Token Perms : Get Windows LAPS through deviceLocalCredentials with InteractiveBrowserCredentials. #944
LincolnKermit asked this question in Q&A
Hello,
I've been stuck on a small problem for a week.
The problem is, during development I used a Graph API key and everything worked fine.
Since I want to push it to prod, I was asked to use InteractiveBrowserCredentials.
I set up everything and everything works fine except when I request this endpoint:
f"https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials('device_managed_id')?$select=credentials,deviceName"
I got the following error:
{'error': {'code': 'authorization_error', 'message': "Failed to authorize, token doesn't have the required permissions.", 'innerError': {'date': '2024-10-29T10:36:30', 'request-id': 'xxxxxxxxx', 'client-request-id': 'xxxxxxxxx'}}}
However, my scope and login process are the following:
AZURE_CLIENT_ID and AZURE_TENANT_ID are defined.
The app is in desktop app mode.
When I decrypt my token with jwt.io and look at the scope section, I get the following:
"scp": "DeviceManagementManagedDevices.Read.All Directory.AccessAsUser.All Directory.Read.All openid profile User.Read User.Read.All email"
Note that I can access macOS devices and all other info about users, but it's blocking at the endpoint mentioned earlier.
Sincerely,
LincolnKermit
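Added example, not part of the original post: a local check of an access token's delegated scopes against what the deviceLocalCredentials call needs, done in Python so the token never has to be pasted into a website. The required scope name comes from the Microsoft Graph permissions reference and is an assumption here, as are the helper names; the sample token is constructed around the scp value from the post.

```python
import base64
import json

# Assumption (not stated in the post): per the Microsoft Graph permissions
# reference, reading a device's LAPS password needs this delegated scope.
REQUIRED_SCOPES = {"DeviceLocalCredential.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload locally. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Return required delegated scopes absent from the token's scp claim."""
    granted = set(jwt_claims(token).get("scp", "").split())
    return set(required) - granted


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# scp value copied from the post; the rest of the token is constructed.
SAMPLE = constructed_token({
    "scp": "DeviceManagementManagedDevices.Read.All Directory.AccessAsUser.All "
           "Directory.Read.All openid profile User.Read User.Read.All email"
})

if __name__ == "__main__":
    print("missing scopes:", sorted(missing_scopes(SAMPLE)) or "none")
```

This covers delegated (user sign-in) tokens only; app-only tokens carry permissions in the `roles` claim instead of `scp`.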