Can't Authorize to Azure App Configuration using Azure AD token


We are developing an MS Teams Tab app that is trying to use an Azure AD token to access our App Configuration.

We use this token to fetch Office 365 contacts using Graph Service and it's working as expected, but when we try to use the same token to access the App Configuration we created, we get a 401 Unauthorized error. Bearer error="invalid_token", error_description="Authorization token failed validation".

The endpoint we use for fetching the token is 'https://login.microsoftonline.com/{tenatdId}/oauth2/v2.0/token'

The scope we are using is 'User.Read User.ReadBasic.All Contacts.Read openid profile offline_access'

If we add KeyValue.Read to the scope we get a 503 response - Service unavailable.

In our App Registration we have granted permissions for AppConfiguration KeyValue.Read and KeyValue.Write.

We are using Microsoft App Configuration client for JavaScript and created a custom implementation of the TokenCredential interface which returns the token mentioned above in its getToken() method.

Is there any other configuration needed or what are we doing wrong?

2 Replies
@forst19 - Could you please confirm whether the above documents helped you in any way, or are you still facing the issue?
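
An Azure AD access token is issued for a single resource, and the v2.0 token endpoint treats unqualified scopes such as `User.Read` as Microsoft Graph scopes, so a custom `getToken()` that returns the Graph token regardless of its `scopes` argument hands App Configuration a token for another audience. The following added example (not code from the thread or from the Azure SDK) shows a credential that acquires a token per requested scope and rejects a Graph-audience token offered for a non-Graph resource; the `acquire` callback, the store name `example-store` and the unsigned sample token are assumptions made for illustration.

```javascript
// Added example, not code from the thread. `acquire` is a hypothetical callback
// the app supplies to get a token for the requested scopes (e.g. via MSAL).
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph application ID
]);

// Read JWT claims WITHOUT verifying the signature: diagnostics only.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a JWT (expected 3 segments)");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return JSON.parse(atob(b64));
}

// "https://host/.default" -> "https://host"; bare names like "User.Read" -> null.
function resourceOfScope(scope) {
  const m = /^(https:\/\/[^/]+)\/[^/]+$/i.exec(scope);
  return m ? m[1].toLowerCase() : null;
}

// Flag a Graph-audience token being offered for a non-Graph resource.
function checkTokenForScopes(token, scopes) {
  const aud = String(decodeJwtPayload(token).aud || "").replace(/\/$/, "").toLowerCase();
  const wanted = [].concat(scopes).map(resourceOfScope).filter(Boolean);
  const mismatch = GRAPH_AUDIENCES.has(aud) && wanted.some((r) => !GRAPH_AUDIENCES.has(r));
  return { aud, wanted, ok: !mismatch };
}

// TokenCredential-shaped wrapper: honours the scopes the SDK client passes in
// instead of returning one fixed token for every resource.
class ScopedCredential {
  constructor(acquire) { this.acquire = acquire; this.cache = new Map(); }
  async getToken(scopes) {
    const key = [].concat(scopes).sort().join(" ");
    let entry = this.cache.get(key);
    if (!entry || entry.expiresOnTimestamp - Date.now() < 60000) {
      entry = await this.acquire([].concat(scopes));
      const check = checkTokenForScopes(entry.token, scopes);
      if (!check.ok) throw new Error(`token aud ${check.aud} does not cover ${check.wanted.join(", ")}`);
      this.cache.set(key, entry);
    }
    return entry; // { token, expiresOnTimestamp }
  }
}

// Constructed, unsigned sample token for local testing only.
function makeSampleJwt(claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}
```

The audience check decodes the token without validating its signature, so it is a client-side diagnostic; the resource server remains the authority on whether a token is accepted.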