Error when trying to login using Microsoft Cognitive Services in Public Desktop Client App in Entra External ID tenant

Roman Steiner 0 Reputation points
2024-09-25T13:18:28.55+00:00

I have an Entra External ID tenant with a registered public desktop app from which I want to call the APIs from an Azure Speech Service resource.

Via MSAL I log in like this:

using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET

var clientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
var tenantId = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
var tenantSubdomain = "tenantsubdomain";
// Resource scope for the Speech service (Cognitive Services resource)
var scopes = new string[] { "https://cognitiveservices.azure.com/.default" };

// Public client (no client secret) against the CIAM authority of the External ID tenant
var app = PublicClientApplicationBuilder.Create(clientId)
        //.WithTenantId(tenantId) // with or without this line gets me the same result
        .WithAuthority($"https://{tenantSubdomain}.ciamlogin.com/{tenantId}")
        .WithDefaultRedirectUri()
        .Build();

// Interactive sign-in; the returned AuthenticationResult carries the access token
var ar = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
// ...

However, when I try to login with a user account that was created in this tenant, I receive the following error message:

Error details: error invalid_request error_description: AADSTS500207: The account type can't be used for the resource you're trying to access.

If I switch out the scope https://cognitiveservices.azure.com/.default with https://graph.microsoft.com/.default the login works, but the resulting token can't be used to access the speech service. The app registers the following permissions:

Microsoft Cognitive Services (1)
 - user_impersonation

Microsoft Graph (5)
 - email
 - offline_access
 - openid
 - profile
 - User.Read

All of them have an admin grant for the tenant. I have also added a service principal for the Microsoft Cognitive Services app and have assigned my users to it. I have also granted the Cognitive Services Speech User role to both my users and the application on the speech resource.

Note: the scope for "user_impersonation" is https://internal.cognitiveservices.azure.us/user_impersonation, so I don't know if that matches https://cognitiveservices.azure.com/.default, but this was the only permission visible to me in the Entra portal under "Microsoft Cognitive Services". Also the description sounds correct to me:

Allows the application to access the Cognitive Services API acting as users in the organization.

On Stack Overflow someone says that Cognitive Services can't be used from CIAM logins. Is that true? If yes: how should I proceed for my use case of a non-confidential public desktop app? If not true: what am I doing wrong?
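A quick diagnostic that fits the situation described above: before sending an acquired token to the Speech endpoint, decode its payload and confirm the `aud` claim names the Cognitive Services resource rather than Microsoft Graph. This is an added example, not code from the question or from MSAL; the two sample tokens are constructed and unsigned, the audience values are assumptions based on the scope URI in the question, and the decoder deliberately skips signature validation because it only inspects a token the client already holds.

```python
import base64
import json

# Assumption: audiences a token requested with https://cognitiveservices.azure.com/.default
# may carry (resource URI with and without a trailing slash).
COGNITIVE_SERVICES_AUDIENCES = {
    "https://cognitiveservices.azure.com",
    "https://cognitiveservices.azure.com/",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_resource(token: str, expected_audiences: set) -> dict:
    """Summarise whether `token` targets a resource expecting one of `expected_audiences`."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    scopes = claims.get("scp", "").split()  # delegated permissions granted to the app
    return {
        "aud": aud_list,
        "tid": claims.get("tid"),
        "scopes": scopes,
        "audience_ok": any(a in expected_audiences for a in aud_list),
        "has_user_impersonation": "user_impersonation" in scopes,
    }


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for the offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed samples: a Graph-audience token (what switching the scope yields) and the
# Cognitive Services-audience token the Speech API would actually accept.
GRAPH_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "tid": "constructed-tenant-id", "scp": "User.Read openid profile"})
SPEECH_TOKEN = _make_unsigned_token(
    {"aud": "https://cognitiveservices.azure.com", "tid": "constructed-tenant-id", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("speech", SPEECH_TOKEN)):
        print(name, check_token_for_resource(tok, COGNITIVE_SERVICES_AUDIENCES))
```

Run it against a real `ar.AccessToken` value to see immediately whether the token's audience is the reason the Speech call is rejected.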
