
[Bug] ApiContractViolation. Token response failed because declined scopes are present #5232


Open
mvanchaa opened this issue Apr 15, 2025 · 2 comments
Labels: needs attention (Delete label after triage), Possible-Solution, public-client, Similar-Issue, untriaged (Do not delete. Needed for Automation)

Comments

@mvanchaa

Library version used

4.65.0

.NET version

net 8.0

Scenario

PublicClient - desktop app

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

Users of azureauth have recently been reporting intermittent WAM failures due to "token response failed because declined scopes are present". They are trying to authenticate to Azure DevOps with the default scope. The failures are intermittent: the same user would see the broker succeed with the same scope, resource and client combination.

```text
Correlation ID: b15d6aef-18ed-4016-afb7-53bad3e90b7a
Exception Type: Microsoft.Identity.Client.MsalServiceException
WAM Error
Error Code: 0
Error Message: ApiContractViolation
WAM Error Message: Token response failed because declined scopes are present:'(pii)'
Internal Error Code: 593794722
Possible causes:

  • Invalid redirect uri - ensure you have configured the following url in the application registration in Azure Portal: ms-appx-web://microsoft.aad.brokerplugin/872cd9fa-d31f-45e0-9eab-6e460a02d1f1
```

Relevant code snippets

Expected behavior

WAM should succeed. If there is an issue with the redirect URI configuration, it shouldn't fail intermittently; it should fail all the time.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

@mvanchaa added the `needs attention` (Delete label after triage) and `untriaged` (Do not delete. Needed for Automation) labels on Apr 15, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Use AcquireTokenInteractive only with the User.Read scope to log in, then use AcquireTokenSilent with the app scope, passing result.Account (the account from the first authentication with WAM) as the second parameter. This will work only if the user had already given consent previously or if the tenant administrator has set consent.

Reference:

Powered by issue-sentinel
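The two-step pattern the suggestion above describes, written out as an added C# example against MSAL.NET's public client API (this is illustrative code for this page, not code from the issue author, the bot, or the MSAL.NET repository). ClientId and TenantId are placeholders, the Azure DevOps `.default` scope value is an assumption, and the broker redirect URI format is the one quoted in the error message above:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // provides WithBroker(BrokerOptions)

// Added example (not from the issue or the MSAL.NET repo). ClientId/TenantId are
// placeholders; AdoScope is the assumed Azure DevOps ".default" scope.
public static class BrokerLogin
{
    const string ClientId = "<your-client-id>";                                 // placeholder
    const string TenantId = "organizations";                                    // placeholder
    const string AdoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";    // assumption

    public static IPublicClientApplication Build()
    {
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            // Broker redirect URI format from the "Possible causes" text in the issue.
            .WithRedirectUri($"ms-appx-web://microsoft.aad.brokerplugin/{ClientId}")
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .Build();
    }

    public static async Task<AuthenticationResult> AcquireAdoTokenAsync(
        IPublicClientApplication app, IntPtr parentWindow)
    {
        // Step 1: interactive sign-in through the broker with only User.Read.
        var login = await app.AcquireTokenInteractive(new[] { "User.Read" })
            .WithParentActivityOrWindow(parentWindow)
            .ExecuteAsync();

        try
        {
            // Step 2: silent request for the real scope against the signed-in account.
            // Works only if consent for AdoScope was already granted (user or admin).
            return await app.AcquireTokenSilent(new[] { AdoScope }, login.Account)
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Consent is missing: report it with the correlation ID instead of retrying blindly.
            Console.Error.WriteLine($"Consent required for {AdoScope}; correlationId={ex.CorrelationId}");
            throw;
        }
        catch (MsalServiceException ex)
        {
            // Record the same fields the issue reports (error code, message, correlation ID)
            // so intermittent broker failures can be matched against service-side logs.
            Console.Error.WriteLine($"Service/broker failure: code={ex.ErrorCode} corr={ex.CorrelationId} msg={ex.Message}");
            throw;
        }
    }
}
```

The MsalUiRequiredException catch must come first because it derives from MsalServiceException; logging the correlation ID on every failure is what lets an intermittent case like the one reported here be traced on the service side.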

@mvanchaa (Author)

> Here are some similar issues that might help you. Please check if they can solve your problem.
>
> Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)
>
> Use AcquireTokenInteractive only with User.Read scope to login, then use AcquireTokenSilent with the app scope and passing as second parameter result.Account (result of the first authentication with WAM). This will work only if the user had already given consent previously or if the tenant administrator has set consent.
>
> Reference:
>
> Powered by issue-sentinel

The error message is the same, but the issues are not related.
The failure is intermittent, and it is succeeding with the given scope.
