AccessDenied - Either scp or roles claim need to be present in the token.

Question

The Cloud engineer in our organization created an app with these delegated permissions for me: Sites.Read.All, Sites.Manage.All & Files.ReadWrite.All

I've been trying to work in Postman with the client_id, tenant_id and secret given to me, but I need help getting a proper auth token. What am I doing wrong?

Answer 1

Hello Ronaldo Resende (OMG),
Thank you for your post in this Q&A forum.

It seems like the token as you generated is a application token but you have only assigned delegated permissions. Please check your token, you can copy your token and past it to JWT.MS. for application token the permissions will show under roles and for delegated token, permissions will show under scp.
Something like, scp;- AccessReview.Read.All, AuditLog.Read.All....
If the token shows roles, you need to generate delegate access token then authenticate.

auth.png

Hope that helps.

Thanks
--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 2

Hi @Ronaldo Resende (OMG)

Delegated permissions do not support the daemon-based client credential credential flow, so it does not map into the access token.

Delegated permissions are only available in a delegated authentication flow, so you should use a delegated authentication flow to obtain an access token, such as the auth code flow or ROPC flow.

Parse the access token and you'll be able to see the delegated permissions you granted in the scp claim:

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.