![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 41%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECP%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,389 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Chris Peacock , Inorder to this, you would need to provide the scope parameter with value "directory.read.all" while requesting a code/token from AAD, based on the OAuth flow you are using in your code.
For eg: In case you are using Client Credential Flow of OAuth, then you would need to specify the scope parameter with the value "directory.read.all" and send that request to the /token endpoint of AAD. But, in case you are using Authorization Code Grant Flow, then you need to specify the scope parameter with the value "directory.read.all" and send that request to the /authorize endpoint of AAD.
Note: While using the scope parameter, you would have to make the request to the v2.0 endpoint of AAD.
Sharing the sample requests for Authorization Code Grant Flow of OAuth2.0:
Sample Request 1: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/v2.0/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&scope=directory.read.all&state=12345
Note: It should be &scope=directory.read.all in the request after response_mode=fragment. Somehow scope is getting listed as >ope.
Incase you want to use the v1.0 endpoint, then you need to make sure that you have added the permission "directory.read.all" in the app registration's API permissions section and then you can use the request listed below:
Sample Request 2: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&resource={resource name for which the code is being requested for. Eg: https://graph.microsoft.com}&state=12345&nonce=12345
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.