![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 39%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
255 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 15%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOI%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 49%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIT%3C/text%3E%3C/svg%3E)
Hello, Matt Pattoli
Thank you for your feedback. I understand the challenges you've encountered while building OAuth for the Bing Webmaster API, particularly the inability to locate the corresponding permissions in the Azure AD application registration and receiving an “Invalid Client” error. This is a common yet confusing issue, as the permission management approach for the Bing Webmaster API differs slightly from that of the Microsoft Graph API and others.
Here are some troubleshooting solutions:
- The correct scope for the Bing Webmaster API
The resource URI (or “Audience”) for the Bing Webmaster API is:
https://webmaster.bing.com/api/
The specific scope used for management is:
webmaster.manage
This means that in your OAuth authorization request, you need to set the scope parameter to https://webmaster.bing.com/api/webmaster.manage.
Why isn't it listed in the Azure AD portal?
For some Microsoft first-party services, especially those requiring specific partner or developer center approval, API permissions are typically not selected through the “Add permissions” list in the Azure AD application registration interface. Instead, you indicate that your application needs access to the API by requesting a specific Scope in the OAuth flow, and users will then see a consent page requesting them to authorize your application to access their Bing Webmaster data.
- Resolving the “Invalid Client” error
The “Invalid Client” error is typically not due to missing permission configurations in the Azure AD portal, but rather one of the following common causes:
Incorrect client_id (application ID): Ensure that the client_id used in your OAuth request exactly matches the “Application (client) ID” generated in your Azure AD application registration.
redirect_uri mismatch: This is one of the most common issues. The redirect_uri you provide in the OAuth request must exactly match one of the “Redirect URIs” configured in your Azure AD application registration, including case sensitivity and the trailing slash.
Client key issue (if your app is a secret client): If your app is a “secret client” (e.g., a web app or backend service) and you are using the authorization code flow to obtain an access token, you must provide a valid client key. Ensure that the key has not expired and is correctly passed in the request.
Application type mismatch:
If you are building a public client (e.g., desktop app or mobile app), you should set “Allow public client flows” to ‘Yes’ under “Advanced settings” in the “Authentication” section of the Azure AD app registration. Public clients typically do not use client keys.
If you are building a web application or backend service (secret client), ensure that you have correctly configured the client key.
Authorization request parameter error: Check that all parameters in your authorization request URL (client_id, response_type, redirect_uri, scope, state, etc.) are correct.
You mentioned that you have been approved in Partner Center and added the MPN number, which is a necessary step for accessing the Bing Webmaster API itself. However, this is an independent issue from the “Scope not found” or “Invalid Client” errors in the Azure AD OAuth process.
We recommend using Postman or a similar tool to test your OAuth flow step by step, as this will allow you to clearly see the requests and responses for each step and identify the specific issue.
I look forward to your feedback.
Best regards,
Ian Trinh | Microsoft Q&A Specialist