Admin-approved User.Read.All scope is not granted in the OAuth token scopes

1k Views Asked by Mugen At 27 October 2022 at 06:43

My Azure app has the scope User.Read.All approved by an admin:

I request the following scopes in my oauth registration:

scope:
  - profile
  - email
  - openid
  - offline_access
  - User.Read.All
  - Files.Read.All

And manage to successfully make the authorize call, getting the following response:

{
    "token_type": "Bearer",
    "scope": "profile email openid https://graph.microsoft.com/Files.Read.All",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": "...",
    "refresh_token": "...",
    "id_token": "..."
}

Why is User.Read.All not present in the scope of the generated token?

I also verified the token indeed doesn't grant me access to https://graph.microsoft.com/v1.0/users:

{
    "error": {
        "code": "ErrorInsufficientPermissionsInAccessToken",
        "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
        "innerError": { ... }
    }
}

Am I missing some configuration?

If I also request the https://graph.microsoft.com/.default permission in the scope, I do get a valid response from the /users endpoint, however it only contains my own user.

Original Q&A

There are 1 best solutions below

Mugen On 31 October 2022 at 17:19

The problems with my setup were:

Should use /organizations/ tenant instead of /common/
Should use Delegated permissions instead of Application
Specify the scope https://graph.microsoft.com/.default instead of specific graph scopes

Admin-approved User.Read.All scope is not granted in the OAuth token scopes

There are 1 best solutions below

Related Questions in MICROSOFT-GRAPH-API

Related Questions in OFFICE365

Related Questions in OFFICE365API

Related Questions in AZURE-OAUTH

Related Questions in MICROSOFT-OAUTH

Trending Questions

Popular # Hahtags

Popular Questions