Office 365 Exchange Online Exchange.Manage scope cannot add to Graph API scopes in OAuth Link

Jay 40 Reputation points
2023-10-27T13:19:19.83+00:00

In the OAuth link using the authorization code flow, I am unable to pass any permissions from the Office 365 Exchange Online API, or for that matter any other permission that doesn't belong to the Microsoft Graph API, in the scopes parameter of the OAuth link.

For example, this is the OAuth link:

login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXXXXXXXXX&response_type=code&redirect_uri=https%3A//google.com&response_mode=query&state=12345&prompt=consent&scope=offline_access%20AuditLog.Read.All%20Policy.Read.All%20Directory.Read.All%20IdentityProvider.Read.All%20Securityevents.Read.All%20ThreatIndicators.Read.All%20SecurityActions.Read.All%20User.Read.All%20UserAuthenticationMethod.Read.All%20MailboxSettings.Read%20DeviceManagementManagedDevices.Read.All%20DeviceManagementApps.Read.All%20UserAuthenticationMethod.ReadWrite.All%20DeviceManagementServiceConfig.Read.All%20DeviceManagementConfiguration.Read.All%20Organization.Read.All%20Exchange.Manage

It throws the following error:

error=invalid_client&error_description=AADSTS650053%3A+The+application+%27AZTest%27+asked+for+scope+%27Exchange.Manage%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0D%0ATrace+ID%3A+02c24508-4948-4e3d-a79f-e19341c0ca00%0D%0ACorrelation+ID%3A+057133e4-9566-4263-87aa-a4328fbdedd8%0D%0ATimestamp%3A+2023-10-25+10%3A12%3A28Z&state=12345


1 answer

  1. Vasil Michev 105.7K Reputation points MVP
    2023-10-27T15:25:16.68+00:00

    Exchange.Manage is a scope for the Exchange Online API (with resource ID of 00000002-0000-0ff1-ce00-000000000000, https://outlook.office.com), not the Graph API (00000003-0000-0000-c000-000000000000). So that's the expected behavior.

    To resolve the error, update your resource value. Do note that you cannot use a single request to obtain access tokens for multiple resources; one request per resource will do.
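The "one request per resource" point from the answer, as an added example that is not part of the original thread or any Microsoft code: it extracts the rejected scope and resource ID from the error redirect in the question, then builds a separate authorize URL for each resource. It assumes the v2.0 scope form `<resource URI>/<permission>` with the resource URI given in the answer; the function names and the `https://localhost/callback` redirect URI are hypothetical.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com"      # 00000003-0000-0000-c000-000000000000
EXCHANGE = "https://outlook.office.com"    # 00000002-0000-0ff1-ce00-000000000000
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}  # not resource-bound

# Error redirect from the question, shortened (trace IDs dropped).
SAMPLE_ERROR = (
    "error=invalid_client&error_description=AADSTS650053%3A+The+application"
    "+%27AZTest%27+asked+for+scope+%27Exchange.Manage%27+that+doesn%27t+exist+on"
    "+the+resource+%2700000003-0000-0000-c000-000000000000%27.&state=12345")

def parse_scope_error(query):
    """Return (code, rejected scope, resource ID) from an AADSTS650053 redirect."""
    desc = parse_qs(query).get("error_description", [""])[0]
    m = re.search(r"(AADSTS\d+): .*scope '([^']+)' that doesn't exist "
                  r"on the resource '([^']+)'", desc)
    return m.groups() if m else None

def authorize_urls(client_id, redirect_uri, scopes_by_resource):
    """Build one authorize request per resource as {resource: (state, url)}."""
    requests = {}
    for resource, scopes in scopes_by_resource.items():
        # v2.0 scope form: '<resource URI>/<permission>'; OIDC scopes stay bare.
        qualified = [s if s in OIDC_SCOPES else f"{resource}/{s}" for s in scopes]
        state = secrets.token_urlsafe(16)  # fresh per request; verify on return
        params = {"client_id": client_id, "response_type": "code",
                  "redirect_uri": redirect_uri, "response_mode": "query",
                  "state": state, "scope": " ".join(qualified)}
        requests[resource] = (state, AUTHORIZE + "?" + urlencode(params))
    return requests

if __name__ == "__main__":
    print(parse_scope_error(SAMPLE_ERROR))
    # Constructed split of the question's scope list: Graph and Exchange apart.
    plan = {GRAPH: ["offline_access", "User.Read.All", "Organization.Read.All"],
            EXCHANGE: ["offline_access", "Exchange.Manage"]}
    urls = authorize_urls("XXXXXXXXXX", "https://localhost/callback", plan)
    for resource, (state, url) in urls.items():
        print(resource, url)
```

Each authorization code is then redeemed separately, giving one access token per resource.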

