Microsoft Graph API missing permissions / scopes on consent screen

JO-5324 81 Reputation points
2023-03-14T06:08:52.6033333+00:00

Problem:

The app usually requests the following permissions, which works fine.

  • 'offline_access'
  • 'MailboxSettings.Read'
  • 'Mail.ReadWrite.Shared'
  • 'Mail.Send.Shared'
  • 'User.Read'

There is one user (free MS account) whose consent screen only shows and requests the following permissions:

  • 'offline_access'
  • 'User.Read'

As you can see, all the Mail scopes are missing.

Solutions / thoughts:

The app does not use incremental authorization, so all permissions are requested at the beginning.

Within Microsoft Azure > App registration: the following supported account type is chosen "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers."

As stated above, other organizational and personal accounts usually work fine.

Microsoft Security Microsoft Graph

1 answer

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2023-03-14T07:48:14.27+00:00

    Scopes such as 'Mail.Send.Shared' are not available for personal Microsoft IDs. Read for example here: https://learn.microsoft.com/en-us/graph/permissions-reference#delegated-permissions-44
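
A way to catch this in the app rather than on the consent screen, as an added example that is not part of the original thread: compare the scopes the app requested with the `scope` field of the OAuth 2.0 token response and report what was not granted. The function names and both token responses are constructed for illustration, and treating a returned `refresh_token` as proof of `offline_access` is an assumption.

```python
GRAPH_PREFIX = "https://graph.microsoft.com/"

# Scopes the app in the question requests up front.
REQUESTED = ["offline_access", "MailboxSettings.Read", "Mail.ReadWrite.Shared",
             "Mail.Send.Shared", "User.Read"]


def normalize(scope):
    """Lower-case a scope and strip the Graph resource prefix if present."""
    s = scope.strip()
    if s.lower().startswith(GRAPH_PREFIX):
        s = s[len(GRAPH_PREFIX):]
    return s.lower()


def missing_scopes(requested, token_response):
    """Return the requested scopes that the token response did not grant."""
    granted = {normalize(s) for s in token_response.get("scope", "").split()}
    missing = []
    for scope in requested:
        key = normalize(scope)
        if key == "offline_access":
            # Assumption: offline_access may not be echoed in "scope";
            # a refresh token in the response is taken as evidence of it.
            if "refresh_token" in token_response or key in granted:
                continue
        elif key in granted:
            continue
        missing.append(scope)
    return missing


# Constructed sample: mirrors the reduced consent screen from the question.
SAMPLE_PERSONAL = {"token_type": "Bearer", "scope": "User.Read",
                   "refresh_token": "constructed-placeholder"}

# Constructed sample: all scopes granted, returned as full resource URIs.
SAMPLE_WORK = {"token_type": "Bearer",
               "scope": " ".join(GRAPH_PREFIX + s for s in REQUESTED[1:]),
               "refresh_token": "constructed-placeholder"}

if __name__ == "__main__":
    for name, resp in (("personal", SAMPLE_PERSONAL), ("work", SAMPLE_WORK)):
        gaps = missing_scopes(REQUESTED, resp)
        print(name, "missing:", gaps if gaps else "none")
```

Running the check right after token acquisition lets the app disable shared-mailbox features for that account instead of failing later on a Graph call.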

