User gets consent for several resources using MSAL.NET

The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the .WithExtraScopeToConsent builder method.

Note

Getting consent for several resources works for Microsoft identity platform, but not for Azure AD B2C. Azure AD B2C supports only admin consent, not user consent.

For example, if you have two resources that have 2 scopes each:

  • https://mytenant.onmicrosoft.com/customerapi (with 2 scopes customer.read and customer.write)
  • https://mytenant.onmicrosoft.com/vendorapi (with 2 scopes vendor.read and vendor.write)

You should use the .WithExtraScopeToConsent modifier which has the extraScopesToConsent parameter as shown in the following example:

string[] scopesForCustomerApi = new string[]
{
  "https://mytenant.onmicrosoft.com/customerapi/customer.read",
  "https://mytenant.onmicrosoft.com/customerapi/customer.write"
};
string[] scopesForVendorApi = new string[]
{
 "https://mytenant.onmicrosoft.com/vendorapi/vendor.read",
 "https://mytenant.onmicrosoft.com/vendorapi/vendor.write"
};

var accounts = await app.GetAccountsAsync();
var result = await app.AcquireTokenInteractive(scopesForCustomerApi)
                     .WithAccount(accounts.FirstOrDefault())
                     .WithExtraScopeToConsent(scopesForVendorApi)
                     .ExecuteAsync();

This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache:

AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();