The application asked for scope that doesn't exist on the resource



I am implementing a login with Microsoft on my Saas application, everything works with the account on my azure tenant and with personnal accounts.

However as I want my customers being able to use this feature, I joined the Microsoft 365 developer program to simulate a customer organization, but it doesn't work.

Here is the error I get when I try to login :

invalid_client error_description=AADSTS650053: The application 'XXX' asked for scope 'Calendars.ReadWrite,User.Read,openid,email,profile,offline_access' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

My application is configured to be multi-tenant and it allows any type of account to log in.

As I am not familiar with the Microsoft 365 ecosystem, I don't fully understand what I should do to make it work. By the way I tried to add API permissions matching the scope I use, but it didn't help. I thought that I would only have to make my app multi-tenant, add the needed permissions and then anyone, whether a personnal account or one from an organization would be able to log into my app.

Thank you for you help.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,627 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,871 questions
{count} votes

1 answer

Sort by: Most helpful
  1. soumi-MSFT 11,721 Reputation points Microsoft Employee

    Hello anonymous user, as the error says the following scopes are not listed in your app registration. So to get rid of this issue, you can try the following steps:

    Go to the app registration blade in Azure AD find the corresponding app registration whose App ID is mentioned in the error.
    Once you find the app, go to its API Permissions section and then check if the following permissions are listed there or not:

    • Calendars.ReadWrite
    • User.Read

    If these permissions are not present there, select the "Add a permission" option and then select "Microsoft Graph API"
    Based on the type of token you require select the appropriate option like delegated permission (if you want to access token in user's context) and application permission (if you want the access-token in application's context) and then search for the two permissions "Calendars.ReadWrite" and "User.Read" and add them by selecting "Add permissions"

    Once the permissions are added successfully to your App Registration then give it a try it should work, as now the scopes mentioned in the request should be available.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer; if the above response helped in answering your query.

    1 person found this answer helpful.