Failure to obtain token with ConfidentialClient - Azure Government #48
Comments
Hi,

```powershell
# $secret (SecureString), $TenantId and $scopes are set earlier in the script
$clientId = "clientId"
Get-MsalToken -ClientId $clientId -ClientSecret $secret -TenantId $TenantId -Scopes $scopes -AzureCloudInstance AzureChina
```
I'll just piggyback on this... I spent the last 90 minutes troubleshooting connecting to Azure Gov with the same error and finally got it through. Similar, I think, to issue #45. The "AzureCloudInstance" parameter appears to do nothing. I tried a ton of variations and always got an error, and in the end you don't need it. On your Application Registration in Azure AD check a couple of things. There needs to be a redirect URI for

When performing the request, define the authority and redirect URI, and you must specify the Azure Gov related URI scopes. The scopes one almost got me: by default it does not provide the contextual Azure Government scopes even when the Cloud Instance parameter is set.

Example using the Graph API with a custom App Registration. This forces interactive sign-in and will prompt you to log in to the application. Define these:

```powershell
$cloud = 'AzureUSGovernment'          # You can remove the param below and it'll still work.
$AppRegistrationClientID = 'xxxxx'    # your own client id.

# Authority, redirect URI and scope all point at the Azure Government endpoints
$msal = Get-MsalToken -ClientId $AppRegistrationClientID -AzureCloudInstance $cloud -Interactive `
    -RedirectUri 'https://login.microsoftonline.us/common/oauth2/nativeclient' `
    -Authority 'https://login.microsoftonline.us/common' `
    -Scopes 'https://graph.microsoft.us/.default'
$msal
```
Yeah, it appears MSAL.NET added a requirement to define the AzureCloudInstance when creating the client app definition. MSAL.PS handles this automatically if you just call Get-MsalToken directly. I do not have the bandwidth to fix this right now, but you can work around it in a couple of different ways. @benatsb called out one way, which is to specify the Authority directly. The other way is to manually create your client app definition first like below. It only works if you specify a tenantId as well, for some reason.

```powershell
# Build the client application with the cloud instance and tenant up front
$ClientApp = New-MsalClientApplication -ClientId a16fa73c-ee98-43ee-900c-ddfa5a687877 -AzureCloudInstance AzureUsGovernment -TenantId jasoth.onmicrosoft.us

# Then request the token from that app, using the Azure Government Graph scope
$MsalToken = $ClientApp | Get-MsalToken -Scopes 'https://graph.microsoft.us/.default'
```
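The two workarounds in this thread (spell out the authority yourself, and use the sovereign cloud's own Graph scope) applied to the confidential-client case the issue title asks about, as an added example that is not code from the MSAL.PS project or from the commenters above. The per-cloud endpoint table, the helper function names, the placeholder client id and tenant name, and the audience check on the returned token are my own; it assumes MSAL.PS is installed and that Get-MsalToken accepts a tenant-qualified -Authority for the client-secret flow, in the same way the interactive example above accepts /common. It also covers Azure China, which the opening post was targeting, since only the two endpoint hosts differ.

```powershell
# Added example; not code from the MSAL.PS project or from the commenters above.
# Assumes: MSAL.PS is installed, an app registration with a client secret exists in
# the target cloud, and the ids passed in are your own (the usage at the bottom uses
# placeholder values).
Import-Module MSAL.PS

# Authority host and Graph resource differ per sovereign cloud. The commercial-cloud
# defaults (login.microsoftonline.com / graph.microsoft.com) are what you end up with
# when -AzureCloudInstance is ignored, so both are spelled out explicitly here.
$CloudEndpoints = @{
    AzurePublic       = @{ Authority = 'https://login.microsoftonline.com'; Graph = 'https://graph.microsoft.com' }
    AzureUsGovernment = @{ Authority = 'https://login.microsoftonline.us';  Graph = 'https://graph.microsoft.us' }
    AzureChina        = @{ Authority = 'https://login.chinacloudapi.cn';    Graph = 'https://microsoftgraph.chinacloudapi.cn' }
}

# Decodes a JWT payload (base64url, no signature verification) so the claims can be inspected.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-SovereignGraphToken {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,        # tenant GUID or *.onmicrosoft.us / *.partner.onmschina.cn name
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [ValidateSet('AzurePublic', 'AzureUsGovernment', 'AzureChina')]
        [string] $Cloud = 'AzureUsGovernment'
    )
    $ep = $CloudEndpoints[$Cloud]

    # Client-credential flow: a confidential client cannot use /common, so the tenant is
    # embedded in the authority, and the scope is the sovereign Graph's /.default.
    $token = Get-MsalToken -ClientId $ClientId -ClientSecret $ClientSecret `
        -Authority "$($ep.Authority)/$TenantId" -Scopes "$($ep.Graph)/.default"

    # Check the token is usable against the sovereign Graph before sending it anywhere:
    # an audience on another cloud's Graph host means the request went to the wrong
    # authority and the API will answer 401. Tokens whose 'aud' is an app id are not
    # checked here (assumption: the URI form is what a /.default request returns).
    $claims = ConvertFrom-JwtPayload -Jwt $token.AccessToken
    $aud = [string]$claims.aud
    if ($aud -like 'https://*' -and $aud.TrimEnd('/') -ne $ep.Graph) {
        throw "Token audience '$aud' is not '$($ep.Graph)'; check -Authority and -Scopes."
    }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    Write-Verbose "iss=$($claims.iss) aud=$aud exp=$exp"
    $token
}

# Usage (placeholders; the secret is read interactively so it never sits in the script).
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$tok = Get-SovereignGraphToken -ClientId '00000000-0000-0000-0000-000000000000' `
    -TenantId 'contoso.onmicrosoft.us' -ClientSecret $secret -Cloud AzureUsGovernment -Verbose
Invoke-RestMethod -Uri "$($CloudEndpoints.AzureUsGovernment.Graph)/v1.0/organization" `
    -Headers @{ Authorization = "Bearer $($tok.AccessToken)" }
```

The audience check is the part worth keeping even if you drop the rest: a token minted by login.microsoftonline.com for graph.microsoft.com looks identical to a Government one from PowerShell's point of view until Graph rejects it, and decoding the `aud` claim locally shows the mismatch before any request is made.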
No matter the permutation here, I seem to keep getting the following error: