Msal-Angular v1 - acquireTokenPopup/LoginPopup returns an Access Token with Insufficient Privileges even after granting admin consent

Question

We are receiving an invalid accessToken with empty scopes on the first grant of admin consent. If the user retries again - we call the acquireTokenPopup and the accessToken becomes valid.

Reproduction Steps

Step 1: Admin clicks the log in button (loginPopup)

Step 2: MS prompts login and admin consent page (We need User.Read.All)

Step 3: We call acquireTokenSilent() to acquire for Access Token as the AuthenticationProvider of our Graph Client

Step 4: Graph API /users request returns 403 - insufficient permission

Core Library: @azure/msal or msal

Core Library Version: 1.4.8

Wrapper Library: @azure/msal-angular

Wrapper Library Version: 1.1.2

Angular: 7

I've created a GitHub Issue ticket here: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/3524

Use https://jwt.ms/ to parse the token and provide screenshots. — Carl Zhao, Apr 26 '21 at 07:54
Go to API permissions to provide screenshots. https://i.stack.imgur.com/39b0J.png — Carl Zhao, Apr 26 '21 at 08:15
Are you granting delegated permissions or application permissions? Do you grant administrator consent for this permission? — Carl Zhao, Apr 26 '21 at 08:22
i'm good with the permissions, its just that right after granting of consent, the access token still doesn't have the permission. When the user retries logging in again, the accessToken is valid already. It seems there's a bit of a delay? — smiranda, Apr 26 '21 at 09:01

score 0 · Accepted Answer · answered Apr 26 '21 at 09:56

0

When you add permissions to the application, you must grant the tenant-wide administrator consent for the application. However, there will be a short delay whether it is granting the administrator consent in the Azure portal or using the administrator consent URL.

If you request an access token immediately after obtaining the administrator’s consent, it may cause the token to lack permissions. In this case, you only need to refresh, and then try to obtain the token again.

In addition, you must ensure that the token is obtained after the administrator consent, otherwise the original token will still not contain the new permissions.

answered Apr 26 '21 at 09:56

Carl Zhao

8,543
2
11
19

Thanks for your help Carl, do you know where this is documented so we can put it forward for acceptance? – smiranda Apr 26 '21 at 10:20
The official document does not explain this. In fact, you are definitely not the only one who encounters delays. I have answered [similar questions](https://stackoverflow.com/questions/65846011/authorization-identitynotfound-on-microsoft-graph-api-request-first-time/65871697#65871697) before. Therefore, I think you can [request support](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) from Microsoft. – Carl Zhao Apr 27 '21 at 08:07

Msal-Angular v1 - acquireTokenPopup/LoginPopup returns an Access Token with Insufficient Privileges even after granting admin consent

1 Answers1