2

I'm trying to get the access token for the Microsoft Graph API in order to access a SharePoint document library. My application is a Windows service, hence I'm following the procedure described here.

But when I try to get the access token, the response that I get doesn't have the scope value. Below is my response:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "expires_on":"1492452559",
  "not_before": "1492448659",
  "resource": "https://graph.microsoft.com",
  "access_token": "Token"
}

Because of this, when I try to query the Graph API with this access token, I'm getting an error saying: Either scp or roles claim need to be present in the token

Can someone please help me on how to get this working? Thanks in advance.

4
  • Did you replace a really long piece of text with Token? Commented Apr 18, 2017 at 6:10
  • Could you check the access token in a service such as jwt.io and check if there really are no scopes there. You could even paste some of the contents here (with all the private info redacted/replaced of course). Could you also mention the URL you are trying to call with the token? Could you also mention what permissions you have granted for the app in Azure AD? If those are fine, then it could be a consent problem. Commented Apr 18, 2017 at 6:24
  • Hi Junnas, I have given the Application Permissions: Read and Write files in all site collections, which requires admin consent. Could you please tell me how the admin consent can be given? Thanks, Commented Apr 18, 2017 at 10:18
  • 1
    This is the URL to get the admin consent: login.microsoftonline.com/common/oauth2/authorize?client_id=<CLIENT-ID>&redirect_uri=<REDIRECT-URI>&resource=<RESOURCE-ID>&response_type=code&response_mode=form_post&prompt=admin_consent Got this working. Thanks Commented Apr 18, 2017 at 16:09

1 Answer

1

It seems your client application hasn't set the appropriate app permissions when using the client credential flow. Below is an illustration of the application permissions section in the Azure AD classic portal. Please select the appropriate permissions needed and retry:

In addition, when using the client credential flow to get the access token, you can check the roles claims in the access token (that is the way to check the app permissions, not in the token response), using a tool like http://jwt.calebb.net/ to decode the access token and check the app permissions:


2 Comments

Thanks for the reply Nan yu, I decoded the access token, I don't see any key called roles. I have given the application permissions for the app in the Azure AD, but it looks like the admin consent has not been given. Could you please tell how could the admin consent be given? Thanks.
This is the URL to get the admin consent: login.microsoftonline.com/common/oauth2/authorize?client_id=<CLIENT-ID>&redirect_uri=<REDIRECT-URI>&resource=<RESOURCE-ID>&response_type=code&response_mode=form_post&prompt=admin_consent Got this working. Thanks.
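
The check the answer describes (look for `roles` or `scp` inside the access token itself, not in the token response) can be run locally, which also keeps a live bearer token off third-party decoder sites. This is an added example, not code from the original thread; the function names are hypothetical and the two sample tokens, including the `Files.ReadWrite.All` value, are constructed for illustration.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def graph_permissions(token: str) -> dict:
    """Summarise the permission claims Graph looks for in an access token."""
    claims = decode_jwt_payload(token)
    roles = claims.get("roles") or []        # application permissions (app-only token)
    scp = (claims.get("scp") or "").split()  # delegated permissions, space separated
    return {
        "audience": claims.get("aud"),
        "roles": list(roles),
        "scp": scp,
        "usable": bool(roles or scp),  # neither present -> the error in the question
    }


def _make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Azure AD token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed sample tokens: before and after admin consent was granted.
BEFORE = _make_sample_token({"aud": "https://graph.microsoft.com", "appid": "<CLIENT-ID>"})
AFTER = _make_sample_token({"aud": "https://graph.microsoft.com", "appid": "<CLIENT-ID>",
                            "roles": ["Files.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("before consent", BEFORE), ("after consent", AFTER)):
        print(name, graph_permissions(tok))
```

The signature is deliberately not verified here, so use the output only to inspect a token your own service obtained, never to make an authorization decision.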
