This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I'm trying to implement MSAL login in an app and it needs a profile picture. When trying to get it via https://graph.microsoft.com/me/photo/$value, I get the following response:
{"error":{"code":"ErrorInsufficientPermissionsInAccessToken","message":"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.","innerError":{"date":"redacted","request-id":"redacted","client-request-id":"redacted"}}}
According to the API reference linked above, getting the profile picture for an account requires the User.Read permission (for access with least priveliges). I do obtain the pernission, and the consent screen agrees.
Just to make sure, I did test switching this out for User.Read.All and this made no difference.
What do I do to stop this exception happening?
@⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
Thank you for your detailed post and I apologize for the delayed response!
Any additional information would be greatly appreciated!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Hi! Sorry about the wait. Here are the answers you requested:
Clients must treat access tokens as opaque strings because the contents of the token are intended for the API only. For validation and debugging purposes only, developers can decode JWTs using a site like jwt.ms. Tokens that are received for a Microsoft API might not always be a JWT and can't always be decoded.
Hope this helps!
@⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
Thank you for the quick follow up on this and I apologize for the delayed response!
I walked through the Node.js Tutorial that you shared and wasn't able to reproduce your access token error message. It seems like my Graph API request process.env.GRAPH_API_ENDPOINT + "v1.0/me/photo/$value" within the authConfig.js file isn't running into any issues with the HTTP request itself, but I am running into an issue with my profile.hbs view not displaying what's returned.
Test sign in and call Microsoft Graph
I've reached out to my team regarding this issue and since the contributors within the GitHub sample are internal, I've also reached out to them as well.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
Thank you for your time and patience throughout this issue!
https://jwt.ms/, are you using an MSA or personal account? fetch.js file. I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Hey,
My apologies for the delay! I was meaning to respond but I didn't for a while. Thanks for reminding me.
As for the questions:
@2756353
Thank you for following up on this and I'm glad that you're going to try restarting your project with MSAL.
If you run into any issues or resolve your issue, please let me know!
Thank you for your time and patience throughout this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 57.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Could you please try to check the scopes by decoding access token in https://jwt.ms/ and make sure you have User.Read.All, application permissions,
please see the docs - https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
Hope this helps
Thanks
It appears my access token is not in the format of a JWT. I can use it in Graph requests, but part of the documentation does state that access tokens do not need to be possible to decode on the client's side, and I believe this is one of those cases.
I have tested /me alone and it does appear I can't access anything under it, even when requesting User.Read.All.