I can't make application authentication with Microsoft identity - Either scp or roles claim need to be present in the token.

BackNot 46 Reputation points
2023-07-03T14:08:11.07+00:00

I followed this tutorial - https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=http
If I send a request to https://login.microsoftonline.com/{tenant}/adminconsent with "common" as the tenant, I get this error:

AADSTS90027: We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.

If I send a request to
https://login.microsoftonline.com/{my-tenant-id}/v2.0/adminconsent
or

if I send a request to
https://login.microsoftonline.com/organizations/v2.0/adminconsent

Screenshot 2023-07-03 at 17.03.13

When I click Accept and then send a request to oauth2/v2.0/token (with grant_type=client_credentials), I get an access token.

Later, when I try to perform actions with the token, I get errors like:

/drives or /sites

Either scp or roles claim need to be present in the token

/users

Insufficient privileges to complete the operation

My application permissions:

Screenshot 2023-07-03 at 17.06.59


Accepted answer
  1. CarlZhao-MSFT 46,326 Reputation points
    2023-07-04T06:49:36.3733333+00:00

    Hi @BackNot

    Glad to know your issue has been resolved, I'll summarize the issue below to help members with similar issues:

    1. If your application is registered as a single-tenant application, you can only sign in users of your own tenant using the /{tenant id} endpoint or the /organizations endpoint, and cannot sign in users of other tenants or MSA users using the /common endpoint.
    2. Application permissions are organization-based. When granting application permissions, static consent must be performed, i.e. the admin consent URL should be: https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}.
    3. Only global administrators can grant administrator consent, ordinary administrators or users cannot grant administrator consent.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


1 additional answer

Sort by: Most helpful
  1. BackNot 46 Reputation points
    2023-07-04T04:53:16.79+00:00

    I solved it. It turns out I wasn't as big an admin as I thought. I made the creator of the accounts log in to:

    https://login.microsoftonline.com/my-tenant-id/adminconsent

    and then my calls to
    my-tenant-id/oauth2/v2.0/token returned a token with several roles.

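As an added example (not code from the question, the accepted answer, or Microsoft's tutorial), the following script ties the two fixes in this thread together: it builds the tenant-scoped v2.0 admin-consent URL the accepted answer recommends, requests a client-credentials token from the v2.0 token endpoint, and, before calling Graph, checks whether the token actually carries the `roles` claim that was missing before consent was granted. The tenant ID, client ID, redirect URI and the two sample tokens are constructed placeholders; the tokens are unsigned and the decoder deliberately does not verify signatures, since this is a diagnostic for your own token, not a validation step for a resource server.

```python
"""Added example: diagnose the 'Either scp or roles claim need to be present'
error by inspecting a client-credentials token for the `roles` claim.
Not part of the original Q&A thread; all identifiers below are placeholders."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGIN = "https://login.microsoftonline.com"


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """Tenant-scoped v2.0 admin-consent URL, as in the accepted answer.
    Using /common for a single-tenant app is what produced AADSTS90027."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"{LOGIN}/{tenant_id}/v2.0/adminconsent?{query}"


def request_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint (needs network;
    not exercised offline). The .default scope asks for every application
    permission an admin has consented to for this client."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["access_token"]


def jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def missing_app_roles(token: str, required: set) -> set:
    """Return the required Graph application permissions that are absent from
    the token's `roles` claim. A token with neither `roles` nor `scp` is exactly
    what Graph rejects with 'Either scp or roles claim need to be present'."""
    granted = set(jwt_payload(token).get("roles", []))
    return set(required) - granted


def _fake_jwt(payload: dict) -> str:
    """Constructed sample token: unsigned, for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample tokens (placeholders, not real tokens).
TOKEN_BEFORE_CONSENT = _fake_jwt({"aud": "https://graph.microsoft.com",
                                  "tid": "my-tenant-id"})
TOKEN_AFTER_CONSENT = _fake_jwt({"aud": "https://graph.microsoft.com",
                                 "tid": "my-tenant-id",
                                 "roles": ["Sites.Read.All", "User.Read.All"]})

# Application permissions this app needs for /sites, /drives and /users.
REQUIRED = {"Sites.Read.All", "User.Read.All"}


if __name__ == "__main__":
    print(admin_consent_url("my-tenant-id",
                            "00000000-0000-0000-0000-000000000000",
                            "https://localhost/callback"))
    for name, tok in (("before consent", TOKEN_BEFORE_CONSENT),
                      ("after consent", TOKEN_AFTER_CONSENT)):
        missing = missing_app_roles(tok, REQUIRED)
        print(f"{name}: missing roles = {sorted(missing) or 'none, safe to call Graph'}")
```

Run the check on the token you get back from `request_app_token`; if `missing_app_roles` is non-empty, the app registration's permissions have not been admin-consented in that tenant (or the wrong tenant or app was consented), and no retry of the Graph call will help until someone with the right role completes the consent URL.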
