With the guest account, it is likely that the token you get may not have the appropriate permissions to access the said scope. You can check the token's permissions by decoding the token using a JWT decoder such as JWT decoder (https://jwt.ms/) and looking for the scp attribute. Check for the Presence.Read or Presence.Read.All scope and if it does not exist, it might explain why you are running into this issue.
To remedy this issue, you need to grant the appropriate permission to the guest account. You can do this by adding the required permission in the Azure AD app registration and then granting consent to the guest account.
Here are some links to the Microsoft documentation that can help you with this:
- Grant admin consent for permissions: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
- Grant consent using the Azure portal: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#grant-consent-using-the-azure-portal
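
An added example, not part of the original answer: the same scp check done locally in Python, so the access token never leaves the machine. The helper names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, which is suitable for inspection only.

```python
import base64
import json

REQUIRED_SCOPES = {"Presence.Read", "Presence.Read.All"}  # scopes named in the answer above


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Inspection only: never use unverified claims for an authorization decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def presence_scopes(token: str) -> set:
    """Scopes from the space-separated scp claim that allow reading presence."""
    scp = decode_claims(token).get("scp", "")
    # Exact match on whole scope names, so Presence.ReadWrite does not count.
    return REQUIRED_SCOPES & set(scp.split())


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Azure AD token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    guest = make_sample_token({"scp": "User.Read profile openid"})
    member = make_sample_token({"scp": "Presence.Read User.Read"})
    for name, tok in (("guest", guest), ("member", member)):
        found = presence_scopes(tok)
        print(name, "->", sorted(found) if found else "no Presence scope in scp")
```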