Reputation: 1089
In Azure Active Directory, I have an app that needs to use both the Microsoft Graph API and the SharePoint API with the following scopes:
GraphAPI scopes:
"https://graph.microsoft.com/User.Read.All",
"https://graph.microsoft.com/Group.Read.All",
"https://graph.microsoft.com/Sites.Read.All",
"https://graph.microsoft.com/Calendars.Read.Shared",
"https://graph.microsoft.com/MailboxSettings.Read",
"https://graph.microsoft.com/Files.Read.All"
SharePointAPI scopes:
"https://microsoft.sharepoint-df.com/AllSites.Read",
"https://microsoft.sharepoint-df.com/AllSites.FullControl",
"https://microsoft.sharepoint-df.com/User.Read.All"
I'm trying to get a token for the app:
from msal import PublicClientApplication
AUTHORITY = 'https://login.microsoftonline.com/common'
client_id = '<application (client) id>'  # the app registration's client id
scopes = [ "https://microsoft.sharepoint-df.com/AllSites.Read",
"https://microsoft.sharepoint-df.com/AllSites.FullControl",
"https://microsoft.sharepoint-df.com/User.Read.All",
"https://graph.microsoft.com/User.Read.All",
"https://graph.microsoft.com/Group.Read.All",
"https://graph.microsoft.com/Sites.Read.All",
"https://graph.microsoft.com/Calendars.Read.Shared",
"https://graph.microsoft.com/MailboxSettings.Read",
"https://graph.microsoft.com/Files.Read.All"
]
app = PublicClientApplication(client_id, authority=AUTHORITY)
flow = app.initiate_device_flow(scopes=scopes)
print(flow["message"])  # shows the device code and the URL to approve the app
result = app.acquire_token_by_device_flow(flow)  # blocks until the user approves
But after approving the app in the WebUI, I get the following error:
'error_description': 'AADSTS28000: Provided value for the input parameter scope is not valid
because it contains more than one resource. Scope https://graph.microsoft.com/Calendars.Read.Shared
https://graph.microsoft.com/Files.Read.All https://graph.microsoft.com/Group.Read.All
https://graph.microsoft.com/MailboxSettings.Read https://graph.microsoft.com/Sites.Read.All
https://graph.microsoft.com/User.Read.All https://microsoft.sharepoint-df.com/AllSites.FullControl
https://microsoft.sharepoint-df.com/AllSites.Read https://microsoft.sharepoint-df.com/User.Read.All
offline_access openid profile is not valid'
Upvotes: 6
Views: 14048
Reputation: 12371
Here's a good resource for fixing your issue: https://camerondwyer.com/2022/03/11/how-to-combine-graph-sharepoint-permission-consent-into-a-single-msal-dialog-on-first-use/
If you happen to use an MSAL.js wrapper like the one available for Angular, this works out of the box via its interceptor. You only need to supply all the scopes in the login request and, once the user gives consent, the access tokens for specific resources are silently fetched on demand.
Upvotes: 1
Reputation: 3505
That's the expected behavior. You cannot mix resources (graph, sharepoint, etc) but you can acquire 1 access token for each additional resource using the same refresh token.
You can achieve this in MSAL calling the following method:
PublicClientApplication.AcquireTokenByRefreshToken(IEnumerable<string> scopes, string refreshToken);
Upvotes: 8
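The point both answers make, applied to the question's Python code: AAD v2 accepts scopes for exactly one resource per token request, so the scope list has to be split by resource and each resource gets its own acquire call, with MSAL reusing the cached refresh token for the second and later ones. The following is an added example, not code from the question, the answers or MSAL itself. `resource_of`, `group_scopes_by_resource`, `check_single_resource` and `acquire_tokens_per_resource` are names chosen here; the `msal` calls used (`initiate_device_flow`, `acquire_token_by_device_flow`, `get_accounts`, `acquire_token_silent`) are real MSAL for Python methods. Bare scope names such as `User.Read` are mapped to Microsoft Graph, which is how the v2 endpoint resolves them; the client id and scope list in `__main__` are placeholders.

```python
"""Split a mixed Graph + SharePoint scope list into one token request per resource.

Added example; not code from the question or from MSAL. AAD v2 rejects a scope
parameter spanning several resources (AADSTS28000), so the fix is one request
per resource, with MSAL's cached refresh token covering the extra resources.
"""
from urllib.parse import urlsplit

# OIDC scopes MSAL appends itself; they belong to no resource and may sit next
# to any resource's scopes without triggering AADSTS28000.
RESERVED_SCOPES = {"openid", "profile", "offline_access"}

# The v2 endpoint resolves bare scope names ("User.Read") to Microsoft Graph.
DEFAULT_RESOURCE = "https://graph.microsoft.com"


def resource_of(scope):
    """Return the resource (token audience) a scope belongs to, or None for reserved OIDC scopes."""
    if scope in RESERVED_SCOPES:
        return None
    parts = urlsplit(scope)
    if parts.scheme and parts.netloc:  # https://host/Scope or api://<app-id>/Scope
        return f"{parts.scheme}://{parts.netloc}"
    return DEFAULT_RESOURCE


def group_scopes_by_resource(scopes):
    """Map resource -> its scopes in first-seen order; reserved OIDC scopes are dropped."""
    groups = {}
    for scope in scopes:
        resource = resource_of(scope)
        if resource is not None:
            groups.setdefault(resource, []).append(scope)
    return groups


def check_single_resource(scopes):
    """Return the one resource the scopes target; raise ValueError (like AADSTS28000) if there are several."""
    resources = list(group_scopes_by_resource(scopes))
    if len(resources) > 1:
        raise ValueError("scope contains more than one resource: " + ", ".join(resources))
    return resources[0] if resources else None


def acquire_tokens_per_resource(app, account, scopes):
    """One acquire_token_silent call per resource; returns resource -> MSAL result (or None).

    `app` is an msal.PublicClientApplication whose cache already holds `account`
    (e.g. after acquire_token_by_device_flow). MSAL redeems the cached refresh
    token for each resource; None means no token could be obtained silently.
    """
    tokens = {}
    for resource, resource_scopes in group_scopes_by_resource(scopes).items():
        check_single_resource(resource_scopes)  # never send a mixed list to AAD
        tokens[resource] = app.acquire_token_silent(resource_scopes, account=account)
    return tokens


if __name__ == "__main__":  # needs network and a real app registration; placeholders below
    import msal

    CLIENT_ID = "<application (client) id>"
    AUTHORITY = "https://login.microsoftonline.com/common"
    SCOPES = [  # constructed sample; the question's Graph and SharePoint scopes
        "https://graph.microsoft.com/User.Read.All",
        "https://graph.microsoft.com/Sites.Read.All",
        "https://microsoft.sharepoint-df.com/AllSites.Read",
    ]
    app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
    groups = group_scopes_by_resource(SCOPES)

    # Interactive step once, for the first resource only.
    first_resource, first_scopes = next(iter(groups.items()))
    flow = app.initiate_device_flow(scopes=first_scopes)
    print(flow["message"])
    result = app.acquire_token_by_device_flow(flow)
    if "access_token" not in result:
        raise SystemExit(result.get("error_description", result))
    account = app.get_accounts()[0]

    # Remaining resources: silent, via the refresh token now in MSAL's cache.
    for resource, token in acquire_tokens_per_resource(app, account, SCOPES).items():
        if token is None:  # e.g. consent for this resource is still missing
            flow = app.initiate_device_flow(scopes=groups[resource])
            print(flow["message"])
            token = app.acquire_token_by_device_flow(flow)
        print(resource, "->", "ok" if "access_token" in token else token.get("error"))
```

Two caveats worth knowing. `acquire_token_silent` returns `None` rather than raising when the refresh-token exchange fails, which is what you see when the user has not yet consented to the second resource (the fallback above re-runs the device flow for just that resource); `acquire_token_silent_with_error` returns the AAD error body instead if you need it. And the grouping keys on scheme plus host, so `https://graph.microsoft.com/X` and a bare `X` land in the same request while `api://<app-id>/X` is treated as its own resource.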