Acquire single token for multiple scopes microsoft entra id

Question

I have an asp.net core web api project. This project uses azure entra id for authentication. I have registered 2 apps in this entra one for react client app and second for asp.net core web apis. This web api project has 2 modules one mes which is secured with this scope "api://********-****-****-****-************/Mes" and other user management which required above scope plus these graph api scopes,

 "User.Read",
 "Directory.ReadWrite.All",
 "User.Invite.All"

Now on react app I'm using msal-react and msal-browser for login and attaining token but when i am trying to get a singular token for all these scopes so that I get access to all apis with single token I only get token for either mes scope or graph api scopes

const loginRequest = {
  scopes: [
    "api://********-****-****-****-************/Mes",
    "User.Read",
    "Directory.ReadWrite.All",
    "User.Invite.All",
  ],
};

const handleLogin = async () => {
  try {
    let auth = await instance.loginPopup(loginRequest);
    localStorage.setItem("user", JSON.stringify(auth));
    localStorage.setItem("access_token", auth.accessToken);
    return auth;
  } catch (error) {
    if (error instanceof AuthError && error.errorCode === 'user_cancelled') {
      console.log('User cancelled the login flow');
      return rejectWithValue('User cancelled the login flow');
    } else {
      console.error('Login error:', error);
      throw rejectWithValue(error.message);
    }
  }
};

When I'm requesting all scopes together in login request, its only providing token for graph api, to get token for mes i must request it alone in login request. Purpose of this question is to find a way that let me get single token for all these scopes.

Answer 1

Simple answer is that you can't.

A token can be acquired for multiple scopes if all those scopes belong to same resource. For example, in a single request you can acquire token for User.Read, Directory.ReadWrite.All and User.Invite.All scopes because they are part of Graph API resource.

To acquire token for your API, you will need to make a separate request as it is a completely different resource.

Answer 2

Note that: You cannot generate access token for multiple resources that is Web API and Microsoft Graph. You need to generate two access token one for API and one for Graph.

Created a Microsoft Entra ID application and granted below API permissions:

Generated access token via Postman by using below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:api://XXX/readaccess User.Read Directory.ReadWrite.AlL User.Invite.All
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

• The access token got generated with the scope as api://XXX/readaccess but Microsoft Graph scope isn't included in the access token.
• If you are passing multiple resources, then while generating the access token it will consider only the first scope while generating the access token.
• Hence, generate separate tokens for different resources.

Reference:

I want to get multiple access token for my multiple scopes. How can I do that with only one user sign in? - Microsoft Q&A by Shweta Mathur