Access request token for Graph API being generated without assigned roles

Question

Hello comrades,

I was hoping that someone might have some insight into an issue I am running into generating access tokens for an Azure App Registration. When using postman to request an access toke from the Microsoft identity platform /token endpoint, a token is generated, but the token seems to not include any of the roles assigned to the app registrations.

My app registration has the following access assigned and that access has been consented / granted by an admin as well.

SharePoint: Sites.Read.All

SharePoint: User.Read.All

I am then doing the following to generate the access token:

This successfully generates an access token. We were then using that access token to make the following request against the graph API:

We get a "401 Unauthorized" response with the message "General exception while processing". While investigating what was going on, we used the Microsoft token decoder tool, and it looks like the access tokens being created don't include the "Roles" claims type?

Are we doing something wrong as to where our initial token request is generating a token with no roles? We were following the steps outline in this Microsoft documentation: https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http

Thanks for the help!

Chris

Answer 1

Hello Chris LeMay,

To call https://graph.microsoft.com/v1.0/sites/root, using Client credentials flow, you need to grant Microsoft Graph Sites.Read.All application type API permission:

Generate access token:

Decode access token and check if Sites.Read.All role is present and aud must be https://graph.microsoft.com:

Use the below access token and call the Microsoft Graph API:

GET https://graph.microsoft.com/v1.0/sites/root :

---

If the resolution was helpful, kindly take a moment to accept the answer and upvote it 👍 it as a token of appreciation.