How to get token from MS identity without passing a scope

Gagandeep Singh 0

I'm trying to secure Azure functions with easy authentication. .V1 version of MS identity gives us the ability to request token without providing the scope or resource but it sets the aud claim to GUID : 00000002-0000-0000-c000-000000000000 (which i believe is the default GUID for Entra id)

I'm trying to understand the implications if I add this GUID to the allowed audience of function app. For context request is being made from a SAAS application that does not send scope while getting token from provider.

Ranashekar Guda 580 Reputation points Microsoft External Staff

2025-03-10T17:57:53.3333333+00:00
Hi @Gagandeep Singh,

Adding the default GUID (00000002-0000-0000-c000-000000000000) to your Azure Function's allowed audience may allow tokens intended for Microsoft Graph or other services to access your function, posing a security risk. It's better to specify a more targeted audience and scope in the token request, ensuring the token is meant for your application or API. In Azure AD v2.0, you can specify custom scopes to ensure the token is valid for your function and more securely manage authentication, instead of relying on the default GUID.

For further clarification, please refer to the following documentations:

Manage tokens for Zero Trust

Acquire and cache tokens using the Microsoft Authentication Library (MSAL)

I hope this helps resolve your issue. Feel free to reach out if you have further concerns.

Share via

How to get token from MS identity without passing a scope

Your answer