13,721 questions
Microsoft Graph API scope/permission
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 88%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGF%3C/text%3E%3C/svg%3E)
Gustav Fasting
1
Reputation point
I have registered an app that request following scope openid profile offline_access user.read.all calendars.read tasks.readwrite calendars.readwrite.shared mail.readwrite mail.send contacts.readwrite.
When going through Microsoft identity platform authorize endpoint is it possible for a user to get an accesstoken with a different scope?
We got
-
Calendars.Read Calendars.ReadWrite.Shared Contacts.ReadWrite Mail.ReadWrite Mail.Send openid profile Tasks.ReadWrite User.Read.All email -
User.Read profile openid email -
profile openid email User.Read.All Calendars.Read Tasks.ReadWrite Calendars.ReadWrite.Shared Mail.ReadWrite Mail.Send Contacts.ReadWrite -
openid profile Calendars.Read Tasks.ReadWrite Mail.ReadWrite Mail.Send Contacts.ReadWrite
The initial scope for our application might be wrong but we are trying to configure microsoft accounts to replicate this scenario but are failing. Anyone with ideas or guidance on this problem?
"After you use the admin consent endpoint to grant admin consent, you're finished. Users don't need to take any further action. After admin consent is granted, users can get an access token through a typical auth flow. The resulting access token has the consented permissions." <-- In our case it was not
Microsoft Security Microsoft Graph
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 57.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee2022-10-06T07:28:59.46+00:00 As you said, you are getting different scopes every time, could you please help me to understand this ?
-
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee
2022-10-06T07:29:22.383+00:00 As you said, you are getting different scopes every time, could you please help me to understand this ?
-
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee
2022-10-06T07:29:33.117+00:00 As you said, you are getting different scopes every time, could you please help me to understand this ?
-
Gustav Fasting 1 Reputation point
2022-10-06T07:41:53.077+00:00 Yes somehow we are getting a response from the authorize endpoint with an accessToken that don't match the application scope. We are wondering how this is possible?
We are trying to setup new fresh microsoft organization account to replicate this behavior but do not know where to start.
The application requires admin consent, after which an admin has given consent is it possible that user within this organization can be limited to not fulfill the scope of the application but still somehow get a successful login response? -
Vicky Kumar (Mindtree Consulting PVT LTD) 1,161 Reputation points Microsoft Employee
2022-10-07T08:38:17.007+00:00 Could you please provide us the screenshot of both authorize endpoint with an accessToken scopes and application scopes
Sign in to comment
Sign in to answer