[Bug] Unable to login with WAM when an app scope is used #5074
Description
Library version used
4.67.1
.NET version
9.0
Scenario
PublicClient - desktop app
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
If you try to log in with WAM using a scope created by an app, it throws an exception.
The exception message is (HResult -2146233088):
WAM Error
Error Code: 0
Error Message: ApiContractViolation
WAM Error Message: Token response failed because declined scopes are present:'(pii)'
Internal Error Code: 593794722
Possible causes:
- Invalid redirect uri - ensure you have configured the following url in the application registration in Azure Portal: ms-appx-web://microsoft.aad.brokerplugin/
Relevant code snippets
```csharp
using Microsoft.Identity.Client;

// Build a public client that signs in through the Windows broker (WAM).
var app = PublicClientApplicationBuilder.Create(_clientId)
    .WithAuthority($"https://login.microsoftonline.com/{_tenantId}")
    .WithParentActivityOrWindow(() => windowHandle)
    .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows) { Title = "Login account" })
    .WithDefaultRedirectUri()
    .Build();

try
{
    // Requesting both scopes in a single interactive call is what produces the WAM error above.
    var authenticationResult = await app.AcquireTokenInteractive(_scopes)
        .WithPrompt(Prompt.SelectAccount)
        .ExecuteAsync();
}
catch (MsalException ex)
{
    ...
}
```
_scopes is an array of strings: [ "User.Read", "api://client-id/vpn_access" ]
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
Use AcquireTokenInteractive only with the User.Read scope to log in, then use AcquireTokenSilent with the app scope, passing result.Account (the result of the first authentication with WAM) as the second parameter.
This will work only if the user has already given consent previously or if the tenant administrator has granted consent.
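The two-step workaround described above, written out as an added example (this is not code from the issue or from MSAL.NET). The client id, tenant id and the `api://.../vpn_access` scope are placeholders, and the `WamTwoStepLogin` class and its method names are assumptions made for the example. The interactive call asks only for User.Read, and the silent call then asks only for the app's own scope against the account returned by the first call, so each token request names a single resource. A missing consent surfaces as MsalUiRequiredException on the silent call, which the example reports instead of retrying blindly.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not project code: log in via WAM with User.Read first, then
// acquire the app scope silently for the same account.
public static class WamTwoStepLogin
{
    // Placeholders: replace with the values from your app registration.
    private const string ClientId = "<client-id-placeholder>";
    private const string TenantId = "<tenant-id-placeholder>";

    // Step 1 requests only the Graph scope; step 2 requests only the app scope.
    private static readonly string[] LoginScopes = { "User.Read" };
    private static readonly string[] ApiScopes = { "api://<client-id-placeholder>/vpn_access" };

    public static IPublicClientApplication BuildApp(IntPtr windowHandle)
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority($"https://login.microsoftonline.com/{TenantId}")
            .WithParentActivityOrWindow(() => windowHandle)
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows) { Title = "Login account" })
            .WithDefaultRedirectUri()
            .Build();
    }

    public static async Task<AuthenticationResult> AcquireApiTokenAsync(IPublicClientApplication app)
    {
        // Step 1: interactive sign-in through WAM with the User.Read scope only.
        AuthenticationResult login = await app.AcquireTokenInteractive(LoginScopes)
            .WithPrompt(Prompt.SelectAccount)
            .ExecuteAsync();

        try
        {
            // Step 2: silent request for the app scope, bound to the account from step 1.
            return await app.AcquireTokenSilent(ApiScopes, login.Account)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // The silent call only succeeds if consent for the app scope already exists
            // (granted earlier by the user, or by a tenant administrator). Report that
            // condition explicitly so the caller can handle it deliberately.
            throw new InvalidOperationException(
                $"Consent for '{string.Join(" ", ApiScopes)}' is missing for account " +
                $"'{login.Account.Username}': {ex.Message}", ex);
        }
    }
}
```

Call `BuildApp` with the window handle of the parent window and then `AcquireApiTokenAsync` once per sign-in; the returned AuthenticationResult carries the access token for the app scope, and MSAL's cache serves later `AcquireTokenSilent` calls for the same account without another WAM prompt.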