Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Guillaume Dumont 25 Reputation points
2024-03-29T14:30:31.13+00:00

Hi! When I ask for the delegated permission Exchange.Manage on the URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize, I receive the error in this question's title. The error says that the permission is asked on the Graph resourceId, but as seen below, the resourceId asked is outlook.office.com (00000002-0000-0ff1-ce00-000000000000). My application has the permission registered (see image below). I tried with scope 00000002-0000-0ff1-ce00-000000000000/Exchange.Manage, ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, https://outlook.office.com/ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, etc., all with the same error.

I'm using the auth code flow on an app with certificate and no client secrets.

Note that it works when I'm granting those permissions ("https://outlook.office.com/Calendars.Read", "https://outlook.office.com/Contacts.Read", "https://outlook.office.com/Mail.Read", "https://outlook.office.com/MailboxSettings.Read") using the same code.



Accepted answer
  1. Navya 3,915 Reputation points Microsoft Vendor
    2024-04-01T12:55:29.45+00:00

    Hi @Guillaume Dumont

    Thank you for posting this in Microsoft Q&A.

    A token can be acquired for multiple scopes if all those scopes belong to same resource. For example, in a single request you can acquire token for openid and offline_access scopes because they are part of Graph API resource. Exchange.Manage scope belongs to Microsoft 365 Mail API resource. To acquire token for your API, you will need to make a separate request as it is a completely different resource.

    In my environment, I successfully obtain the authorization code by making the HTTP request below. Please attempt the HTTP request mentioned below and inform me of any difficulties you encounter by providing a response through comments.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=93f3-e20de961633b
    &response_type=code
    &redirect_uri=
    https://login.microsoftonline.com/common/oauth2/nativeclient
    &response_mode=query
    &scope=Exchange.Manage (or) https://outlook.office.com/Exchange.Manage
    

    Authorization code: [image]

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.
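As an added illustration of the point made in this answer (this is example code, not part of the question or any answer on this page): scopes in one v2.0 authorization request must all belong to a single resource, so a client that needs Outlook scopes and Graph scopes has to run two authorization requests. The helper below groups requested scopes by resource, treating OpenID Connect scopes (openid, profile, email, offline_access) as resource-agnostic so they can ride along with any request, and builds one PKCE-protected authorize URL per resource. The client_id, redirect_uri and state values are placeholders. The rule that a bare scope name such as `Exchange.Manage` is resolved against Microsoft Graph is stated here as an assumption; it matches the AADSTS650053 message in the question, which names the Graph resource id.

```python
"""Group OAuth scopes by resource and build one v2.0 authorization request per
resource. Constructed example; client_id, redirect_uri and state are placeholders."""
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Resource identifiers that appear in the question.
GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"
OUTLOOK_RESOURCE = "https://outlook.office.com"

# OpenID Connect scopes are not tied to a resource and may accompany any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def resource_of(scope: str) -> str:
    """Return the resource a scope belongs to.

    Assumed v2.0 endpoint behaviour: 'https://host/Name' belongs to 'https://host',
    '<app-id>/Name' belongs to that app id, and a bare 'Name' is resolved against
    Microsoft Graph (which is what the question's bare 'Exchange.Manage' hit).
    """
    if scope in OIDC_SCOPES:
        return "*"  # resource-agnostic
    if "/" in scope:
        resource, _name = scope.rsplit("/", 1)
        return resource
    return GRAPH_RESOURCE


def group_scopes_by_resource(scopes: list[str]) -> dict[str, list[str]]:
    """Map each resource to the scopes requested for it, appending OIDC scopes to every group."""
    oidc = [s for s in scopes if s in OIDC_SCOPES]
    groups: dict[str, list[str]] = {}
    for s in scopes:
        if s in OIDC_SCOPES:
            continue
        groups.setdefault(resource_of(s), []).append(s)
    if not groups and oidc:
        groups["*"] = list(oidc)  # sign-in only, no resource scopes requested
    for resource in groups:
        groups[resource] = groups[resource] + [o for o in oidc if o not in groups[resource]]
    return groups


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_urls(client_id: str, redirect_uri: str, scopes: list[str],
                         state: str, code_challenge: str) -> dict[str, str]:
    """Build one authorization URL per resource; each URL carries only that resource's scopes."""
    urls: dict[str, str] = {}
    for resource, group in group_scopes_by_resource(scopes).items():
        params = {
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "response_mode": "query",
            "scope": " ".join(group),
            "state": state,
            "code_challenge": code_challenge,
            "code_challenge_method": "S256",
        }
        urls[resource] = f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
    return urls


def scopes_in_url(url: str) -> list[str]:
    """Read back the space-separated scope list from a built authorize URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split(" ")


if __name__ == "__main__":
    # Constructed request mixing Outlook scopes (from the question) with a Graph scope.
    wanted = ["https://outlook.office.com/Mail.Read",
              "https://outlook.office.com/Exchange.Manage",
              "User.Read", "offline_access"]
    _verifier, challenge = pkce_pair()  # keep _verifier for the token exchange
    for resource, url in build_authorize_urls("client-id-placeholder",
                                              "https://localhost/callback",
                                              wanted, "state-placeholder",
                                              challenge).items():
        print(resource, "->", url)
```

Each URL is then used for its own authorization round trip (and its own token exchange, redeeming the code with the stored code_verifier), which yields one access token per resource instead of one request that the endpoint rejects.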


2 additional answers

  1. Yakun Huang 80 Reputation points
    2024-04-01T08:05:39.0766667+00:00

    Hi @Guillaume Dumont,

    Since the permission that needs to be granted, Exchange.Manage, is not a permission for Microsoft Graph, it cannot be granted through a browser when granting that permission, only in the portal.

    Like this: [image]

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Jack Hammond 0 Reputation points
    2024-04-15T15:35:35.8433333+00:00

    I've recently come across this issue as well and can confirm the behaviour is the same. When I add the Exchange.Manage permission to my application and I do not pre-approve then I get the error. If I approve then it works and I can see the claim is added to the JWT scopes once I complete the token exchange.

    This will be a problem for us, as the whole idea we are currently developing against is that an administrator can just be prompted to approve using the usual consent flow, after which we can then use the JWT to carry out actions on their behalf, and having to pre-approve completely breaks this flow.

    Is there any idea on when this might be fixed?
