Cannot request custom scope from Graph API with clientCredential flow

Time: 09-17

I'm trying to request an access token from Graph with the following scope: AppRoleAssignment.ReadWrite.All. I have granted the API the required scopes, so this shouldn't be a problem.

// cca is an @azure/msal-node ConfidentialClientApplication, configured with
// the app's client ID, tenant authority and client secret/certificate.
const ccrRequest = {
    scopes: ["https://graph.microsoft.com/AppRoleAssignment.ReadWrite.All"],
};
// acquireTokenByClientCredential resolves to an AuthenticationResult;
// the bearer token itself is its accessToken property.
const result = await cca.acquireTokenByClientCredential(ccrRequest);
const accessToken = result.accessToken;

The cca is a ConfidentialClientApplication and I have triple-checked that my configuration is correct.

When I try to acquire my scope, I get the following error:

1002012 - [2021-09-15 12:15:42Z]: AADSTS1002012: The provided value for scope https://graph.microsoft.com/AppRoleAssignment.ReadWrite.All openid profile offline_access is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\n'

Obviously the error tells me to use the /.default scope (though I don't really know why). But according to the documentation, the /.default scope should give me all my application scopes. This does not happen, however:

0:'https://graph.microsoft.com/.default'
1:'openid'
2:'profile'
3:'offline_access'

Above are the scopes that are supplied with my access token when I request the https://graph.microsoft.com/.default scope. Naturally, this does not represent the permissions which I have granted my API in the portal.

When I execute my fetch() request, I therefore get the following error:

Insufficient privileges to complete the operation.

Is there something fundamental about the ClientCredentials flow that I'm missing here?

CodePudding user response:

You need to go to the app registration's API permissions tab, add the Application permission (not delegated permission) that you need on Microsoft Graph API, and then run admin consent as an Application Administrator at minimum. Then you should be able to use the /.default scope and get the needed permission in the roles claim of the access token.

Openid, profile and offline_access scopes do not make sense in a client credentials scenario. There is no user so openid and profile scopes do nothing. The offline_access scope is not needed as you do not need a refresh token. You have the credentials and can use them whenever you need a new token.
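To make the answer concrete, here is an added example (not code from the question or the answer) that rewrites a permission-style scope into the `<resource>/.default` form the client credentials grant requires, and then checks the returned token's `roles` claim for the application permission before any Graph call is made. It assumes `cca` is the @azure/msal-node ConfidentialClientApplication from the question; the token it inspects is a constructed, unsigned sample.

```javascript
// Client credential flows only accept "<resource>/.default": keep the
// application ID URI and drop the permission name.
function toDefaultScope(scope) {
  const url = new URL(scope);
  return `${url.origin}/.default`;
}

// Decode a JWT payload without verifying it. This only inspects a token
// the app itself just received from the token endpoint; Graph, not this
// code, validates the signature when the token is presented.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Application permissions appear in the `roles` claim (delegated ones
// would be in `scp`). A missing role means admin consent for that
// Application permission was not granted, and Graph will answer 403.
function hasAppRole(token, role) {
  const claims = decodeJwtPayload(token);
  return Array.isArray(claims.roles) && claims.roles.includes(role);
}

// Constructed sample token: base64url header and payload, placeholder
// signature. A real token comes from acquireTokenByClientCredential.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  b64url({ alg: "none", typ: "JWT" }),
  b64url({ aud: "https://graph.microsoft.com",
           roles: ["AppRoleAssignment.ReadWrite.All"] }),
  "signature-placeholder",
].join(".");

// Assumed helper: request the Graph token with the /.default scope and
// refuse to proceed if the expected application permission is absent.
async function getGraphAppToken(cca, permissionScope) {
  const role = new URL(permissionScope).pathname.slice(1);
  const result = await cca.acquireTokenByClientCredential({
    scopes: [toDefaultScope(permissionScope)],
  });
  if (!hasAppRole(result.accessToken, role)) {
    throw new Error(`token lacks application permission ${role}`);
  }
  return result.accessToken;
}
```

Checking `roles` up front turns the vague "Insufficient privileges" 403 from Graph into a clear consent error at token acquisition time.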
