Request token via `az account get-access-token` for Graph using multiple scopes

[christothes]

Describe the bug

Azure.Identity invokes AzureCLI for token requests in its AzureCliCredential implementation. I am wondering if there is a way to invoke az account get-access-token to get a token for Azure Graph with multiple scopes. In the comment of this issue, I tried it a few different ways and it wasn't clear how it can be done.

Currently in Azure.Identity, we only allow a single scope and pass it to the --resource switch on the CLI. But if we wanted to allow multiple scopes, it is unclear how we would call the CLI to do this. Is it true that this is not possible, or is there a syntax that would work here?

Related command

az account get-access-token

Errors

Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614471, Tag: 508634083
Please explicitly log in with:
az login --scope https://graph.microsoft.com/.default User.Read

Issue script & Debug output

n/a

Expected behavior

CLI can fetch a token for multiple scopes.

Environment Summary

azure-cli 2.67.0 *

core 2.67.0 *
telemetry 1.1.0

Extensions:
azure-dev 0.0.1b1532057
azure-devops 1.0.1
serial-console 0.1.6
ssh 2.0.2

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\chriss.azure\cliextensions'

Python (Windows) 3.12.7 (tags/v3.12.7:0b05ead, Oct 1 2024, 02:44:45) [MSC v.1941 32 bit (Intel)]

Additional context

No response

[azure-client-tools-bot-prd]

Hi @christothes,

2.67.0 is not the latest Azure CLI(2.69.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[christothes]

Hi @yonzhan Can you provide an update on this issue, please?

[jiasli]

Azure CLI >= 2.72.0 will show the error message instead of (pii) from Azure/azure-sdk-for-net#48240 (comment) (#28954).

> az account get-access-token --scope https://graph.microsoft.com/.default User.ReadWrite.All
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid aza https://graph.microsoft.com/.default profile User.ReadWrite.All offline_access openid is not valid. .default scope can't be combined with resource-specific scopes. Trace ID: 08b59cce-76f7-42ce-9a8f-cb6ef6e20d00 Correlation ID: 69985f66-6b6b-4de3-9762-9a65299727cc Timestamp: 2025-06-04 09:55:20Z. Status: Response_Status.Status_IncorrectConfiguration, Error code: 3399614471, Tag: 508634083

Currently in Azure.Identity, we only allow a single scope and pass it to the --resource switch on the CLI.

For az account get-access-token, --resource is for ADAL authentication and should not be used anymore. We recommend using --scope instead.

Azure CLI's first party app 04b07795-8ddb-461a-bbee-02f9e1bf7b46 is pre-authorized with these delegated permissions:

• AuditLog.Read.All
• Directory.AccessAsUser.All
• Group.ReadWrite.All
• User.ReadWrite.All

Using https://graph.microsoft.com//.default as scope should already give you all the delegated permissions Azure CLI possesses. See https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-default-scope

For example, this is the scp claim decoded (using https://jwt.ms/) from my personal access token retrieved by az account get-access-token --scope https://graph.microsoft.com//.default:

  "scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All",

Specifying individual permission as scope works:

az account get-access-token --scope https://graph.microsoft.com/Group.ReadWrite.All
az account get-access-token --scope https://graph.microsoft.com/User.ReadWrite.All

though the scp claim doesn't change and still contains all delegated permissions:

  "scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All",

This was explained in AzureAD/microsoft-authentication-library-for-python#665.

Specifying both delegated permissions gives error

> az account get-access-token --scope https://graph.microsoft.com/Group.ReadWrite.All User.ReadWrite.All
Token response failed because declined scopes are present:'user.readwrite.all'. Status: Response_Status.Status_ApiContractViolation, Error code: 0, Tag: 593794722

I am not sure if specifying multiple delegated permissions is possible.