Issue with Acquiring Access Token silently in Android with scope "Teams.ManageCalls"

Róbert Hálfdanarson 40 Reputation points
2024-11-10T11:58:25.1333333+00:00

Hello,

I'm developing an Android (Kotlin, Android Compose) app using Azure Communication Services to enable calls from the app to Microsoft Teams users. To initiate these calls, I need a teamsAccessToken. I’ve set up MSAL to acquire the user’s access token with the necessary scopes (https://auth.msft.communication.azure.com/Teams.ManageCalls), then convert it to a Teams access token.

Currently, I’m manually creating this token to test the functionality, and it works as expected. However, now I need to automate this process. When I use acquireTokenWithDeviceCode with the same scope, I successfully obtain the user access token. But if I try to use acquireTokenSilent or acquireToken with the same scope, I encounter an error: "Error: Some or all requested scopes have been declined by the Server". The application has the correct API permission and I have given them Admin consent even though I did not need to.

Since the app will run in Kiosk mode, I want to avoid frequent manual re-authentication. My goal is to automate token acquisition on the device itself without needing a separate server.

Questions:

  1. Why do I get the error with acquireTokenSilent using the scope https://auth.msft.communication.azure.com/Teams.ManageCalls that works with acquireTokenWithDeviceCode?
  2. Is there a way to make acquireTokenSilent work with these scopes, or should I consider a different approach for handling token refresh in Kiosk mode, like setting up a server that handles the authentication part?

Accepted answer
  1. Sayali-MSFT 2,906 Reputation points Microsoft Vendor
    2024-11-13T12:21:21.2766667+00:00

    1. Why do I get the error with acquireTokenSilent using the scope https://auth.msft.communication.azure.com/Teams.ManageCalls that works with acquireTokenWithDeviceCode?

    The error you're encountering with acquireTokenSilent is likely due to the fact that some scopes, such as https://auth.msft.communication.azure.com/Teams.ManageCalls, require user interaction for consent. When you use acquireTokenWithDeviceCode, it involves user interaction, which allows the user to grant the necessary permissions. However, acquireTokenSilent does not involve user interaction and relies on previously granted permissions. If the required permissions were not granted during the initial interactive authentication, acquireTokenSilent will fail.
    Reference document: https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/manage-teams-identity?pivots=programming-language-csharp

    2. Is there a way to make acquireTokenSilent work with these scopes, or should I consider a different approach for handling token refresh in Kiosk mode?

    To make acquireTokenSilent work with these scopes, you need to ensure that the user has already granted the necessary permissions during an interactive authentication flow.

    • Ensure that the user goes through an interactive authentication flow at least once to grant the necessary permissions. After that, acquireTokenSilent should work as long as the token is still valid.
    • Implement token caching to store the access token and refresh token securely on the device. This way, you can use the refresh token to obtain a new access token without requiring user interaction.
    • As mentioned in the Microsoft Learn article, it's recommended to implement the token exchange mechanism in backend services. This approach involves having a backend service that handles the authentication and token refresh process, which can then provide the access token to the device.
    • Implement logic to handle token expiry by catching the MsalUiRequiredException and prompting the user to re-authenticate interactively if necessary.

    Given that your app will run in Kiosk mode, setting up a backend service to handle the authentication part might be the most robust solution. This way, you can avoid frequent manual re-authentication and ensure a seamless user experience.
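
Added example, not part of the original answer and not Microsoft's sample code: the silent-first flow with an interactive fallback on MsalUiRequiredException that the answer describes, written against MSAL for Android. It uses the callback-based acquireTokenSilentAsync; the function name, the callbacks and the way `app` and `account` are obtained are assumptions.

```kotlin
import android.app.Activity
import com.microsoft.identity.client.AcquireTokenParameters
import com.microsoft.identity.client.AcquireTokenSilentParameters
import com.microsoft.identity.client.AuthenticationCallback
import com.microsoft.identity.client.IAccount
import com.microsoft.identity.client.IAuthenticationResult
import com.microsoft.identity.client.IPublicClientApplication
import com.microsoft.identity.client.SilentAuthenticationCallback
import com.microsoft.identity.client.exception.MsalException
import com.microsoft.identity.client.exception.MsalUiRequiredException

// Scope taken from the question; every other name here is hypothetical.
private val TEAMS_SCOPES = listOf("https://auth.msft.communication.azure.com/Teams.ManageCalls")

fun acquireTeamsUserToken(
    app: IPublicClientApplication,  // assumed: already created from the app's MSAL config
    account: IAccount,              // assumed: cached by an earlier interactive sign-in
    activity: Activity,
    onToken: (IAuthenticationResult) -> Unit,
    onFailure: (Throwable) -> Unit,
) {
    val interactive = object : AuthenticationCallback {
        override fun onSuccess(result: IAuthenticationResult) = onToken(result)
        override fun onError(e: MsalException) = onFailure(e)
        override fun onCancel() =
            onFailure(java.util.concurrent.CancellationException("sign-in cancelled"))
    }
    val silent = object : SilentAuthenticationCallback {
        override fun onSuccess(result: IAuthenticationResult) = onToken(result)
        override fun onError(e: MsalException) {
            if (e is MsalUiRequiredException) {
                // The cache cannot satisfy the request (consent missing, refresh
                // token expired or revoked): prompt the user interactively.
                app.acquireToken(
                    AcquireTokenParameters.Builder()
                        .startAuthorizationFromActivity(activity)
                        .forAccount(account)
                        .withScopes(TEAMS_SCOPES)
                        .withCallback(interactive)
                        .build()
                )
            } else onFailure(e)  // network or service errors: report, do not prompt
        }
    }
    app.acquireTokenSilentAsync(
        AcquireTokenSilentParameters.Builder()
            .forAccount(account)
            .fromAuthority(account.authority)
            .withScopes(TEAMS_SCOPES)
            .withCallback(silent)
            .build()
    )
}
```

On a kiosk device the interactive branch needs someone present to sign in, so treat it as an operator alert rather than a routine path, and keep the returned token out of logs.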

