GraphServiceClient error: Either scp or roles claim need to be present in the token.

Emerson Brito 21 Reputation points
2024-01-12T16:14:48.25+00:00

A bit of context: My goal is to have an app running on Azure that will eventually access SharePoint sites in different tenants. The idea is that once authorized, this app will connect to all tenants using the same app id and secret, that is, a multi-tenant app.

With that said, when I try to use the GraphServiceClient to connect to a SharePoint site I get the following error: Either scp or roles claim need to be present in the token.

For now, all tests are being conducted in the same tenant where the app registration was created.

Here is the code:

using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;

var clientId = "[MY_APP_ID]";
var secret = "[MY_APP_SECRET]";
var tenantId = "common";
var scopes = new[] { "https://graph.microsoft.com/.default" };
var sharePointSiteId = "[SHAREPOINT_SITE_ID]";

var options = new ClientSecretCredentialOptions
{
	AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
};

var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, secret, options);

// this was just a test, we do get a token back
var accessToken = await clientSecretCredential.GetTokenAsync(new TokenRequestContext(scopes));

var graphClient = new GraphServiceClient(clientSecretCredential, scopes);

// this line will throw this error:
// Either scp or roles claim need to be present in the token.

var drives = await graphClient.Sites[sharePointSiteId].Drives.GetAsync();

// this is just for testing purposes since our goal is SharePoint
// if I comment the previous line, this one will be reached
// and will throw the following error:
// The identity of the calling application could not be established.

var users = await graphClient.Users.GetAsync();

My setup:

The app is registered as a multi-tenant.


It has the following listed under API Permissions:


Once the app registration was done, I used the following link to grant consent (in an attempt to reproduce the steps future users will take):

https://login.microsoftonline.com/[MY_TENANT_ID]/adminconsent?client_id=[MY_APP_ID]

I got the expected consent window and it appears to have worked well.

SharePoint Site Permissions

To grant the required permissions to the SharePoint site, I went to:

https://developer.microsoft.com/en-us/graph/graph-explorer

There, I changed the method to POST and used the following URL:

https://graph.microsoft.com/v1.0/sites/[MY_SITE_ID]/permissions

With the request body:

{
  "roles": ["read","write"],
  "grantedToIdentities": [{
    "application": {
      "id": "[APP_ID]",
      "displayName": "[APP_DISPLAY_NAME]"
    }
  }]
}

Thanks in advance.


Accepted answer
  1. CarlZhao-MSFT 42,031 Reputation points
    2024-01-15T06:35:19.6+00:00

    Hi Emerson Brito,

    The common endpoint is only applicable to delegated context. Do not use the common endpoint in the client credentials flow because it is an unattended authentication flow.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

    1 person found this answer helpful.
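One way to confirm the accepted answer before handing a token to GraphServiceClient is to decode the access token locally and check that it carries a `roles` (app-only) or `scp` (delegated) claim, the Graph audience, and the `tid` of the tenant whose admin consented. The following is an added example, not code from the question or the answers; the tenant id and the two tokens are constructed, unsigned samples, one shaped like the failing token and one like a correct app-only token.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    # Parse the claims only; no signature check, this is local inspection
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def diagnose_graph_token(token: str, expected_tid: str) -> list:
    # Return the reasons Graph would reject this token; empty list means OK
    claims = decode_jwt_payload(token)
    problems = []
    if not claims.get("roles") and not claims.get("scp"):
        problems.append("no 'roles' (app-only) or 'scp' (delegated) claim: "
                        "consent missing in this tenant or token requested "
                        "via the 'common' endpoint")
    if claims.get("aud") not in ("https://graph.microsoft.com",
                                 "00000003-0000-0000-c000-000000000000"):
        problems.append("audience %r is not Microsoft Graph" % claims.get("aud"))
    if claims.get("tid") != expected_tid:
        problems.append("tid %r is not the tenant that granted consent"
                        % claims.get("tid"))
    return problems


def make_unsigned_jwt(payload: dict) -> str:
    # Constructed, unsigned JWT for offline testing only
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))


# Constructed sample claims: a placeholder tenant id, a token shaped like the
# failing one in the question (no roles), and a correct app-only token
TENANT = "11111111-2222-3333-4444-555555555555"
BAD_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT})
GOOD_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT,
                                "roles": ["Sites.Read.All", "Sites.ReadWrite.All"]})
```

Running `diagnose_graph_token` on the real token returned by `GetTokenAsync` (with the tenant GUID instead of "common") shows at a glance whether the `roles` claim the Graph call needs is actually there.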

2 additional answers

  1. Saman Guruge-MSFT 80 Reputation points Microsoft Vendor
    2024-01-13T20:30:30.98+00:00

    Hi Emerson Brito,

    It seems that you are missing permission scopes. Please try enabling the following scopes:

    • Sites.Read.All: Read the lists on the SharePoint root site.
    • Sites.ReadWrite.All: Create new list items in a SharePoint list. You can find more information about Microsoft Graph API permission scopes in the Microsoft Graph permissions reference.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".


  2. Deepika Kumari 0 Reputation points
    2024-06-17T06:02:44.54+00:00

    Is it necessary to ensure that the appropriate Application permissions (i.e., Sites.Read.All and Sites.ReadWrite.All) are added to my app registration in Azure AD, and to have granted admin consent for these permissions?

    I am able to get a bearer token using the Microsoft Graph API by passing clientID, clientSecret and TenantID to the authority_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token". However, I am unable to get the SiteID using the same bearer token.

    Error: {'error': {'code': 'AccessDenied', 'message': 'Either scp or roles claim need to be present in the token.', 'innerError': {'date': '2024-06-14T18:47:27', 'request-id': 'ccdbcfac-ab22-403f-b0cb-7a12d0b82d2c', 'client-request-id': 'ccdbcfac-ab22-403f-b0cb-7a12d0b82d2c'}}}.

    Please help. Thank you!

