onedrivemicrosoft-graph-apiazure-ad-graph-api

Graph API: Either scp or roles claim need to be present in the token


I'm attempting to use MS Graph API to get a list of files/folders from OneDrive for Business. I've successfully executed the queries I need in Graph Explorer and am now moving on to implementing in my project.

My app is a Windows service, so I'm acquiring a token using this method

I've successfully retrieved a token, but when I "GET" this URL... //graph.microsoft.com/v1.0/users('someuseraccount')/drive/items/somedriveitem/microsoft.graph.createLink

... I get a response back with the error:

Either scp or roles claim need to be present in the token.

My token response from the server is as follows:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "Directory.AccessAsUser.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.AppFolder Files.ReadWrite.Selected profile Sites.Read.All User.Read",
  "expires_on": "1457343736",
  "not_before": "1457339836",
  "resource": "https://graph.microsoft.com",
  "access_token": "-the token-"
}

Solution

  • It appears that your client application has only requested delegated permissions to Microsoft Graph, whereas application permissions should be requested for the scenario attempted here. Below is an illustration of application permissions section in Azure portal. Please select appropriate permissions needed and retry. application permission illustration