Scopes Not Returned w/ Client Credential Flow

Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?


In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔

Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.

scopes screenshot

web api client a api permissions

I ran across this Azure Feedback item: V2.0 Client Credentials Implement Scopes so it appears scopes aren't supported in Azure AD under the client credential flow?

What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?

It would seem I would have to use application permissions?


Solution 1:

Yes, you have to use application permissions.

Scopes aka delegated permissions only apply when a user is involved in the login process. They allow you to act on behalf of a user.

Application permissions are sort of roles given to the application itself. They only apply when doing client credentials authentication, where no user is involved. You can define application permissions on the app via the Manifest in the app registration. These can then be assigned to the client application. When getting the token, you must use .default because you cannot change your app permissions dynamically. You always get what has been granted already. In the token the permissions will be in a roles claim.

Solution 2:

Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?

No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:

manifest config screenshot

Then you can provide the client app permission:

client permission grant screenshot

Now when requesting a token with a scope of api://web-api-client-credential-flow/.default the "scopes" are returned in the roles claim. Sample JWT

jwt screenshot of roles