Microsoft Universal Print: The token does not have one or more required security scopes. Client Credentials Flow

Oskar Berntorp (Novotek Sweden) 10 Reputation points
2024-09-19T08:38:22.0866667+00:00

Hi,

I am working with a solution where a client needs to use Microsoft Universal Print. I am using Microsoft Graph and the client credentials flow. After getting the access token via the credentials instance I have the following error upon making a request to the Graph API: The token does not have one or more required security scopes.

Using the JWT debugger below, I see no roles claim, which I have understood it should contain.

Questions:

1. Does anyone have a tip on how to overcome this problem?

2. If I understand the documentation of GetTokenAsync correctly, the result is cached in the client created with the clientSecretCredential as input?

3. I should not need to assign the token anywhere (the client or options object does not contain any property for it as I understand)?

Below is an example of the code that creates a Microsoft Graph client. Please note that I also call GetAccessToken just for myself to be able to compare the tokens, just to make sure there is no difference when it comes to the roles claim.

```csharp
// Requires: using System; using Azure.Identity; using Microsoft.Graph;
public MicrosoftGraphClient()
{
    try
    {
        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Configuring Graph client, tenantId {azureTenantId} clientId {azureClientId}");
        //accessToken = GetAccessToken();

        // ".default" requests the application permissions already granted to the app registration
        var scopes = new[] { "https://graph.microsoft.com/.default" };

        // Multi-tenant apps can use "common",
        // single-tenant apps must use the tenant ID from the Azure portal
        var options = new ClientSecretCredentialOptions
        {
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
        };

        // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential
        var clientSecretCredential = new ClientSecretCredential(azureTenantId, azureClientId, azureClientSecret, options);

        // Debug only: the next two lines write bearer tokens to the log file so they can be compared
        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Got Token {clientSecretCredential.GetTokenAsync(new Azure.Core.TokenRequestContext(scopes)).Result.Token}");
        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Got Token {GetAccessToken()}");

        GraphClient = new GraphServiceClient(clientSecretCredential, scopes);
        FileLogger.LogToFile($"MicrosoftGraphClient constructor: The Graph Client were successfully configured and created");
    }
    catch (Exception e)
    {
        FileLogger.LogToFile("Error in" + " " + "MicrosoftGraphClient constructor the Graph client was not created for the following reason:" + " " + e.Message + " " + "InnerException" + " " + e.InnerException + " " + "Exception Details" + " " + e);
    }
}
```

When I decode the token in the JWT decoder here:

JWT Debugger azurewebsites.net

Kindly

Oskar Berntorp

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

2 answers

  1. Yakun Huang-MSFT 4,395 Reputation points Microsoft Vendor
    2024-09-20T07:26:49.38+00:00

    Hi @Oskar Berntorp (Novotek Sweden)

    For this error, which is caused by insufficient permissions, you need to grant the appropriate application permissions to the application in Azure AD. You can do this in Azure, as shown below:

    User's image

    The exact permissions depend on the endpoint you need to access.

    See this document for more information about client credentials flows.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Oskar Berntorp (Novotek Sweden) 10 Reputation points
    2024-09-25T11:32:35.0466667+00:00

    Hi @Yakun Huang-MSFT ,

    I have tested setting different permissions, and I also have admin consent, but the roles claim is still missing. So from my perspective, the permissions seem right, but I have no roles claim. When this error is shown, what are the permissions needed? Is there a link that specifies them? I have followed the steps below:

    1. Create a print job and store the resulting document ID.
    2. Create an uploadSession for the document.
    3. Upload bytes to the created upload session.
    4. Start the print job.

    Regards Oskar
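
The check this thread turns on, whether the app-only token carries a `roles` claim, can be done locally instead of pasting a live token into a web page. The following is an added example, not code from either poster; the class name, the sample token and the required permission `PrintJob.ReadWrite.All` are assumptions made for illustration, and the permissions actually needed depend on the endpoint being called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenRoleCheck
{
    // Decode the payload (second segment) of a JWT locally. No signature check is done:
    // this is for inspecting claims while debugging, not for deciding to trust a token.
    public static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');      // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();                              // survives doc disposal
    }

    // Granted application permissions appear in an app-only token as the "roles" array.
    // Returns the required roles that the token does not carry.
    public static List<string> MissingRoles(JsonElement payload, IEnumerable<string> required)
    {
        var granted = new HashSet<string>(StringComparer.Ordinal);
        if (payload.TryGetProperty("roles", out var roles) && roles.ValueKind == JsonValueKind.Array)
            foreach (var r in roles.EnumerateArray()) granted.Add(r.GetString() ?? "");
        return required.Where(r => !granted.Contains(r)).ToList();
    }

    // Helper used only to build the constructed sample token below.
    private static string B64Url(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample: an unsigned token whose payload has no "roles" claim.
        var sample = B64Url("{\"alg\":\"none\"}") + "."
            + B64Url("{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"00000000-0000-0000-0000-000000000000\"}") + ".sig";
        var payload = DecodePayload(sample);
        // Assumed required permission, for illustration only.
        var missing = MissingRoles(payload, new[] { "PrintJob.ReadWrite.All" });
        Console.WriteLine($"aud = {payload.GetProperty("aud").GetString()}");
        Console.WriteLine(missing.Count == 0
            ? "All required roles present"
            : "Missing roles: " + string.Join(", ", missing));
    }
}
```

To inspect a real token, pass the string returned by `GetTokenAsync` to `DecodePayload` in place of the constructed sample, and print only the claims rather than the token itself.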

