Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Guillaume Dumont 0 Reputation points
2024-03-29T14:30:31.13+00:00

Hi! When I ask for the delegated permission Exchange.Manage on the url https://login.microsoftonline.com/common/oauth2/v2.0/authorize, I receive the error in this question title. The error says that the permission is asked on the Graph ressourceId, but as seen bellow, the ressourceId asked is outlook.office.com (00000002-0000-0ff1-ce00-000000000000). My application has the permission registered (see image bellow). I tryed with scope 00000002-0000-0ff1-ce00-000000000000/Exchange.Manage, ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, https://outlook.office.com/ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, etc. all with the same error.

I'm using the auth code flow on an app with certificate and no client secrets.

Note that it works when I'm granting those permissions ("https://outlook.office.com/Calendars.Read", "https://outlook.office.com/Contacts.Read", "https://outlook.office.com/Mail.Read", "https://outlook.office.com/MailboxSettings.Read") using the same code.

User's image

User's image

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,476 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,151 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,321 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Yakun Huang 80 Reputation points
    2024-04-01T08:05:39.0766667+00:00

    Hi @Guillaume Dumont,

    Since the permission that need to be granted Exchange.Manage are not permission for Microsoft Graph, it cannot be granted through a browser when granting that permission, only in the portal.

    Like this:1

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Navya 3,600 Reputation points Microsoft Vendor
    2024-04-01T12:55:29.45+00:00

    Hi @Guillaume Dumont

    Thank you for posting this in Microsoft Q&A.

    A token can be acquired for multiple scopes if all those scopes belong to same resource. For example, in a single request you can acquire token for openid and offline_access scopes because they are part of Graph API resource. Exchange.Manage scope belongs to Microsoft 365 Mail API resource. To acquire token for your API, you will need to make a separate request as it is a completely different resource.

    In my environment, I successfully obtain the authorization code by making a below HTTP request.Please attempt the HTTP request mentioned below and inform me of any difficulties you encounter by providing a response through comments.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=93f3-e20de961633b
    &response_type=code
    &redirect_uri=
    https://login.microsoftonline.com/common/oauth2/nativeclient
    &response_mode=query
    &scope=Exchange.Manage (or) https://outlook.office.com/Exchange.Manage
    

    Authorization code:User's image

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.


  3. Jack Hammond 0 Reputation points
    2024-04-15T15:35:35.8433333+00:00

    I've recently come across this issue as well and can confirm the behaviour is the same. When I add the Exchange.Manage permission to my application and I do not pre-approve then I get the error. If I approve then it works and I can see the claim is added to the JWT scopes once I complete the token exchange.

    This is will be a problem for us as the whole idea we are currently developing against is that an administrator can just be prompted to approve using the usual consent flow after which we can then use the JWT to carry out actions on their behalf and having to pre-approve completely breaks this flow.

    Is there any idea on when this might be fixed?

    0 comments No comments