DevUser

Reputation: 1

Azure AD on behalf of flow keeps failing with AADSTS65001

I have been having issues with getting a token using the on behalf of flow in Azure Active Directory. Essentially, I get a token from a React SPA which is sent to a middle tier .NET Azure Function, which in turn needs to create a new on behalf of token for the user. The new token is generated using the token passed by the front end application and the client id and client secret of the middle tier application.

I understand there are a lot of prerequisites and I am listing everything I have implemented.

I have an AD app registration XXX_embedding which has a scope called on_behalf_of exposed, to which both users and admins can consent. This will be used by a mid tier Azure Function. (image: Middle Tier App registration)

I have another AD app registration XXX_apptest2 which is used by the front end React application. This registration has the permission of the on_behalf_of scope exposed by XXX_embedding, which has been granted admin consent. The app has implicit flow enabled, which includes the id token and the access token. (image: Front End App Registration)

Using the front end client id, I call the authorize endpoint as below. (image: Auth Get Request) Note: I have specified the on_behalf_of scope in the request.

After this I am presented with a consent screen which shows the approval to the on_behalf_of scope. (image: Consent Screen)

On consenting I do get an auth token which does have the on_behalf_of scope, as shown by jwt.io. (image: Scope)

I am currently taking the token and using it in the following code in an Azure Function. (image: Mid Tier Code)

However, when I execute this I get the following error:

(image: Error)

What I am not understanding is that the token clearly has the scope of the app registration used by the mid tier; however, it still shows the AADSTS65001 error specifying that consent is still required.

Any help on this or any information on what is missing would be most appreciated.

I was expecting the middle tier application to get a new access token using the on behalf of scope; however, it shows the AADSTS65001 error specifying that consent is still required.

Upvotes: 0

Views: 721

Answers (1)

Naveen Sharma

Reputation: 1268

The error AADSTS65001 usually occurs if the application does not have the required permissions, like User.Read.All, to list users.

To resolve the error, add the User.Read.All permission to your middle-tier application (XXX_embedding) and make sure to grant consent to it:


Now, I ran the same /authorize request in the browser and got an access token with scp like this:

https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?client_id=appId&response_type=token&redirect_uri=https://jwt.ms&scope=api://xxxxxxx/on_behalf_of&response_mode=fragment&state=12345&nonce=678910&prompt=consent


In my case, I used the C# code below and got the list of users with display names successfully in the console:

using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Downstream (Microsoft Graph) scopes the middle tier requests in the OBO exchange.
var scopes = new[] { "User.Read.All" };

var tenantId = "tenantId";
var clientId = "middle_tier_appId";
var clientSecret = "middle_tier_appSecret";

var options = new OnBehalfOfCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};

// The access token the front end sent to the middle tier (the user assertion).
var oboToken = "token_from_above_request";

// Exchanges the incoming user token for a Graph token using the
// middle tier's own client id and secret.
var onBehalfOfCredential = new OnBehalfOfCredential(
    tenantId, clientId, clientSecret, oboToken, options);

var graphClient = new GraphServiceClient(onBehalfOfCredential, scopes);

// Await the call rather than blocking on .Result.
var users = await graphClient.Users.GetAsync();

foreach (var user in users.Value)
{
    Console.WriteLine(user.DisplayName);
}

Response:


Reference: Choose a Microsoft Graph authentication provider - Microsoft Graph

Upvotes: 0
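The question describes the token the front end hands to the middle tier, and the answer's C# code performs the on-behalf-of exchange through OnBehalfOfCredential. The following Python is an added illustration (not code from the question, the answer, or Microsoft) of what sits behind both: it inspects the incoming token's aud and scp claims, which is what a middle tier should check before attempting the exchange, and it builds the raw /oauth2/v2.0/token request that the OBO grant sends. The JWT and the middle-tier app id are constructed placeholders; the decoder deliberately does not verify the signature, which a real middle tier must do against the tenant's signing keys before trusting any claim.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample values (placeholders, not real identifiers).
MIDDLE_TIER_APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLAIMS = {
    "aud": f"api://{MIDDLE_TIER_APP_ID}",   # token is meant for the middle-tier API
    "iss": "https://login.microsoftonline.com/tenantId/v2.0",
    "scp": "on_behalf_of",                   # delegated scope exposed by XXX_embedding
    "exp": 4102444800,
}
# Constructed, unsigned JWT: header.payload.fake-signature
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"constructed-signature"),
])


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Signature, issuer and expiry checks must be done with the tenant's JWKS
    before a real middle tier trusts these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_incoming_token(token: str, middle_tier_app_id: str, required_scope: str) -> list:
    """Return the problems that would make the OBO exchange pointless before it starts:
    a token issued for some other audience, or one lacking the expected scope."""
    claims = decode_claims(token)
    problems = []
    valid_aud = {middle_tier_app_id, f"api://{middle_tier_app_id}"}
    if claims.get("aud") not in valid_aud:
        problems.append(f"aud {claims.get('aud')!r} is not the middle-tier app")
    granted = claims.get("scp", "").split()
    if required_scope not in granted:
        problems.append(f"scp {granted!r} lacks {required_scope!r}")
    return problems


def build_obo_request(tenant_id: str, client_id: str, client_secret: str,
                      user_assertion: str, downstream_scopes: list) -> tuple:
    """Build the token endpoint URL and form body of the OBO grant, i.e. the
    exchange OnBehalfOfCredential performs: the middle tier presents the user's
    token as the assertion plus its own client credentials, and asks for
    downstream scopes. AADSTS65001 on this request means the tenant has not
    consented to those downstream scopes for client_id."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": " ".join(downstream_scopes),
        "requested_token_use": "on_behalf_of",
    }
    return url, body


if __name__ == "__main__":
    issues = check_incoming_token(SAMPLE_TOKEN, MIDDLE_TIER_APP_ID, "on_behalf_of")
    print("incoming token problems:", issues or "none")
    url, body = build_obo_request(
        "tenantId", "middle_tier_appId", "middle_tier_appSecret",
        SAMPLE_TOKEN, ["https://graph.microsoft.com/User.Read.All"])
    print(url)
    print({k: (v if k != "client_secret" else "***") for k, v in body.items()})
```

The pre-check separates two failure modes that both surface as a rejected exchange: a front-end token whose aud is Microsoft Graph rather than the middle-tier API (the SPA requested the wrong scope), and a correct token whose exchange is refused because the middle-tier registration has no consented Graph permission. Only the second produces AADSTS65001 from the token endpoint, which is the case the answer addresses.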
