When using the defaultTenantClient, everything works: there is no unauthorized-access error.
When using an API client app that only has t.authenticate, the token does not receive all of the user's privileges.
The request posts with grant_type jwt bearer and assertion user_id_token in both cases; the only difference seems to be the privileges of the app used.
The failing case, using an API client app with only t.authenticate, results in the following token scope:
{
[...omitted for brevity...]
"azserver-token-ext-tokenScopes":"urn:iam:m.me urn:iam:t.authenticate",
[...omitted for brevity...]
}
The working case, using the defaultTenantClient app, results in the following token scope:
{
[...omitted for brevity...]
"azserver-token-ext-tokenScopes":"urn:iam:t.userpasswordadmin urn:iam:m.me urn:iam:t.all",
[...omitted for brevity...]
}
As per the documentation, when using the API to configure the application, set the option "Client can act on-behalf-of a user" to get the administrative permissions (1).
The defaultTenantClient does not need the on-behalf-of setting, since it has the t.all privilege: the intersection of client and user privileges therefore yields the right set, as if it were acting on-behalf-of.
With a client that only has t.authenticate, the intersection has no administrative privileges in common, so the token gets none unless the flag is set, which tells the server to look at ONLY the user side.
Check the "Client can act on behalf of a user" parameter to solve the issue.
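As an added illustration of the intersection rule described above (not code from the identity service or its documentation), the following Python models how the issued scopes are derived and checks a tokenScopes claim for the administrative scope. The sample privilege sets, the treatment of urn:iam:t.all as a wildcard over urn:iam:t.* scopes, and the helper names are assumptions made for this example.

```python
from __future__ import annotations

TENANT_WILDCARD = "urn:iam:t.all"
ADMIN_SCOPE = "urn:iam:t.userpasswordadmin"

# Constructed sample privilege sets (assumptions for this illustration, not
# values taken from a real tenant).
USER_SCOPES = {"urn:iam:m.me", "urn:iam:t.authenticate", ADMIN_SCOPE}
RESTRICTED_CLIENT = {"urn:iam:m.me", "urn:iam:t.authenticate"}  # app with only t.authenticate
DEFAULT_TENANT_CLIENT = {"urn:iam:m.me", TENANT_WILDCARD}        # defaultTenantClient


def client_covers(client_scopes: set[str], scope: str) -> bool:
    """A client grants a scope it holds directly; t.all is assumed to cover any t.* scope."""
    if scope in client_scopes:
        return True
    return TENANT_WILDCARD in client_scopes and scope.startswith("urn:iam:t.")


def effective_scopes(client_scopes: set[str], user_scopes: set[str],
                     act_on_behalf_of_user: bool) -> set[str]:
    """Scopes the token will carry.

    With "Client can act on behalf of a user" set, only the user's privileges
    count. Otherwise the result is the intersection of client and user
    privileges, which is why a t.authenticate-only client yields no admin scope.
    """
    if act_on_behalf_of_user:
        return set(user_scopes)
    return {s for s in user_scopes if client_covers(client_scopes, s)}


def parse_token_scopes(claim_value: str) -> set[str]:
    """Split the space-separated azserver-token-ext-tokenScopes claim value."""
    return set(claim_value.split())


def has_admin_scope(claim_value: str) -> bool:
    """Quick check on a decoded token: does it carry the user-password-admin scope?"""
    return ADMIN_SCOPE in parse_token_scopes(claim_value)


if __name__ == "__main__":
    for name, client in (("restricted client", RESTRICTED_CLIENT),
                         ("defaultTenantClient", DEFAULT_TENANT_CLIENT)):
        for flag in (False, True):
            granted = sorted(effective_scopes(client, USER_SCOPES, flag))
            print(f"{name}, on-behalf-of={flag}: {' '.join(granted)}")
```

Running the block prints the four combinations; only the restricted client without the on-behalf-of flag is missing urn:iam:t.userpasswordadmin, matching the failing token above.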