
Invalid instructions for manual app registration creation

Open john-gros opened this issue 3 years ago • 1 comments

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

  1. Web app that signs in users
    1. [ ] with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
    2. [ ] with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
    3. [ ] with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
    4. [ ] with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
    5. [ ] with B2C users 1-WebApp-OIDC/1-5-B2C
  2. Web app that calls Microsoft Graph
    1. [ ] Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
    2. [ ] With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
    3. [ ] Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
  3. [ ] Web app calling several APIs 3-WebApp-multi-APIs
  4. [ ] Web app calling your own Web API
    1. [x] with a work and school account in your organization: 4-WebApp-your-API/4-1-MyOrg
    2. [ ] with B2C users: 4-WebApp-your-API/4-2-B2C
    3. [ ] with any work and school account: 4-WebApp-your-API/4-3-AnyOrg
  5. Web app restricting users
    1. [ ] by Roles: 5-WebApp-AuthZ/5-1-Roles
    2. [ ] by Groups: 5-WebApp-AuthZ/5-2-Groups
  6. [ ] Deployment to Azure
  7. [ ] Other (please describe)

Repro-ing the issue

Repro steps

Clone the repo and follow the instructions to use the 4-1 sample using the manual steps provided (do NOT use the automation scripts).

Expected behavior

The Client Web App allows you to manage the ToDo list through the Service App.

Actual behavior

The Service App returns a 403 Forbidden.

Possible Solution

In the instructions provided under "Register the service app" (step 2), at 6. Expose an API, the only scope to register is user_impersonation, but the automation script produces the scopes ToDoList.Read and ToDoList.Write, which are also used in the Service App's controller.

Manually replacing (in Azure and in the Client App's appsettings) the scope given in the instructions with the two others does fix this issue.

Additional context/ Error codes / Screenshots

Any log messages given by the failure

Add any other context about the problem here, such as logs.

OS and Version?

Windows 10

Versions

ASP.NET Core 6

Attempting to troubleshoot yourself:

Mention any other details that might be useful


Thanks! We'll be in touch soon.

john-gros avatar Jul 07 '22 10:07 john-gros
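As an added illustration, not code from the sample repository, the C# below models the scope check a web API such as the Service App performs on the token's `scp` claim, assuming the API accepts ToDoList.Read / ToDoList.Write as the issue describes: a token issued for the user_impersonation scope from the manual registration fails the check and is answered with 403, while a token carrying the scopes the automation script registers passes.

```csharp
using System;
using System.Linq;

// Added example, not the sample's own code: models how a web API that accepts
// ToDoList.Read / ToDoList.Write treats the delegated scopes in an access token.
// In Microsoft.Identity.Web the same check is expressed with
// [RequiredScope("ToDoList.Read", "ToDoList.Write")] on the controller or
// HttpContext.VerifyUserHasAnyAcceptedScope(...), both of which yield 403 on a mismatch.
static class ScopeCheck
{
    // Scopes the Service App's controller accepts (assumed, following the issue text).
    static readonly string[] AcceptedScopes = { "ToDoList.Read", "ToDoList.Write" };

    // The "scp" claim is a space-separated list of delegated permissions granted
    // to the client app for this API. The check passes if any accepted scope is present.
    static bool HasAnyAcceptedScope(string scpClaim, string[] accepted)
    {
        if (string.IsNullOrWhiteSpace(scpClaim)) return false;
        var granted = scpClaim.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        return granted.Any(s => accepted.Contains(s, StringComparer.Ordinal));
    }

    // HTTP status the API would return for a request carrying this scp claim.
    static int StatusFor(string scpClaim) =>
        HasAnyAcceptedScope(scpClaim, AcceptedScopes) ? 200 : 403;

    static void Main()
    {
        // Constructed claim values, as they would appear after the client requested
        // the scopes configured in its appsettings.json.

        // App registration exposing only user_impersonation (manual instructions):
        // none of the accepted scopes is present, so the API rejects the call.
        Console.WriteLine($"user_impersonation -> {StatusFor("user_impersonation")}");

        // App registration exposing ToDoList.Read and ToDoList.Write (automation script):
        // the accepted scopes are present, so the call is allowed.
        Console.WriteLine($"ToDoList.Read ToDoList.Write -> {StatusFor("ToDoList.Read ToDoList.Write")}");
    }
}
```

The fix described in the issue keeps both sides consistent: the scopes exposed on the service app registration, the scopes the client requests in its appsettings, and the scopes the API's controller accepts must all name ToDoList.Read and ToDoList.Write.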

@kalyankrishna1 : can you or your team please have a look?

jmprieur avatar Jul 07 '22 16:07 jmprieur

@john-gros We recently updated the Manual instructions. Could you please review once again and let me know? We tested the new instructions a few times and they should suffice now. Waiting for your response.

Alex

aremo-ms avatar Aug 29 '22 02:08 aremo-ms