This compiles in startup.cs:

string[] initialScopes = Configuration.GetValue<string>("GraphApi:Scopes")?.Split(' ');

services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddMicrosoftGraph();

However, since I'm working on an API controller only, and not a web app, I want to do this instead:

string[] initialScopes = Configuration.GetValue<string>("GraphApi:Scopes")?.Split(' ');

services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                .AddMicrosoftGraph();

However, this does not compile. At least not with Microsoft.Identity.Web v1.0. Intellisense tells me that string[] is not assignable to parameter type ConfidentialClientApplicationOptions.

The difference is that AddMicrosoftIdentityWebApiAuthentication returns a MicrosoftIdentityWebApiAuthenticationBuilder whereas the former returns a `MicrosoftIdentityAppCallsWebApiAuthenticationBuilder.

Is there a work-around here?

What I'm trying to accomplish, is to ensure that the scope is set correctly when the Graph access token is requested. Currently, this does not seem to be the case, as I get an error like this when trying call Graph - e.g. await graphServiceClient.Applications.Request().GetAsync();.

---> Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent. 
 ---> MSAL.NetCore.4.18.0.0.MsalUiRequiredException: 
    ErrorCode: user_null
Microsoft.Identity.Client.MsalUiRequiredException: No account or login hint was 

In other words, what I need is an application access token which looks like this:

[...more json]
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1602055659,
  "nbf": 1602055659,
  "exp": 1602059559,
  "aio": "[...]",
  "app_displayname": "My app",
  "appid": "{App id guid}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "idtyp": "app",
  "oid": "{guid}",
  "rh": "[...]",
  "roles": [
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.Read.All",
    "Application.Read.All"
  ],
  "sub": "{guid}",
  "tenant_region_scope": "EU",
  "tid": "{tenant id}",
  "uti": "[...]",
  "ver": "1.0",
  "xms_tcdt": 1597308440
}.[Signature]

I can generate the above manually with Postman and if I use it, it works. Confirming that the configuration of the Application is correct in Azure AD.

2

There are 2 answers

0
1iveowl On BEST ANSWER

Apparently, using an application access token is current not yet supported.

IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user #667

0
omarmallat On

use

.AddMicrosoftGraph(Configuration.GetSection("GraphAPI"))

and make sure you appsettings.json contains the following (use the Scope you want separated by space):

  "GraphAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read mail.read",
    "DefaultScope": "https://graph.microsoft.com/.default"
  }