How to deal with a mismatch in application rights scopes and MS account in MS Graph API? (Mail.ReadWrite; AADSTS650053)

Question

How to deal with a mismatch in application rights scopes and MS account in MS Graph API? (Mail.ReadWrite; AADSTS650053)

Axel von Leitner 0

We've developed an APP using the MS Graph API and while using our app with private office365 accounts we're experiencing an issue with our small business account. It seems the organisation is not granting the necessary rights.

The full message we're seeing reads:

AADSTS650053: The application 'CentralStationCRM' asked for scope 'Mail.ReadWrite ' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: e1e4291b-9f2c-4202-8ac1-f0c82dd18f00 Correlation ID: e3e57014-ef1b-4e9b-8288-5668a4ffd025 Timestamp: 2023-03-31 12:44:41Z

Attached I've added screens of the user admin view and the admin panel of our application (as far as I understand it).

Bildschirmfoto 2023-03-31 um 14.58.52.png

Bildschirmfoto 2023-03-31 um 14.57.59.png

1 answer

Your answer

Answer 1

Hello Axel von Leitner,

Thanks for posting!

Generally, this error comes when the application doesn't have the required scope on the resource.

The Mail.ReadWrite permissions exists as both delegated as well as application permission. Please ensure you have consented the correct set of permissions in Azure AD application based on the authentication flow. Refer Mail permissions.

Secondarily, in case you are using auth URL like this: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=%@&scope=%@&response_type=code&redirect_uri=%@, then you have to separate the scopes using a space rather than a comma. When using multiple scopes in the authentication request, the scopes must be separated with a space. Otherwise, it'll treat all the scopes as a single string " mail.readwrite,User.Read,offline_access " and doesn't match with any of the scopes added to the application. If you separate the scopes using space, mail.readwrite User.Read offline_access the scopes won't be concatenated and will be treated as individual scopes.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

Axel von Leitner 0 Reputation points

2023-04-03T11:11:22.84+00:00

Hey & thanks for your quick reply!

The Mail.ReadWrite permissions exists as both delegated as well as application permission. Please ensure you have consented the correct set of permissions in Azure AD application based on the authentication flow. Refer Mail permissions.

=> We double checked the permissions and added the application rights. So far we've only had the delegated ones. Now it looks like this:

Bildschirmfoto 2023-04-03 um 12.58.46.png

However after clicking the link to setup the integration via oauth, we're still getting this error message when being redirected from the office site:

AADSTS650053: The application 'CentralStationCRM' asked for scope 'Mail.ReadWrite ' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor. Trace ID: 9cdf63f1-3f8f-4890-b1e1-b55b977c4100 Correlation ID: 47a45368-f69c-41d7-935c-0d25ce430c8e Timestamp: 2023-04-03 11:02:25Z

Bildschirmfoto 2023-04-03 um 13.06.13.png

Regarding your second idea: We're not sending the scopes comma separated + it works with a private outlook account. We're only seeing the issue with business accounts.

Share via

How to deal with a mismatch in application rights scopes and MS account in MS Graph API? (Mail.ReadWrite; AADSTS650053)

1 answer

Your answer