Here are some suggestions you can check. The exposed API `api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws` is different from what I can see in the error message, `api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal`. Make sure you are exposing the correct address.
If you use encodeURIComponent() on the entire scope, the slashes (/) will be encoded, which may cause Azure to misinterpret the scope. You can try it like:

```javascript
"scope=" + encodeURIComponent("api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws")
```

or just hard code it for testing, like:

```javascript
"scope=api://6ea427d1-d3f6-479c-8cc8-f4cb73278354/portal/aws"
```
Your error message states a tenant mismatch.
Make sure the correct tenant ID is used in the authentication request.
If your app is multi-tenant, ensure that it is properly set up for external tenants.
The tenant ID should be correct in your Azure endpoint:
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize.
Also, make sure that the API permission is consented for users. If not, try granting Admin Consent in Azure Portal under API Permissions.
Plus, when requesting a token, ensure that you are requesting Delegated Permissions under API Permissions and that they match what is configured under Expose an API.
Verify that the scope is set under Expose an API. Make sure the Client ID matches the registered application. Check if the Application ID URI (api://{client-id}) is correctly set in Expose an API.
You can also log your scope before redirecting and make sure the scope is set correctly: `console.log("Requested Scope: ", scopeName);`.
If you still can't spot the issue, please provide more information.
Good luck.
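As an added example (not part of the answer above or of any Microsoft library), the following script builds the v2.0 authorize URL the answer describes and then checks it the way the answer suggests: it decodes the `scope` parameter back out of the URL, compares it with the scope configured under Expose an API, and verifies the tenant ID and `client_id`. It also shows that the hand-built `"scope=" + encodeURIComponent(...)` form and `URLSearchParams` produce the same percent-encoded value (both turn `/` into `%2F`), so the decoded comparison is what tells you whether the right scope was requested. The tenant ID, redirect URI and `state` value are constructed placeholders; the client ID and scope are the ones from the question.

```javascript
// Added example: build and sanity-check an Azure AD (Microsoft identity platform)
// v2.0 authorize URL. Not code from the answer or from MSAL; all values below that
// are not in the question (tenant id, redirect uri, state) are constructed placeholders.
const TENANT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder tenant id
const CLIENT_ID = "6ea427d1-d3f6-479c-8cc8-f4cb73278354"; // client id from the question
const EXPOSED_SCOPE = `api://${CLIENT_ID}/portal/aws`;     // scope under "Expose an API"

// The hand-built form shown in the answer: "scope=" + encodeURIComponent(scope).
function encodeScopeParam(scope) {
  return "scope=" + encodeURIComponent(scope);
}

// Build the authorize URL with URLSearchParams so every parameter is encoded once.
function buildAuthorizeUrl({ tenantId, clientId, redirectUri, scope, state }) {
  const base = `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`;
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    redirect_uri: redirectUri,
    response_mode: "query",
    scope, // space-separated list; URLSearchParams encodes ":" "/" and spaces for us
    state,
  });
  return `${base}?${params.toString()}`;
}

// Parse what actually goes on the wire: tenant segment, client_id, decoded scopes,
// and the raw percent-encoded scope value (useful when comparing with a browser log).
function inspectAuthorizeUrl(url) {
  const u = new URL(url);
  const segments = u.pathname.split("/").filter(Boolean); // [tenant, "oauth2", "v2.0", "authorize"]
  const rawMatch = u.search.match(/[?&]scope=([^&]*)/);
  return {
    tenantId: segments[0],
    clientId: u.searchParams.get("client_id"),
    scopes: (u.searchParams.get("scope") || "").split(" ").filter(Boolean),
    rawScope: rawMatch ? rawMatch[1] : null,
  };
}

// The checks the answer recommends, as code. Returns a list of problems; empty means
// the tenant, client id and exposed scope all line up with what was requested.
function checkAuthorizeUrl(url, expected) {
  const info = inspectAuthorizeUrl(url);
  const problems = [];
  if (info.tenantId !== expected.tenantId) {
    problems.push(`tenant mismatch: url has ${info.tenantId}, expected ${expected.tenantId}`);
  }
  if (info.clientId !== expected.clientId) {
    problems.push(`client_id mismatch: url has ${info.clientId}`);
  }
  if (!info.scopes.includes(expected.scope)) {
    problems.push(`exposed scope not requested: got [${info.scopes.join(" ")}]`);
  }
  // Any api:// scope must belong to this app's Application ID URI (api://{client-id}).
  const appIdUri = `api://${expected.clientId}/`;
  for (const s of info.scopes) {
    if (s.startsWith("api://") && !s.startsWith(appIdUri)) {
      problems.push(`scope belongs to a different Application ID URI: ${s}`);
    }
  }
  return problems;
}

// Stand-alone demo: the correct request, then the mismatch seen in the question
// (scope ends in /portal instead of /portal/aws).
const expected = { tenantId: TENANT_ID, clientId: CLIENT_ID, scope: EXPOSED_SCOPE };
const good = buildAuthorizeUrl({
  tenantId: TENANT_ID, clientId: CLIENT_ID,
  redirectUri: "https://localhost/callback", scope: EXPOSED_SCOPE, state: "demo-state",
});
const bad = buildAuthorizeUrl({
  tenantId: TENANT_ID, clientId: CLIENT_ID,
  redirectUri: "https://localhost/callback", scope: `api://${CLIENT_ID}/portal`, state: "demo-state",
});
console.log("Requested scope (decoded):", inspectAuthorizeUrl(good).scopes);
console.log("Problems with good URL:", checkAuthorizeUrl(good, expected));
console.log("Problems with bad URL:", checkAuthorizeUrl(bad, expected));
```

Run it with `node` and compare the decoded scope it prints with the value under Expose an API; if the two differ, the request is asking for a scope the app does not expose, regardless of how the slashes were encoded on the way out.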