD doesn't.

2021-10-14T02:56:49.557+00:00

I realize that B2C supports using the Client ID as the scope: https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens#openid-connect-scopes

This is a very interesting feature and sometimes very effective. But AAD doesn't support this feature.
When I try to use the Client ID as the scope, I get the error:

The application 'xxx-xxx' asked for scope 'xxx-client-xxx' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'

It seems that it uses AAD Graph as the default resource server.

Is there any reason that AAD shouldn't support this feature?


2 answers

  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2021-10-14T09:40:35.237+00:00

    Hi @Zhicheng Liu (CSI Interfusion Inc) • Thank you for reaching out.

    Azure AD does support the application ID being used in the scope parameter of the authentication request. However, you have to provide the scope name along with the application ID, like 70072b3b-xxxx-xxxx-xxxx-394ae41ec45e/.default, or with a specific scope, like 70072b3b-3966-47d1-8f3f-394ae41ec45e/read. With the V2 endpoint, you cannot use only the app ID as the scope. Please find the snip below for your reference:

    [screenshot: V2 endpoint request with the app ID plus scope name]

    If you want to use only the App ID, you may use the V1 endpoint, which uses the resource parameter instead of scope and allows the use of only the app ID. Please refer to the screenshot below:

    [screenshot: V1 endpoint request with the app ID in the resource parameter]


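As an added example (not code from the thread or from Microsoft): the two request shapes the answer describes, plus a check that flags the bare-app-ID scope the question tried on the V2 endpoint. The tenant, client ID and redirect URI are constructed values; the API app ID is the one quoted in the answer.

```python
# Added example: Azure AD authorize requests. The V2 endpoint needs
# "<app-id>/<scope>" or "<app-id>/.default" in `scope`; the V1 endpoint takes
# the bare app ID in `resource`. Tenant, client ID and redirect URI below are
# constructed placeholders, not real registrations.
import re
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def bare_app_id_scopes(scope: str) -> list:
    """Return scope tokens that are a bare application ID (a GUID with no
    '/<name>' suffix). On V2 these produce the "asked for scope ... that
    doesn't exist on the resource" error quoted in the question."""
    return [token for token in scope.split() if GUID_RE.match(token)]


def v2_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str) -> str:
    """Build a V2 authorization-code request, refusing bare app-ID scopes."""
    bad = bare_app_id_scopes(scope)
    if bad:
        raise ValueError(f"V2 needs '<app-id>/<scope>' or '<app-id>/.default', got bare app ID(s): {bad}")
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def v1_authorize_url(tenant: str, client_id: str, redirect_uri: str, resource: str) -> str:
    """Build a V1 authorization-code request; `resource` is the bare app ID."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "resource": resource}
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?" + urlencode(params)


def query_params(url: str) -> dict:
    """Decode the query string of a built URL back into a dict of lists."""
    return parse_qs(urlparse(url).query)


if __name__ == "__main__":
    api_app_id = "70072b3b-3966-47d1-8f3f-394ae41ec45e"  # app ID quoted in the answer
    client = "11111111-1111-1111-1111-111111111111"       # constructed client ID
    cb = "http://localhost/callback"                      # constructed redirect URI
    print("bare app-ID scopes:", bare_app_id_scopes(f"openid {api_app_id}"))
    print(v2_authorize_url("common", client, cb, f"openid {api_app_id}/.default"))
    print(v1_authorize_url("common", client, cb, api_app_id))
```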

  2. Zhicheng Liu (CSI Interfusion Inc) 1 Reputation point
    2021-10-15T10:23:43.337+00:00

    Hi, @AmanpreetSingh-MSFT, thanks for your explanation.
    Sorry, I have another question here.
    If I use the B2C authorization code process, I can specify the scope I need by specifying &scope. However, in AAD, once a user has authorized a certain scope of an application, subsequent requests will return it regardless of whether the scope is included in &scope. Is there a way to specify the scope I need to be returned?

    Here is my request for AAD; even though the scope I requested is just user.read and openid, it returns all the scopes I have ever authorized.
    [screenshot: AAD token request returning all previously authorized scopes]

    Here is my request for B2C, which only returned the scope I asked for in scope, which is great.
    [screenshot: B2C token request returning only the requested scope]

