Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Question

Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Guillaume Dumont 30

Hi! When I ask for the delegated permission Exchange.Manage on the url https://login.microsoftonline.com/common/oauth2/v2.0/authorize, I receive the error in this question title. The error says that the permission is asked on the Graph ressourceId, but as seen bellow, the ressourceId asked is outlook.office.com (00000002-0000-0ff1-ce00-000000000000). My application has the permission registered (see image bellow). I tryed with scope 00000002-0000-0ff1-ce00-000000000000/Exchange.Manage, ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, https://outlook.office.com/ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, etc. all with the same error.

I'm using the auth code flow on an app with certificate and no client secrets.

Note that it works when I'm granting those permissions ("https://outlook.office.com/Calendars.Read", "https://outlook.office.com/Contacts.Read", "https://outlook.office.com/Mail.Read", "https://outlook.office.com/MailboxSettings.Read") using the same code.

User's image

Accepted answer

1 additional answer

Your answer

Answer 1

Navya 17,820 Microsoft External Staff

Hi @Guillaume Dumont

Thank you for posting this in Microsoft Q&A.

A token can be acquired for multiple scopes if all those scopes belong to same resource. For example, in a single request you can acquire token for openid and offline_access scopes because they are part of Graph API resource. Exchange.Manage scope belongs to Microsoft 365 Mail API resource. To acquire token for your API, you will need to make a separate request as it is a completely different resource.

In my environment, I successfully obtain the authorization code by making a below HTTP request.Please attempt the HTTP request mentioned below and inform me of any difficulties you encounter by providing a response through comments.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=93f3-e20de961633b
&response_type=code
&redirect_uri=
https://login.microsoftonline.com/common/oauth2/nativeclient
&response_mode=query
&scope=Exchange.Manage (or) https://outlook.office.com/Exchange.Manage

Authorization code: User's image

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Guillaume Dumont 30 Reputation points

2024-04-02T13:45:21.3933333+00:00

Hi! This seems to work if you already have the permission granted. Also, you can ask for multiple ressources on the /authorize branch. My usecase is a end user trying to use a new app on his behalf. A new permission grant is where the error occurs, only for this specific permission. All my other permissions calls are working (with multiple ressources like Teams and Partner Center). I think it's a bug in the openid flow since the error message points this permission (Exchange.Manage) to be for the Graph ressource.
Navya 17,820 Reputation points Microsoft External Staff

2024-04-04T13:13:29.0366667+00:00

Hi Guillaume Dumont

Thank you for your response. Yes, it looks like it only works when we give permission. I tried testing it without giving permissions and found the same error you're experiencing. I will check with my internal team and will get back to you.
Navya 17,820 Reputation points Microsoft External Staff

2024-04-12T11:22:24.0933333+00:00

Hi Guillaume Dumont

I have checked with my internal team and we consider this issue as a bug. We have raised a ticket to the product team. They will be working on it.

Thanks,

Navya.
Jack Hammond 0 Reputation points

2024-04-15T15:35:35.8433333+00:00

I've recently come across this issue as well and can confirm the behaviour is the same. When I add the Exchange.Manage permission to my application and I do not pre-approve then I get the error. If I approve then it works and I can see the claim is added to the JWT scopes once I complete the token exchange.

This is will be a problem for us as the whole idea we are currently developing against is that an administrator can just be prompted to approve using the usual consent flow after which we can then use the JWT to carry out actions on their behalf and having to pre-approve completely breaks this flow.

Is there any idea on when this might be fixed?
Jack Hammond 0 Reputation points

2024-05-08T10:29:39.5+00:00

Hi Navya, do we have any idea when this is going to be fixed, nearly a month on from it being initially being reported and this still seems to be occurring which is starting to impact some of our users.
EnterpriseArchitect 5,761 Reputation points

2024-07-10T07:49:48.81+00:00

@Guillaume ,
How to execute that script you've suggested?

Answer 2

Yakun Huang 85

Hi @Guillaume Dumont,

Since the permission that need to be granted Exchange.Manage are not permission for Microsoft Graph, it cannot be granted through a browser when granting that permission, only in the portal.

Like this:

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Guillaume Dumont 30 Reputation points

2024-04-02T13:52:41.09+00:00

Hi, it is possible to grant permissions that are not for Microsoft Graph. Here's an exemple with partner center. The consent flow is available for every permissions.
Yakun Huang 85 Reputation points

2024-04-08T01:36:55.0033333+00:00

Hi Guillaume Dumont

Thank you for your response. Yes, the consent flow is available for every permission. However, after testing, when granting the Exchange.Manage permission, there will be an error when using the consent flow, and the current solution uses the portal to grant permissions.

Share via

Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

1 additional answer

Your answer