How to deal with a mismatch in application rights scopes and MS account in MS Graph API? (Mail.ReadWrite; AADSTS650053)

Axel von Leitner 0 Reputation points
2023-03-31T13:01:50.7433333+00:00

We've developed an app using the MS Graph API, and while using our app with private Office 365 accounts works, we're experiencing an issue with our small business account. It seems the organisation is not granting the necessary rights.

The full message we're seeing reads:

AADSTS650053: The application 'CentralStationCRM' asked for scope 'Mail.ReadWrite ' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: e1e4291b-9f2c-4202-8ac1-f0c82dd18f00 Correlation ID: e3e57014-ef1b-4e9b-8288-5668a4ffd025 Timestamp: 2023-03-31 12:44:41Z

Attached I've added screens of the user admin view and the admin panel of our application (as far as I understand it).

[Attached screenshots: Bildschirmfoto 2023-03-31 um 14.58.52.png, Bildschirmfoto 2023-03-31 um 14.57.59.png]


1 answer

  1. HarmeetSingh7172 4,811 Reputation points
    2023-03-31T21:39:02.85+00:00

    Hello Axel von Leitner,

    Thanks for posting!

    Generally, this error comes when the application doesn't have the required scope on the resource.

    The Mail.ReadWrite permission exists as both a delegated and an application permission. Please ensure you have consented to the correct set of permissions in the Azure AD application based on the authentication flow. Refer to Mail permissions.

    Secondly, in case you are using an auth URL like this: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=%@&scope=%@&response_type=code&redirect_uri=%@, then you have to separate the scopes using a space rather than a comma. When using multiple scopes in the authentication request, the scopes must be separated with a space. Otherwise, it'll treat all the scopes as a single string "mail.readwrite,User.Read,offline_access", which doesn't match any of the scopes added to the application. If you separate the scopes using a space (mail.readwrite User.Read offline_access), the scopes won't be concatenated and will be treated as individual scopes.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
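The scope-separator point in the answer above, shown as an added example (this is not code from the question, the answer, or the CentralStationCRM app). It builds the v2.0 authorize URL the answer quotes, then decodes the `scope` parameter the way the authorization server does (split on whitespace only) so you can see why a comma-joined list arrives as one unknown scope. The client_id, redirect_uri, state value and the small EXPECTED_SCOPES allow-list are placeholders invented for the demonstration.

```python
"""Build a Microsoft identity platform authorize URL and check its scopes.

Added example, not code from the original question or answer. client_id,
redirect_uri, state and EXPECTED_SCOPES are placeholders; the endpoint is
the v2.0 authorize endpoint quoted in the answer.
"""
import re
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed allow-list of the delegated scopes this app is supposed to
# request; in practice it mirrors the API permissions on the app registration.
EXPECTED_SCOPES = {"Mail.ReadWrite", "User.Read", "offline_access", "openid", "profile"}


def normalize_scopes(raw):
    """Split a scope string on whitespace *and* commas and drop empties.

    Accepts the mistaken comma-joined form ("Mail.ReadWrite,User.Read") as
    well as the correct space-joined form, so the caller can always rebuild
    the parameter with single spaces.
    """
    return [s for s in re.split(r"[\s,]+", raw.strip()) if s]


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Return the authorize URL with the scopes joined by a single space.

    quote_via=quote encodes the space as %20 rather than '+'; both decode
    to a space, %20 is just unambiguous when reading the URL by eye.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def scopes_as_seen_by_server(url):
    """Decode the scope parameter the way the authorization server does:
    one string, split on whitespace only. A comma is just another character."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


def unknown_scopes(url, expected=EXPECTED_SCOPES):
    """Requested scopes that match nothing in the allow-list.

    Comparison is case-insensitive, matching the lowercase
    'mail.readwrite' the answer uses; a non-empty result is the kind of
    request AADSTS650053 rejects before any consent prompt is shown.
    """
    lowered = {s.lower() for s in expected}
    return [s for s in scopes_as_seen_by_server(url) if s.lower() not in lowered]


if __name__ == "__main__":
    client_id = "00000000-0000-0000-0000-000000000000"   # placeholder
    redirect = "https://example.invalid/callback"        # placeholder
    good = build_authorize_url(client_id, redirect,
                               ["Mail.ReadWrite", "User.Read", "offline_access"], "xyz")
    bad = build_authorize_url(client_id, redirect,
                              ["Mail.ReadWrite,User.Read,offline_access"], "xyz")
    print(scopes_as_seen_by_server(good))
    print(unknown_scopes(bad))
    # Recover from the comma-joined string before building the URL:
    fixed = build_authorize_url(client_id, redirect,
                                normalize_scopes("Mail.ReadWrite,User.Read,offline_access"), "xyz")
    print(unknown_scopes(fixed))
```

Run it as a script or import it and feed `unknown_scopes()` the URL your app actually sends; an empty list means every scope is one the app registration exposes, a single element containing commas is the concatenation the answer describes.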