This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 79%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOB%3C/text%3E%3C/svg%3E)
I want to read and upload documents to Sharepoint using Graph API. I followed this guide https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=http
I have a Single tenant application. I added Sites.ReadWrite.All application permission and got a consent from admin:
Now I'm testing this integration the same way as in the guide:
curl --location --request POST "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "client_id=${CLIENT_ID}" \
--data-urlencode "scope=https://graph.microsoft.com/.default" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode "grant_type=client_credentials"
Response contains access token, but I can not find "scp" or "roles" scopes after decoding it.
And of course the next request which includes this token returns an error:
curl --request GET "https://graph.microsoft.com/v1.0/sites/root" \
--header "Authorization: Bearer ${ACCESS_TOKEN}" \
--data ""
Response:
{"error":{"code":"AccessDenied","message":"Either scp or roles claim need to be present in the token.","innerError":{"date":"2024-04-04T13:37:12","request-id":"a88a29e8-46e6-4c90-a742-4b8203bd6cbe","client-request-id":"a88a29e8-46e6-4c90-a742-4b8203bd6cbe"}}}
What am I doing wrong? I've read a dozen similar questions but couldn't find an solution yet.
Hi @Oleg Beloglazov
You grant the "Sites.ReadWrite.All" application permission under the SharePoint REST API and not under the Graph API, so the permission is not synced into the Graph API token.
Now you just need to grant this permission under the Graph API:
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hi @Oleg Beloglazov
Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!
Hi @Oleg Beloglazov
Hope things are going well. I am writing to see if the above suggestions help. If there's anything else we can help, feel free to let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 76%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
I am getting the same error after having granted all the correct permissions including: "Sites.ReadWrite.All"
{
"error": {
"code": "AccessDenied",
"message": "Either scp or roles claim need to be present in the token.",
"innerError": {
"date": "2024-06-04T21:44:28",
"request-id": "xxxxxxxxxxxxxxxxxxxxx",
"client-request-id": "xxxxxxxxxxxxxxxxxxxxxxx"
}
}
}