57

So I have a scenario wherein the application should add users to a group on certain conditions. Also, when the application starts running, users should not be asked to log in with their Microsoft ID/password.

So I access the token I created using the GraphServiceClient object as follows:

    GraphServiceClient graphClient = new GraphServiceClient(
        "https://graph.microsoft.com/v1.0",
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                string clientId = "My APP ID";
                string authorityFormat = "https://login.microsoftonline.com/{0}/v2.0";
                string tenantId = "tenant GUID";
                string[] _scopes = new string[] {
                    "https://graph.microsoft.com/User.ReadBasic.All"
                };
                // Custom Redirect URI assigned in the Application Registration
                // Portal in the native Application Platform
                string redirectUri = "https://localhost:4803/";
                string clientSecret = "App Secret";
                // App-only (client credentials) client: no user signs in
                ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
                    clientId,
                    String.Format(authorityFormat, tenantId),
                    redirectUri,
                    new ClientCredential(clientSecret),
                    null, new TokenCache()
                );
                AuthenticationResult authResult = await daemonClient.AcquireTokenForClientAsync(_scopes);
                string token = authResult.AccessToken;
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }
        )
    );

So I try to execute `var user = await graphClient.Me.Request().GetAsync();`

I get this error:

    AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope user.read is not valid.

I also tried using just `User.ReadBasic` as the scope, but I get the same error.

What am I doing wrong here?

Trevor Reid
sidi shah
  • Are you sure the scope should be `User.ReadBasic.All` and not `User.Read.All`? Make sure you use the right [permission](https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) – mrogal.ski Aug 10 '18 at 08:25
  • I tried User.Read.All and it gave me this error: AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/User.Read.All is not valid. – sidi shah Aug 10 '18 at 08:52
  • Because `graph.microsoft.com/User.Read.All` is in fact invalid. You should use `User.Read.All` – mrogal.ski Aug 10 '18 at 08:54
  • Tried with just "User.Read", but hard luck. Can you have a look at the code for how the GraphServiceClient object is formed? Is there something wrong with the object creation? – sidi shah Aug 10 '18 at 09:33
  • IMHO everything looks fine, but I'm not an expert in this field. Try checking out [examples on GitHub](https://github.com/microsoftgraph/aspnet-connect-rest-sample/blob/master/Microsoft%20Graph%20REST%20ASPNET%20Connect/Microsoft%20Graph%20REST%20ASPNET%20Connect/Helpers/SampleAuthProvider.cs) – mrogal.ski Aug 10 '18 at 09:36

3 Answers

120

You are using the client credential flow here, which means that you cannot dynamically request scopes. You must configure your required permission scopes on your app registration in apps.dev.microsoft.com, then you set the value of scope in your code to https://graph.microsoft.com/.default.

See https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service for more details.

Jason Johnston
2

I recommend using the .default scope.

The .default scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions...

Clients can't combine static (.default) consent and dynamic consent in a single request. So scope=https://graph.microsoft.com/.default Mail.Read results in an error because it combines scope types.

To set your scope variable in C#:

    string[] scope = new string[] {".default"};

To set your scope variable in Java:

    private final List<String> scope = Arrays.asList(".default");

Shoniisra
0

I had copied code from another authorization that was working for a user, not an organization. So I received the error because I had the wrong grant_type.

Make sure yours is "client_credentials"

Mark Monforti
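The three answers describe the same token request, so here is one worked example in Python, added to this page and not taken from the question or any of the answers. It builds the v2.0 client credentials request that `AcquireTokenForClientAsync` sends on the app's behalf, and it checks the three points the answers make: the scope must be `https://graph.microsoft.com/.default` rather than an individual permission (first answer), `.default` cannot be mixed with other scopes in one request (second answer), and `grant_type` must be `client_credentials` (third answer). The tenant id, client id, the `GRAPH_CLIENT_SECRET` environment variable and the `ScopeError` class are my own placeholders and names; nothing here performs a network call.

```python
"""Client-credentials (app-only) token request for Microsoft Graph with scope checks.

Added example; not code from the question or the answers. The tenant id,
client id and secret are placeholders, and no network call is made.
"""
import os
from urllib.parse import parse_qs, urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class ScopeError(ValueError):
    """Raised when a scope list cannot be used with the client credentials grant."""


def normalize_scopes(scopes, resource=GRAPH_RESOURCE):
    """Return the one scope string the v2.0 endpoint accepts for app-only tokens.

    Two rules from the answers above:
      1. The client credentials grant cannot request individual permissions
         (User.Read, User.ReadBasic.All, ...); the scope must be
         '<resource>/.default' and the permissions themselves are configured
         on the app registration.
      2. '.default' cannot be combined with any other scope in one request.
    A bare '.default' is expanded to the Graph resource here as a convenience;
    the documented form is the resource-qualified one.
    """
    cleaned = [s.strip() for s in scopes if s and s.strip()]
    if not cleaned:
        raise ScopeError("scope must not be empty")
    cleaned = [f"{resource}/.default" if s == ".default" else s for s in cleaned]
    if not any(s.endswith("/.default") for s in cleaned):
        raise ScopeError(
            f"client credentials flow needs '{resource}/.default', got {cleaned}; "
            "configure application permissions on the app registration instead"
        )
    if len(cleaned) > 1:
        raise ScopeError(f"cannot combine .default with other scopes: {cleaned}")
    return cleaned[0]


def is_valid_client_credentials_scope(scopes):
    """Boolean wrapper around normalize_scopes for quick checks."""
    try:
        normalize_scopes(scopes)
        return True
    except ScopeError:
        return False


def build_token_request(tenant_id, client_id, client_secret, scopes):
    """Build (url, form_body) for the client credentials grant against the v2.0 endpoint."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": normalize_scopes(scopes),
        "grant_type": "client_credentials",  # the third answer's point
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(body)


def grant_type_of(form_body):
    """Read grant_type back out of an encoded form body (None if absent)."""
    values = parse_qs(form_body).get("grant_type", [])
    return values[0] if values else None


if __name__ == "__main__":
    # Placeholder ids; the secret is read from the environment rather than
    # being written into source as the question's snippet does.
    url, body = build_token_request(
        tenant_id="00000000-0000-0000-0000-000000000000",
        client_id="00000000-0000-0000-0000-000000000001",
        client_secret=os.environ.get("GRAPH_CLIENT_SECRET", "placeholder-secret"),
        scopes=[f"{GRAPH_RESOURCE}/.default"],
    )
    print("POST", url)
    for key, values in parse_qs(body).items():
        print(f"  {key} = {'<redacted>' if key == 'client_secret' else values[0]}")
    # The scopes the question tried are exactly the ones rule 1 rejects
    for bad in (["https://graph.microsoft.com/User.ReadBasic.All"], ["User.Read"]):
        print(bad, "->", is_valid_client_credentials_scope(bad))
```

One consequence worth keeping in mind when switching to this flow: an app-only token carries no signed-in user, so the `/me` request in the question (`graphClient.Me`) has nothing to resolve to; with an app-only token the code addresses users explicitly, for example through the `/users` endpoint, with the permissions granted on the app registration.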