RESOLVED - the solution is to us an application token rather that the user level token
POST https:// login.microsoftonline.com/401e70.....d0/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
client_id= ce...b
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret= K1e....u
&grant_type=client_credentials