GuruKarnik-6372 asked totallyGizmo commented

Invalid Scope for grant_type client credentials but works for grant_type password

I'm able to generate an OAuth bearer token against https://login.microsoft.com/<tenant_id>/oauth2/v2.0/token with the following params:

client_id, tenant, grant_type : password, client_secret, scope: api://<guid>/Employees.Read, username and password.

However, if I change the grant_type to client_credentials and exclude username and password, I am able to generate the token only when the scope is api://<guid>/.default. If I pass a specific scope as in the previous case, I get an invalid_scope error.

Why is this so?

Tags: azure-active-directory, azure-ad-authentication

1 Answer

soumi-MSFT answered totallyGizmo commented

Hello @GuruKarnik-6372, thank you for reaching out. There can be a couple of reasons for these errors. Let's check them out one by one:

When you prepare the request to fetch a token from AAD using the Resource_Owner_Password_Grant_Flow of OAuth with the following parameters:
client_id, tenant, grant_type : password, client_secret, scope: api://<guid>/Employees.Read, username and password.

It works, I believe, because you have used delegated permissions. However, when you update the grant_type from password to client_credentials and then specify a specific scope, let's say https://graph.microsoft.com/User.Read, it would throw the following error:

 AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/User.Read is not valid.
 Trace ID: 99018132-68a0-4329-b624-3f7d29e41e01
 Correlation ID: 6ee20c43-2e13-4267-bb00-6fc35aa25529
 Timestamp: 2020-10-27 07:42:46Z

The reason behind that is that the client_credentials flow of OAuth requires application permissions to work, but instead you provided a delegated permission (user permission), and hence it rejected the scope with that error.

I tried to repro the same and I too get the same error when I use a specific permission. Please refer to the screenshots below:

Resource_Owner_Password_Grant_Flow:
[screenshot: 35383-ropc.png]

Modified the same request and updated the grant_type to "Client_Credentials", and it worked as you mentioned:
[screenshot: 35326-clientcredentialsflow.png]

Up to this point it works, as the permission User.Read has been granted admin consent and api://<guid>/.default lists all the permissions that have been added in the app registration of this app. Since Client_Credentials only supports application permissions, even though AAD would issue you an access token, that access token won't have the user.read permission, as that is a delegated permission and not an application permission.

But as soon as you specify a specific permission like api://<guid>/user.read (or, in my case, https://graph.microsoft.com/User.Read), AAD threw the invalid_scope error:
[screenshot: 35310-clientcredentialsflow-withscopeerror.png]

Summary: To get this working, you would either have to use /.default, or, if trying to specify a specific permission, it has to be an application permission for it to work with the Client_Credentials flow.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.
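As an added illustration of the rule in this answer (not code from the thread or from Microsoft), here is a small Python helper that builds the v2.0 token request against login.microsoftonline.com, refuses a delegated scope for client_credentials before the call is made, and turns an AADSTS70011 error body into a one-line diagnosis. The function names build_token_request and diagnose_token_error, the tenant and client values, and the sample error body are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint (login.microsoftonline.com).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret, scope,
                        grant_type="client_credentials", username=None, password=None):
    """Return (url, form body) for a v2.0 token call, enforcing the scope rule
    from the answer: client_credentials carries application permissions only,
    which the v2.0 endpoint expresses as '<resource>/.default'; a delegated scope
    like 'api://<guid>/Employees.Read' is refused locally instead of by AAD."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": grant_type, "scope": scope}
    if grant_type == "client_credentials":
        if not scope.endswith("/.default"):
            raise ValueError(
                f"client_credentials needs a '<resource>/.default' scope, got {scope!r}")
    elif grant_type == "password":  # ROPC: a delegated scope is valid here
        if not (username and password):
            raise ValueError("password grant needs username and password")
        form.update(username=username, password=password)
    else:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def diagnose_token_error(body):
    """Turn an AAD error response (JSON text) into a one-line diagnosis."""
    err = json.loads(body)
    code, desc = err.get("error"), err.get("error_description", "")
    if code == "invalid_scope" and "AADSTS70011" in desc:
        return ("invalid_scope (AADSTS70011): scope not valid for this grant; with "
                "client_credentials use '<resource>/.default' or an application "
                "permission exposed by that resource, not a delegated one")
    return f"{code}: {desc.splitlines()[0] if desc else ''}"


# Constructed sample error body, modelled on the AADSTS70011 message quoted above.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_scope", "error_codes": [70011],
    "error_description": "AADSTS70011: The provided request must include a 'scope' "
                         "input parameter. The provided value for the input parameter "
                         "'scope' is not valid. The scope "
                         "https://graph.microsoft.com/User.Read is not valid.",
})

if __name__ == "__main__":
    url, body = build_token_request("contoso.onmicrosoft.com", "<client_id>",
                                    "<client_secret>", "api://<guid>/.default")
    print(url, body, diagnose_token_error(SAMPLE_ERROR), sep="\n")
```

The same delegated scope that the password grant accepts is rejected by build_token_request for client_credentials, which is exactly the behaviour AAD shows with its AADSTS70011 response.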

I would be interested to know the current settings that would be required to update in https://portal.azure.com to be able to grant application permission. Currently, User.Read only shows up as a delegated permission. This reproduces all the errors noted above. Any insight would be helpful.

@soumi-MSFT
