A colleague was trying to get access tokens via a call like this:
|
1 2 3 4 5 6 |
https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?client_id={clientID} &response_type=code &redirect_uri={url} &response_mode=query &scope=api://{anotherAppId}/access.user https://analysis.windows.net/powerbi/api/Dataset.Read.All https://analysis.windows.net/powerbi/api/Report.Read.All &state=12345 |
It worked, but then when he tried to access the resource it failed.
I took a look at the access token and found that in case of the above call he was getting a token that looked like this:
See, it is for only one of the resources and for the scope we requested for that resource (api://{anotherAppId}/access.user). Interesting.
I asked him to flip the order such that the Power BI scopes were first. Now the token response only included the Power BI scopes.
So, lesson learnt. You can only get tokens for a single resource per call. I asked my colleague to make multiple calls for each of the resources, with their respective scopes, and now it works.
Later, Googled, and found others too confirming the same (e.g. here and here).