The goal is to have an application, running on the user’s computer and authenticated as either themselves or a service principal, that can perform Azure resource management operations and Key Vault secret (data plane) operations.

So far, the resource operations are working fine with the management.azure.com audience, but the Key Vault data operations naturally fail with an error

Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com

I’ve pored over the docs but it’s not entirely clear to me if it’s possible to have a single token for both audiences? Here, e.g., it suggests you can simply request multiple scopes, but other sources seem to say they must be for the same resource?

Several of MSAL’s token acquisition methods require a scopes parameter. The scopes parameter is a list of strings that declare the desired permissions and the resources requested.

A single token would vastly simplify the application, similar to how ADAL used to work.

Answers


  1. I tried to reproduce in my environment and got below results:

    Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com

    The above error means that to call the Azure Key Vault REST API, the audience of your token needs to be https://vault.azure.net.

    I tried with Postman to get a token in my environment; ensure you have registered an AD application and Key Vault with the right process.

    Before that, check your Azure Key Vault policy and secrets to ensure that no authorized application is chosen, and use a service principal rather than an application to access the secret.

    When I tried with scope https://management.azure.com in Postman, I got an access token.

    Then I copied the token to call the REST API to set a secret. I got a similar error.

    When I tried with scope https://vault.azure.net, I got an output successfully.

    Then I copied the token and called the API to set a secret; it worked fine.

    When I decoded the token with jwt.ms, I’m getting the aud.

    Reference:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

    Login or Signup to reply.
  2. You cannot acquire one token for multiple audiences in AAD. This is not supported for token acquisition and also not by the actual services. This is not a MSAL limitation, ADAL cannot do this either. ADAL might request/store multiple tokens internally. You need to manage multiple tokens in this case.

    Everything documented by Venkatesan is correct, just giving it a bit more context as an explanation.

    See also https://github.com/MicrosoftDocs/azure-docs/issues/82875

    Login or Signup to reply.
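One way to keep one token per audience, as the second answer says the application must, and to check the `aud` claim the first answer decoded with jwt.ms before handing a token to a client. This is an added example, not code from either answer or from MSAL: `PerAudienceTokens`, `token_audience`, `unsigned_jwt` and `fake_acquire` are constructed names, the caller is assumed to supply a real MSAL acquire function in place of `fake_acquire`, and the `<resource>/.default` scope form is the v2 endpoint convention from the linked permissions doc.

```python
import base64
import json
from typing import Callable, Dict, List

def _b64url(segment: str) -> bytes:
    # Restore the '=' padding that JWT segments strip before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_audience(access_token: str) -> str:
    """Return the JWT 'aud' claim, trailing slash removed. No signature check:
    this only picks a cached token; ARM and Key Vault still validate it."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS access token")
    claims = json.loads(_b64url(parts[1]))
    # ARM tokens commonly carry 'https://management.azure.com/' (with a slash).
    return claims["aud"].rstrip("/")

class PerAudienceTokens:
    """One cached access token per resource audience, as ADAL did internally.
    `acquire` stands in for an MSAL call such as acquire_token_for_client(scopes)
    and must return the MSAL-style result dict holding an 'access_token'."""

    def __init__(self, acquire: Callable[[List[str]], Dict[str, str]]):
        self._acquire = acquire
        self._tokens: Dict[str, str] = {}

    def token_for(self, resource: str) -> str:
        if resource not in self._tokens:
            # v2 endpoint convention: '<resource>/.default' requests the app's
            # consented permissions on exactly one resource per call.
            token = self._acquire([resource + "/.default"])["access_token"]
            found = token_audience(token)
            if found != resource:  # the check Key Vault failed in the question
                raise ValueError(f"Invalid audience. Expected {resource}, found: {found}")
            self._tokens[resource] = token
        return self._tokens[resource]

def unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned test token (alg 'none'); Azure would reject it."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def fake_acquire(scopes: List[str]) -> Dict[str, str]:
    """Offline stand-in for MSAL: mints a token whose aud is the scope's resource."""
    resource = scopes[0][: -len("/.default")]
    return {"access_token": unsigned_jwt({"aud": resource + "/"})}
```

Each resource client (ARM, Key Vault) asks the cache for its own audience; a token with the wrong `aud` is rejected locally with the same message the service would return.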