We have a mail integration for MS mailboxes and we use MS Graph API for our integration. We have created an OAuth app and the right Mail scopes have been added to the app, while generating the access token we use the v2 OAuth endpoint mentioned in MS doc with .default scope.
The integration works fine for most cases but sometimes when a new user grants permission to the app, and we immediately generate access token using the refreshToken the scope contains only 1-2 scopes and the remaining scopes are missing from the token.
This is temporary and on further retry all the scopes are returned in the accessToken and we are able to access the mailbox. Is this due to some replication delay in MS end?
Here is the response for once such error :
AADSTS65001: The user or administrator has not consented to use the application with ID {'appID'} named {'appName'}. Send an interactive authorization request for this user and resource.
Trace ID: fc857dc7-0964-417e-9c3d-e23a3c0f9d00
Correlation ID: c9da409c-f988-4045-95b9-0a71113fdcdd
Timestamp: 2023-02-01 13:03:03Z
Scopes Granted to the application :
openid
profile
email
EWS.AccessAsUser.All
SMTP.Send
User.Read
Mail.ReadWrite
Mail.ReadWrite.Shared
Mail.Send
Mail.Send.Shared
Scopes Missing in Access token :
Mail.Send
PS : We use delegated access for the mailbox and token has offline access, also the userConsent flow is fine .
I tried to reproduce the same in my environment and got the results successfully as below:
I created an Azure AD Application and added API permissions:
I generated auth-code by using below endpoint:
I generated the access token using below parameters:
I agree with @junnas, the issue occurred due to the replication delay of 1 or 2 sec in reflecting the scopes. When I decoded the access token, all the scopes are included like below: