microsoft graph:You cannot perform the requested operation, required scopes are missing in the token

Question

I am calling one Microsoft graph API from my PHP application, API is https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy

my code is like below

$graph = new Graph();
$graph->setAccessToken(session('my_token'));
try{
    $response = $graph->createRequest("GET", "/policies/identitySecurityDefaultsEnforcementPolicy")->execute();
}
catch(Exception $e){
    dd($e);
}
$arr = $response->getBody();
dd($arr);

but it always catches exception and displays the below error

Client error: `GET https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy` resulted in a `403 Forbidden` response:
{"error":{"code":"AccessDenied","message":"You cannot perform the requested operation, required scopes are missing in the token.","innerError":{"date":"2022-11-23T06:47:39","request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497","client-request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497"}}}

all the other Microsoft graph APIs are working well

I have also given permission to Policy.Read.All and granted admin consent to the Microsoft app I am using here for auth.

Update: when I open Microsoft's online token parser https://jwt.ms/ and parsed my token, I see the roles like

"roles": [
"Mail.ReadWrite",
"User.ReadWrite.All",
"SecurityEvents.Read.All",
"Mail.ReadBasic.All",
"Group.Read.All",
"MailboxSettings.Read",
"Group.ReadWrite.All",
"SecurityEvents.ReadWrite.All",
"User.Invite.All",
"Directory.Read.All",
"User.Read.All",
"Domain.Read.All",
"GroupMember.Read.All",
"Mail.Read",
"User.Export.All",
"IdentityRiskyUser.Read.All",
"Mail.Send",
"User.ManageIdentities.All",
"MailboxSettings.ReadWrite",
"Organization.Read.All",
"GroupMember.ReadWrite.All",
"IdentityRiskEvent.Read.All",
"Mail.ReadBasic",
"Reports.Read.All"
]

but not the Policy.Read.All

Update: Getting auth token code is

$guzzle = new \GuzzleHttp\Client();
$url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => env("CLIENT_ID"),
        'client_secret' => env("CLIENT_SECRET"),
        'resource' => 'https://graph.microsoft.com/',
        'grant_type' => 'client_credentials',
    ],
])->getBody()->getContents());
// echo $token->access_token;
Session::put('my_token', $token->access_token);

Are you authenticating as a personal account (e.g. `me@hotmail.com`, `me@outlook.com`), as a work/school account (e.g. `me@mycompany.com`) or as an application (authenticating using app ID/secret)? — Luke, Nov 23 '22 at 12:57
Did the admin grant consent for application or for delegated permission Policy.Read.All? — user2250152, Nov 25 '22 at 13:02
Does ID/Secret authenticate, normally they are required then you have to use oAuth flow still using those to get a Token, so how are you generating your token because your saving it in the session? — Barkermn01, Nov 27 '22 at 14:27
@Barkermn01 Yes, I am using oAuth flow to generate a token. I have just stored the token in session to use it until it expired. — Divyesh Jesadiya, Nov 28 '22 at 06:21
My Point was if your having oAuth Scope Problems (which is what this is) you need to show us the code that requests the scopes, just replace your app keys with `x`'s but we need to see the code that requesting the scopes, to debug why you're not being given the scope your apparently requesting — Barkermn01, Nov 29 '22 at 11:34

score 2 · Accepted Answer · answered Nov 30 '22 at 12:44

When you're requesting the token, you need to supply a scope URL,

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

So as a basic example (this might not give the permission you need) but shows what your missing.

$guzzle = new \GuzzleHttp\Client();
$url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => env("CLIENT_ID"),
        'client_secret' => env("CLIENT_SECRET"),
        'resource' => 'https://graph.microsoft.com/',
        'scope' => 'https://graph.microsoft.com/.default',
        'grant_type' => 'client_credentials',
    ],
])->getBody()->getContents());
// echo $token->access_token;
Session::put('my_token', $token->access_token);

specifically notice that i have added 'scope' => 'https://graph.microsoft.com/.default', to your form params

score 0 · Answer 2 · answered Nov 29 '22 at 04:37

0

Looks like you don't have Policy.Read.All permission , could you please cross check permission through azure portal and provide the required permission and try again.

Thanks

answered Nov 29 '22 at 04:37

vicky kumar

563
3
11

microsoft graph:You cannot perform the requested operation, required scopes are missing in the token

2 Answers2