
Azure application & graphapi scope

Steven-6130 46 Reputation points
2021-11-01T08:10:20.64+00:00

Hi, I have an application xxx-client and a custom application scope defined as xxx-app.

![145319-image.png][2]

By defining the scope xxx-app in the [v2-oauth2-auth-code-flow][1], I am able to fetch the custom roles claim like 'Role.Reader':

```
{ "typ": "JWT", "alg": "RS256", "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680" }.{ "roles": [ "Role.Reader", "Role.Writer" ], "scp": "xxx", .... "ver": "2.0" }.[Signature]
```

When I define multiple scopes, like (User.Read, api://xxxxApp/xxxx) or (api://xxxxApp/xxxx, User.Read), I get either the Graph API claims or the roles claims (depending on the scope order), but not both:

```
{ "typ": "JWT", "nonce": "xxxxx", "alg": "RS256", "x5t": "xxx", "kid": "xxxx" }.{ "scp": "email openid profile User.Read User.ReadBasic.All", "signin_state": [ "dvc_mngd", "dvc_dmjd", "kmsi" ], ..... }.[Signature]
```

Is it possible to get App roles and Graph API claims in a single OAuth2 code flow?

[1]: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
[2]: /api/attachments/145319-image.png?platform=QnA

Tags: Azure App Configuration, Azure App Service, Microsoft Entra ID, Microsoft Graph

Answer accepted by question author

AmanpreetSingh-MSFT 56,971 Reputation points Moderator
2021-11-01T14:44:55.507+00:00

Hi anonymous user, thank you for reaching out.

Unfortunately, Azure AD doesn't support a multiple-audience claim as of now. This means that you can either specify Graph API scopes or your custom API scopes in a given authentication request.

At this time, we view unbound multi-audience tokens as a security threat that we do not support. Multi-audience bearer tokens can be replayed from one audience to the other insecurely, allowing an attacker who compromises one service to expand their footprint unnecessarily.

Our product team is investigating a proof-of-possession scheme to securely support multi-audience tokens that are sender-constrained. Hopefully, this will be supported in the near future.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

1 person found this answer helpful.
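The accepted answer says a token is issued for one audience per request and explains why: a bearer token that is valid for two audiences can be replayed from one service to the other. The usual way around this (the pattern MSAL follows) is still a single sign-in: exchange the authorization code for a token scoped to one resource, then redeem the refresh token (granted via `offline_access`) with a scope for the other resource, and have each API check `aud` against its own identifier. The example below is added here to illustrate that; it is not code from the original thread or from Microsoft. `StubTokenEndpoint`, the `api://xxxxApp` identifier URI, the `kid` value and the issued claims are all constructed for the example, tokens carry a placeholder signature, and real tokens must be RS256-verified against the tenant's JWKS before any of these claims are trusted.

```python
# Added example (not from the original Q&A): one sign-in, one audience per
# token, and a per-resource `aud` check that blocks cross-audience replay.
# StubTokenEndpoint stands in for the v2.0 token endpoint and runs offline.
import base64
import json

GRAPH_AUD = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID
CUSTOM_API_AUD = "api://xxxxApp"                     # assumed identifier URI of the custom API
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def resource_of(scopes):
    """Return the single resource a scope list targets. Bare names (User.Read) are
    treated as Graph scopes; 'api://<app>/<name>' scopes belong to that API. A mixed
    list is rejected, mirroring the token endpoint's one-resource-per-request rule."""
    resources = set()
    for scope in scopes:
        if scope in OIDC_SCOPES:
            continue
        resources.add(scope.rsplit("/", 1)[0] if scope.startswith("api://") else GRAPH_AUD)
    if len(resources) != 1:
        raise ValueError(f"scopes must target exactly one resource, got {resources or 'none'}")
    return resources.pop()


class StubTokenEndpoint:
    """Constructed stand-in for https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token."""

    def __init__(self, now):
        self.now = now
        self.codes = {}      # auth code -> scopes the user consented to at /authorize
        self.refresh = {}    # refresh token -> the same consented scope set

    def issue(self, aud, scopes):
        """Mint a token for ONE audience. The custom API token also carries the app
        roles the user holds (constructed to match the asker's sample)."""
        header = {"typ": "JWT", "alg": "RS256", "kid": "demo"}
        payload = {"aud": aud, "iss": "https://login.microsoftonline.com/tenant/v2.0",
                   "iat": self.now, "exp": self.now + 3600, "ver": "2.0",
                   "scp": " ".join(s.rsplit("/", 1)[-1] for s in scopes if s not in OIDC_SCOPES)}
        if aud == CUSTOM_API_AUD:
            payload["roles"] = ["Role.Reader", "Role.Writer"]
        # "sig" is a placeholder: real tokens are RS256-signed and verified via JWKS.
        return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode()), "sig"])

    def exchange_code(self, code, scope):
        """grant_type=authorization_code: a token for one resource plus a refresh token."""
        consented = self.codes.pop(code)              # codes are single-use
        requested = scope.split()
        if not set(requested) <= consented:
            raise PermissionError("scope not consented")
        rt = f"rt-{len(self.refresh)}"
        self.refresh[rt] = consented
        return {"access_token": self.issue(resource_of(requested), requested), "refresh_token": rt}

    def redeem_refresh(self, rt, scope):
        """grant_type=refresh_token with a scope for a DIFFERENT resource."""
        requested = scope.split()
        if not set(requested) <= self.refresh[rt]:
            raise PermissionError("scope not consented")
        return {"access_token": self.issue(resource_of(requested), requested)}


def acquire_tokens(endpoint, code):
    """Client side: one code exchange, then one refresh redemption per extra resource."""
    first = endpoint.exchange_code(code, "openid profile offline_access User.Read")
    second = endpoint.redeem_refresh(first["refresh_token"], "api://xxxxApp/xxxx")
    return {"graph": first["access_token"], "api": second["access_token"]}


def validate_bearer(token, expected_aud, now):
    """Resource-server check, run AFTER signature verification (omitted here):
    reject any token whose `aud` is not this API, however valid it is elsewhere."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    if claims["aud"] != expected_aud:
        raise PermissionError(f"token for {claims['aud']} presented to {expected_aud}")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def demo(now=1_635_753_600):
    ep = StubTokenEndpoint(now)
    # /authorize (not modelled) collected consent for BOTH resources in one prompt;
    # the token endpoint still issues one audience per call.
    ep.codes["code-1"] = {"openid", "profile", "offline_access", "User.Read", "api://xxxxApp/xxxx"}
    tokens = acquire_tokens(ep, "code-1")
    graph_claims = validate_bearer(tokens["graph"], GRAPH_AUD, now)
    api_claims = validate_bearer(tokens["api"], CUSTOM_API_AUD, now)
    try:
        validate_bearer(tokens["graph"], CUSTOM_API_AUD, now)   # replay the Graph token at the API
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return graph_claims, api_claims, replay_blocked


if __name__ == "__main__":
    g, a, blocked = demo()
    print("graph token:", g["aud"], g["scp"])
    print("api token:  ", a["aud"], a["roles"])
    print("cross-audience replay blocked:", blocked)
```

The `aud` check in `validate_bearer` is the piece that matters for the threat the answer describes: with one audience per token, a compromised Graph-scoped token is useless against the custom API, and the custom API never needs to reason about Graph scopes at all. The client pays for that with one extra token-endpoint round trip, which MSAL performs silently from its cache.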