question

Amaw-0282 asked ·

Microsoft Graph API - OAuth 2.0 Scopes

Hi,

I define an app with the following Microsoft Graph permissions in Azure:

Users.Read
Sites.Read

Then I use Postman to fetch the auth token via https://login.microsoftonline.com/{directoryId}/oauth2/v2.0/token

The key/value pairs I use are:

grant_type = client_credentials
client_id = {azureApp_clientId}
client_secret = {azureApp_clientSecret}
scope = https://graph.microsoft.com/.default

The above works fine and returns an auth token.

However, I am wondering whether the permissions mentioned above are tied to the scopes; let's say when fetching the auth token I want to say that my scope is just Users.Read.

But alas, I cannot use https://graph.microsoft.com/users.read etc. in the scope, as it errors out with AADSTS70011: The provided request must include a scope input parameter

  1. Are there other scopes that I can use for graph API other than https://graph.microsoft.com/.default ?

  2. I might need to send multiple scopes as well, and believe multiple scopes can be defined with the space as the separator?

azure-webapps azure-ad-graph

Amaw-0282 answered ·

Thanks @ryanchill,

In my case I have to perform the server-based flow (one configured user) to a customer's SharePoint site via Microsoft Graph. How about I use the ROPC flow? Here I can provide detailed scopes like https://graph.microsoft.com/User.Read, https://graph.microsoft.com/Sites.Read to fetch the access token.

Wondering whether the use of ROPC would allow me to have finer-level access, as I define a user on the token fetch. Will SharePoint user-level access (sites, documents) come into play (or will it just be the high-level app-based access/permission levels)?


Hi @Amaw-0282,

Yes, you can use the ROPC flow in this case, as you want to use a configured user context, and as you said you can provide detailed scopes like https://graph.microsoft.com/User.Read, https://graph.microsoft.com/Sites.Read to fetch the access token.

Since the token is issued to a specific user account in this case, the user will get access to the permissions configured in SharePoint for that user as well. The delegated permissions, such as https://graph.microsoft.com/User.Read, https://graph.microsoft.com/Sites.Read, will come into play when the Graph API would want to perform these actions on behalf of the user.

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


ryanchill answered ·

Hi @Amaw-0282,

As you pointed out, /.default is a scope used by your app to get the token (see here). Since it appears you're using the client credential flow, the scopes will be the "scp" property in the payload of the JWT token.

For using other scopes, have a look at the on-behalf-of flow. That should get the token on behalf of the logged-in user that has granted those scopes, separated by spaces (yes, you are correct), to your application.

Hope this helps.

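The two token requests discussed in this thread (client credentials with `/.default` from the question, and a user-context request with explicit space-separated Graph scopes from the answers), plus a small check of what the returned token actually carries, as an added example that is not code from the question or from any answer. The tenant id, client id, client secret and the sample tokens are constructed placeholders. An app-only token from the client-credentials flow lists its application permissions in the `roles` claim, while a delegated token (ROPC, auth code, on-behalf-of) lists the granted scopes in `scp`, so decoding the payload shows which kind of access a token grants before it is used. The decoder only parses the payload; it does not verify the signature, which is the resource's job, so its output is for inspection, not for authorization decisions. Note that ROPC hands the user's password to the application and does not work with MFA, which is why the auth-code or on-behalf-of flows are usually preferred for user context.

```python
import base64
import json
from typing import Dict, List

GRAPH = "https://graph.microsoft.com"
# Token endpoint as used in the question; {tenant} is filled in by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def graph_scope(*permissions: str) -> str:
    """Build the v2.0 'scope' parameter: full resource URIs separated by spaces."""
    return " ".join(f"{GRAPH}/{p}" for p in permissions)


def client_credentials_body(client_id: str, client_secret: str) -> Dict[str, str]:
    """App-only request. The v2.0 endpoint requires the /.default scope here;
    the permissions granted are the application permissions consented in Azure."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }


def ropc_body(client_id: str, client_secret: str, username: str,
              password: str, permissions: List[str]) -> Dict[str, str]:
    """User-context request (ROPC) with explicit delegated scopes."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": graph_scope(*permissions),
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Parses only; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token: str) -> dict:
    """Summarise audience, kind (app-only vs delegated) and granted permissions."""
    claims = jwt_payload(token)
    scp = claims.get("scp")        # delegated scopes, space-separated string
    roles = claims.get("roles")    # application permissions, list of strings
    if scp:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "unknown"
    return {
        "audience": claims.get("aud"),
        "kind": kind,
        "scopes": scp.split() if scp else [],
        "roles": list(roles) if roles else [],
        "user": claims.get("upn") or claims.get("preferred_username"),
    }


def _sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples mirroring the two flows; claim names are the real ones.
APP_ONLY_SAMPLE = _sample_jwt({
    "aud": GRAPH,
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "roles": ["User.Read.All", "Sites.Read.All"],
})
DELEGATED_SAMPLE = _sample_jwt({
    "aud": GRAPH,
    "scp": "User.Read Sites.Read.All",
    "upn": "user@contoso.example",  # placeholder user
})

if __name__ == "__main__":
    print(client_credentials_body("<client-id>", "<client-secret>"))
    print(ropc_body("<client-id>", "<client-secret>", "<user>", "<password>",
                    ["User.Read", "Sites.Read.All"]))
    for sample in (APP_ONLY_SAMPLE, DELEGATED_SAMPLE):
        print(describe_token(sample))
```

The `describe_token` summary is the check to run on a real response body's `access_token` before wiring it into anything: if `kind` comes back `app-only`, the token grants the application permissions regardless of which user you expected, and SharePoint's per-user restrictions will not apply.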