Microsoft Graph API - OAuth 2.0 Scopes

Artha Wijendra 131 Reputation points
2020-05-21T03:19:29.1+00:00

Hi,

I define an app with the following Microsoft Graph permissions in Azure

Users.Read
Sites.Read

then I use Postman to fetch the Auth Token via https://login.microsoftonline.com/{directoryId}/oauth2/v2.0/token

The key values pairs I use are

grant_type = client_credentials
client_id = {azureApp_clientId}
client_secret = {azureApp_clientSecret}
scope = https://graph.microsoft.com/.default

The above works fine and returns with Auth Token

However, I am wondering whether the permissions mentioned above are tied to the scopes; let's say when fetching the auth token I want to say that my scope is just Users.Read.

But alas I cannot use https://graph.microsoft.com/users.read etc in the scope as it errors out with AADSTS70011: The provided request must include a scope input parameter

  1. Are there other scopes that I can use for graph API other than https://graph.microsoft.com/.default ?
  2. I might need to send multiple scopes as well, and believe multiple scopes can be defined with the space as the separator?

Accepted answer
  Artha Wijendra 131 Reputation points
    2020-05-22T12:55:47.553+00:00

    Thanks @Ryan Hill ,

    In my case I have to perform the server-based flow (one configured user) to a customer's SharePoint site via Microsoft Graph. How about I use the ROPC flow? Here I can provide detailed scopes like https://graph.microsoft.com/User.Read, https://graph.microsoft.com/Sites.Read to fetch the access token.

    Wondering whether the use of ROPC would allow me to have finer-level access, as I define a user on the token fetch. Will SharePoint user-level access (sites, documents) come into play (or will it just be the high-level app-based access/permission levels)?

    1 person found this answer helpful.

1 additional answer

  Ryan Hill 27,026 Reputation points Microsoft Employee
    2020-05-22T04:42:14.983+00:00

    Hi @Artha Wijendra ,

    As you pointed out, /.default is a scope used by your app to get the token (see here). Since it appears you're using the client credential flow, the scopes will be the "scp" property in the payload of the JWT token.

    For using other scopes, have a look at the on-behalf-of flow. That should get the token on behalf of the logged in user that has granted those scopes separated by space (yes you are correct) to your application.

    Hope this helps.

    1 person found this answer helpful.
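The following is an added example, not code from either poster or from Microsoft. It shows the two points raised in the thread in runnable form: how the `scope` parameter differs between the client credentials flow (only the resource-wide `.default` scope, which requests every application permission an admin has consented to) and delegated flows (individual permissions separated by spaces), and how to inspect which permissions a returned token actually carries. App-only tokens list application permissions in the `roles` claim, while delegated tokens list the user's consented scopes in `scp`, so the inspection checks both. The endpoint and placeholder values come from the question; the sample token is constructed locally and unsigned, and the decoder is for inspection only, never for accepting a token as authentic.

```python
import base64
import json
from urllib.parse import urlencode

# Values from the question; the braces are placeholders for your own tenant/app.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{directoryId}/oauth2/v2.0/token"
GRAPH_RESOURCE = "https://graph.microsoft.com/"


def build_scope(permissions=None):
    """Build the OAuth 2.0 'scope' parameter for Microsoft Graph.

    With the client credentials flow only the resource-wide '.default' scope is
    accepted (it means "all application permissions consented for this app").
    Delegated flows (on-behalf-of, auth code) take individual permissions
    joined by single spaces.
    """
    if not permissions:
        return GRAPH_RESOURCE + ".default"
    return " ".join(GRAPH_RESOURCE + p for p in permissions)


def client_credentials_body(client_id, client_secret):
    """Form-encoded body of the token request described in the question."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": build_scope(),
    })


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Return the claims of a JWT WITHOUT verifying its signature.

    Use this only to look at what a token contains. Any code that relies on
    a token must validate the signature, issuer, audience and expiry instead.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims):
    """Set of Graph permissions the token carries.

    App-only tokens (client credentials) put application permissions in the
    'roles' claim as a list; delegated tokens put the user's consented
    scopes in 'scp' as one space-separated string.
    """
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def make_unsigned_jwt(claims):
    """Constructed test token with an empty signature (not a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print("POST", TOKEN_ENDPOINT)
    print(client_credentials_body("{azureApp_clientId}", "{azureApp_clientSecret}"))
    # Constructed app-only token: permissions appear under 'roles', not 'scp'.
    sample = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                "roles": ["User.Read.All", "Sites.Read.All"]})
    print(sorted(granted_permissions(decode_jwt_payload(sample))))
```

Running the script prints the request body for the `.default` client credentials call and the permissions found in the constructed token. Decoding the real token you get back from Postman the same way answers the original question directly: whatever is listed under `roles` (or `scp` for a delegated token) is the effective permission set, regardless of which individual scopes you would have liked to request.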