Microsoft Graph API - OAuth 2.0 Scopes

Artha Wijendra 131 Reputation points


I define an app with the following Microsoft Graph permissions in Azure


Then I use Postman to fetch the auth token via {directoryId}/oauth2/v2.0/token

The key-value pairs I use are

grant_type = client_credentials
client_id = {azureApp_clientId}
client_secret = {azureApp_clientSecret}
scope =

The above works fine and returns an auth token.

However, I am wondering whether the permissions mentioned above are tied to the scopes; let's say when fetching the auth token I want to say that my scope is just Users.Read.

But alas, I cannot use etc. in the scope, as it errors out with AADSTS70011: The provided request must include a scope input parameter.

  1. Are there other scopes that I can use for the Graph API other than ?
  2. I might need to send multiple scopes as well, and believe multiple scopes can be defined with a space as the separator?

Accepted answer
  1. Artha Wijendra 131 Reputation points

    Thanks @Ryan Hill ,

    In my case I have to perform the server-based flow (one configured user) to a customer's SharePoint site via Microsoft Graph. How about I use the ROPC flow? Here I can provide detailed scopes like, to fetch the access token.

    Wondering whether the use of ROPC would allow me to have finer-level access, as I define a user on the token fetch. Will SharePoint user-level access (sites, documents) come into play (or will it just be the high-level app-based access/permission levels)?

    1 person found this answer helpful.

1 additional answer

  1. Ryan Hill 27,026 Reputation points Microsoft Employee

    Hi @Artha Wijendra ,

    As you pointed out, /.default is a scope used by your app to get the token (see here). Since it appears you're using the client credential flow, the scopes will be the "scp" property in the payload of the JWT token.

    For using other scopes, have a look at the on-behalf-of flow. That should get the token on behalf of the logged in user that has granted those scopes separated by space (yes you are correct) to your application.

    Hope this helps.

    1 person found this answer helpful.
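As an added illustration of the two points raised in this thread (the scope value a client-credentials request must carry, and where the granted permissions show up in the returned JWT), the following Python is example code written for this page, not code from the asker or from Microsoft. It assumes the standard v2.0 token endpoint on login.microsoftonline.com and the Graph resource URL https://graph.microsoft.com; the tenant, client ID and secret are placeholders, and the sample tokens are constructed inline (unsigned, for offline inspection only). The inspection helper reports the `scp` claim the answer mentions for delegated tokens and also the `roles` claim, which is where app-only (client-credentials) tokens list their application permissions.

```python
import base64
import json
from urllib.parse import urlencode

# Scope that requests every application permission already consented for the app
# (the /.default form referred to in the answer). The Graph resource URL is a known value.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scopes=None):
    """Return (url, form_body) for a v2.0 client-credentials token request.

    Raises ValueError for scopes such as 'User.Read' that are not valid on this
    grant; with client_credentials only '<resource>/.default' is accepted, which
    is the situation behind the AADSTS70011 error quoted in the question.
    """
    scopes = scopes or [GRAPH_DEFAULT_SCOPE]
    invalid = [s for s in scopes if not s.endswith("/.default")]
    if invalid:
        raise ValueError(
            f"client_credentials accepts only '<resource>/.default' scopes, got {invalid}"
        )
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),  # multiple scopes are separated by a space
    })
    return url, body


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Return the JSON payload of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(token):
    """Report which permissions a token carries and of which kind.

    Delegated (user) tokens list permissions space-separated in 'scp';
    app-only tokens list application permissions as an array in 'roles'.
    Returns ('delegated', [...]) or ('application', [...]).
    """
    payload = decode_jwt_payload(token)
    if "scp" in payload:
        return "delegated", payload["scp"].split()
    return "application", list(payload.get("roles", []))


def _make_sample_token(payload):
    """Constructed sample token for offline demonstration (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample payloads: one app-only token, one delegated token.
APP_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "roles": ["User.Read.All", "Sites.Read.All"],
})
USER_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Sites.Read.All",
})


if __name__ == "__main__":
    url, body = build_token_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
    print(url)
    print(body)
    for label, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        print(label, granted_permissions(tok))
```

Run as a script it prints the request that Postman would send and the permission lists recovered from the two sample tokens; point `granted_permissions` at a real access token to confirm which permissions the token actually carries before deciding whether a narrower scope is needed.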