4.11.3 Acquiring an AAD Nonce

The client MUST acquire a fresh AAD Nonce from the Azure AD Authority during every RDS AAD Auth handshake; a nonce obtained for an earlier handshake MUST NOT be reused. To accomplish this, the client must send a "POST" HTTP request to the Token endpoint on an Azure AD Authority server. The Azure AD Authority hostname depends on the cloud being used. For the Microsoft Public Cloud the hostname is "login.microsoftonline.com".

The request content must be set to "grant_type=srv_challenge".

If the request succeeds, the response content will contain the JSON message:

 {
     "Nonce":"<aad_nonce>"
 }

Where aad_nonce is the AAD Nonce.

Example HTTP request:

 POST /common/oauth2/token HTTP/1.1
  
 Host: login.microsoftonline.com
 Content-Length: 24
  
 grant_type=srv_challenge

Example HTTP response (line breaks added and some values truncated for readability):

 HTTP/1.1 200 OK
 ...<truncated>
 Content-Length: 139
  
 {
     "Nonce":"AwABA...<truncated>"
 }
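The exchange above, as an added example that is not part of the specification or of any Microsoft client code: a small Python module that builds the nonce request byte-for-byte, validates the response (status, Content-Length, JSON shape) before trusting the value, and wraps both behind an injectable transport so one fresh nonce is fetched per handshake. The helper names (build_nonce_request, parse_nonce_response, fetch_nonce, NonceError), the constructed sample response and the constructed nonce value are assumptions made for the example; the host, path, body and JSON key come from the text.

```python
"""Added example (not from the spec): acquire and validate an AAD Nonce."""
import json
from typing import Callable, Optional

# Values taken from the specification text.
PUBLIC_CLOUD_AUTHORITY = "login.microsoftonline.com"
TOKEN_PATH = "/common/oauth2/token"
GRANT_BODY = "grant_type=srv_challenge"


class NonceError(ValueError):
    """Raised when the response does not carry a usable AAD Nonce (assumed name)."""


def build_nonce_request(host: str = PUBLIC_CLOUD_AUTHORITY) -> bytes:
    """Return the raw HTTP/1.1 request for the nonce POST.

    Content-Length is derived from the body rather than hard-coded so the
    two cannot drift apart; for the fixed body it comes out as 24.
    """
    body = GRANT_BODY.encode("ascii")
    head = (
        f"POST {TOKEN_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def parse_nonce_response(raw: bytes) -> str:
    """Extract the AAD Nonce from a raw HTTP/1.1 response.

    Rejects anything that is not a 200 whose Content-Length matches the body
    and whose body is a JSON object with a non-empty string "Nonce".
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise NonceError("malformed response: no header/body separator")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or status[0] != b"HTTP/1.1" or status[1] != b"200":
        raise NonceError(f"unexpected status line: {lines[0]!r}")
    content_length: Optional[int] = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                content_length = int(value.strip())
            except ValueError as exc:
                raise NonceError(f"bad Content-Length: {value!r}") from exc
    if content_length is not None and content_length != len(body):
        raise NonceError(
            f"Content-Length {content_length} does not match body length {len(body)}"
        )
    try:
        obj = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise NonceError("response body is not valid JSON") from exc
    nonce = obj.get("Nonce") if isinstance(obj, dict) else None
    if not isinstance(nonce, str) or not nonce:
        raise NonceError('response JSON has no non-empty "Nonce" string')
    return nonce


def nonce_or_none(raw: bytes) -> Optional[str]:
    """Convenience wrapper: the nonce, or None if the response is rejected."""
    try:
        return parse_nonce_response(raw)
    except NonceError:
        return None


def fetch_nonce(send: Callable[[bytes], bytes], host: str = PUBLIC_CLOUD_AUTHORITY) -> str:
    """Obtain one fresh nonce for one handshake.

    `send` takes the raw request bytes and returns the raw response bytes.
    In a real client this is a TLS connection to the authority host; callers
    must invoke this once per handshake and never cache the result.
    """
    return parse_nonce_response(send(build_nonce_request(host)))


# Constructed sample response (the nonce value is made up for the example).
SAMPLE_NONCE = "AwABAAEAAAACAOz_EXAMPLE_NONCE"
_SAMPLE_BODY = json.dumps({"Nonce": SAMPLE_NONCE}, separators=(",", ":")).encode()
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Content-Length: " + str(len(_SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + _SAMPLE_BODY
)


if __name__ == "__main__":
    print(build_nonce_request().decode())
    print("nonce:", fetch_nonce(lambda _req: SAMPLE_RESPONSE))
```

The transport is injected rather than opened inside the module so the request construction and response validation can be exercised against captured bytes; a production client would pass a function that writes to a TLS socket connected to the authority host and returns what it reads back.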