Reputation: 1239
My objective is to get an access token for a user for a resource (an AD app present in the tenant).
I have been able to get an access token for a service principal by using:
az login --service-principal -u <client-id> -p <client-secret> --tenant <tenant-id> --allow-no-subscriptions
az account get-access-token --resource <resource-client-id>
Now, when I try to achieve the same for a user by switching the service-principal login to a user login (az login):
az login
az account get-access-token --resource <resource-client-id>
This, however, gives an error:
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 19fdf309-f9ef-423b-8c18-7cd9269b0700\r\nr\nTimestamp: 2019-11-21 09:03:25Z","error_codes":[65001],"timestamp":"2019-11-21 09:03:25Z","trace_id":"19fdf309-f9ef-423b-8c18-7cd9269b0700","correlation_id":"2aafc4e4-0c1b-42b3-ba59-afe09bbe9fb5","suberror":"consent_required"}
Can someone help me understand why this is the case?
Upvotes: 8
Views: 20617
Reputation: 15609
You are trying to get a token from <APP ID Uri> using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
Go to the resource (App in AD) -> Expose an API -> Add a client application with 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and check the scope.
Then get the access token again.
Upvotes: 7
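As an added example (not code from the question or answer above), the following Python audits whether a client such as Azure CLI is pre-authorized on a resource app and applies the "Add a client application" fix as data. It assumes the app registration is shaped like the Microsoft Graph application object (`api.oauth2PermissionScopes`, `api.preAuthorizedApplications`); the sample app, its URI and all scope ids are constructed, while the Azure CLI client id is the one given in the answer.

```python
import copy
import json

# Application (client) ID of Azure CLI, as stated in the answer above.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample resource app registration shaped like the Microsoft Graph application
# object (an assumption; read the real one with `az ad app show`). All ids here are made up.
SAMPLE_APP = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "identifierUris": ["api://my-resource-app"],
    "api": {
        "oauth2PermissionScopes": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "user_impersonation", "isEnabled": True},
            {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Reports.Read", "isEnabled": True},
        ],
        "preAuthorizedApplications": [  # some other client is pre-authorized; Azure CLI is not
            {"appId": "99999999-8888-7777-6666-555555555555",
             "delegatedPermissionIds": ["aaaaaaaa-0000-0000-0000-000000000001"]},
        ],
    },
}

def preauthorized_scopes(app, client_app_id):
    """Scope names `client_app_id` may request on `app` without consent; [] means AADSTS65001 for a user token."""
    api = app.get("api", {})
    names = {s["id"]: s["value"] for s in api.get("oauth2PermissionScopes", []) if s.get("isEnabled", True)}
    for entry in api.get("preAuthorizedApplications", []):
        if entry.get("appId", "").lower() == client_app_id.lower():
            return sorted(names.get(pid, pid) for pid in entry.get("delegatedPermissionIds", []))
    return []

def is_consent_required_error(response_body):
    """True for the AADSTS65001 / consent_required token error body shown in the question."""
    body = json.loads(response_body)
    return body.get("error") == "invalid_grant" and (
        body.get("suberror") == "consent_required" or 65001 in body.get("error_codes", []))

def add_preauthorized_client(app, client_app_id, scope_values):
    """Copy of `app` with `client_app_id` pre-authorized for the named scopes: the
    'Expose an API -> Add a client application' step from the answer, expressed as data."""
    fixed = copy.deepcopy(app)
    api = fixed.setdefault("api", {})
    ids = [s["id"] for s in api.get("oauth2PermissionScopes", []) if s["value"] in scope_values]
    if len(ids) != len(set(scope_values)):
        raise ValueError("unknown scope in %r" % (scope_values,))
    api.setdefault("preAuthorizedApplications", []).append(
        {"appId": client_app_id, "delegatedPermissionIds": ids})
    return fixed
```

Pre-authorizing a client grants every user of that client the listed delegated scopes without a consent prompt, so keep the scope list as narrow as the CLI use actually needs.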