GET https://graph.microsoft.com/v1.0/users/56bfd9cb-... in Graph Explorer

PauloMatos 170 Reputation points
2023-02-10T20:34:41.5666667+00:00

When I try to get user in Graph Explorer

GET https://graph.microsoft.com/v1.0/users/56bfd9cb-... in Graph Explorer

In "Modify Permissions"

I have a permission N/A

If I click "Consent"

I get the error:

Sorry, but we’re having trouble signing you in.

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope N/A openid profile offline_access is not valid. The scope format is invalid. Scope must be in a valid URI form https://example/scope or a valid Guid <guid/scope>.

My user has the following Administrative Roles:

Global Administrator

Security Administrator

Security Reader

What is missing?

Now, when I try to PATCH the user,

I get the return:

"error": {
        "code": "ErrorMethodNotAllowed",
        "message": "The method or operation is not allowed.",
...

After this question is solved, I intend to create extension attributes to add custom data.

Thank you very much


Accepted answer
  1. Khurram Rahim 1,851 Reputation points
    2023-02-10T22:31:21.55+00:00

    The error message "The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid." suggests that the consent is being requested for a scope that is not defined or recognized. The "N/A" value for the permission could be the reason for this error.

    To resolve this issue, you need to provide a valid scope in the request for consent. The scope defines the permissions that your application needs to access the user's data. The scope must be a valid URI format, such as "https://graph.microsoft.com/User.Read".

    Regarding the error "The method or operation is not allowed" while trying to PATCH the user, this could be because the user does not have sufficient permissions to perform the PATCH operation. The roles you mentioned (Global Administrator, Security Administrator, and Security Reader) should provide the necessary permissions, but it is also possible that there may be other factors affecting the ability to perform the operation, such as policy restrictions.

    To create extension attributes, you will need to use the Microsoft Graph API to programmatically create and manage the attributes. You can refer to the Microsoft Graph API documentation for more information on how to create and manage extension attributes: https://docs.microsoft.com/en-us/graph/api/resources/extension-properties?view=graph-rest-1.0

    1 person found this answer helpful.
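As an added illustration of the scope-format rule discussed in the accepted answer (not code from this thread or from Microsoft), here is a pre-flight check that rejects a scope string like the one quoted in the AADSTS70011 error before an authorize URL is built. The function names, the placeholder client ID and redirect URI, and the acceptance of bare permission names such as User.Read are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlparse

# OpenID Connect scopes that are valid without a resource prefix.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_SCOPE = re.compile(rf"^{GUID}/[\w.\-]+$")
# Assumption: bare Graph permission names such as User.Read are accepted too.
BARE_PERMISSION = re.compile(r"^[A-Za-z]\w*(?:\.\w+)+$")


def is_valid_scope(token: str) -> bool:
    """Return True if one scope token has a shape the error message allows."""
    if token in OIDC_SCOPES or GUID_SCOPE.match(token) or BARE_PERMISSION.match(token):
        return True
    parsed = urlparse(token)
    # URI form: scheme://resource/permission, with a non-empty permission part.
    return bool(parsed.scheme and parsed.netloc and parsed.path.strip("/"))


def invalid_scopes(scope: str) -> list[str]:
    """Split a space-delimited scope string and return the tokens that fail."""
    return [t for t in scope.split() if not is_valid_scope(t)]


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str, scope: str) -> str:
    """Build a v2.0 authorize URL, refusing malformed scopes up front."""
    bad = invalid_scopes(scope)
    if bad:
        raise ValueError(f"invalid scope value(s): {bad}")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"


if __name__ == "__main__":
    # Scope string quoted in the AADSTS70011 error above.
    print(invalid_scopes("N/A openid profile offline_access"))
    # Constructed corrected request; client ID and redirect URI are placeholders.
    print(build_authorize_url(
        "common", "00000000-0000-0000-0000-000000000000", "http://localhost/callback",
        "https://graph.microsoft.com/User.Read openid profile offline_access"))
```

Running the check on the scope string from the error flags only the N/A token, which is the placeholder Graph Explorer passed through as a permission name.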

1 additional answer

  1. HarmeetSingh7172 4,826 Reputation points
    2023-02-10T21:50:37.16+00:00

    Hello @PauloMatos

    Thanks for reaching out!

    It seems there is an issue with your Azure AD security token. Your token doesn't have the right permissions to access the API. The scope is invalid. I would suggest you use Postman with a regenerated token after consenting to the required permissions. Please refer to this documentation to know about the required permissions to execute the Get user endpoint. Please note that if you are using a Microsoft personal account and trying to update the params of users using delegated permissions, in that case your personal account needs to be tied to an AAD account.

    Refer: Get- User, Update-User, Authentication & Authorization

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

    1 person found this answer helpful.
