Error when Posting or patching EducationClass with MSGraph
I'm trying to POST or PATCH an education class using Microsoft Graph but always get and error.
Request
https://graph.microsoft.com/V1.0/education/classes
{
"description": "Health Level 1",
"classCode": "Health 501",
"displayName": "Health 1",
"externalId": "11019",
"externalName": "Health Level 1",
"externalSource": "sis",
"mailNickname": "fineartschool.net"
}
Response
{
"code": "AccessDenied",
"message": "Required scp claim values are not provided.",
"innerError": {
"request-id": "e1183015-d942-491a-9949-4aa73bbef893",
"date": "2018-06-21T08:44:35"
}
}
My App has the needed permissions for creating an education class. (for testing, my app has all the application and delegated permissions possible). Posting users, groups etc is no problem.
More specific the needed permission: 
After assigning the permission in the AD portal I did the following:
Get admin consent for the app
https://login.microsoftonline.com/myTenant/adminconsent?client_id=myClientID&redirect_uri=MyRedirectURIGet the authorization code
https://login.microsoftonline.com/myTenant/oauth2/authorize?client_id=myClientID&response_type=code&redirect_uri=MyRedirectURI&response_mode=query&resource=https://graph.microsoft.com/Get the access token
All with success. After getting the Access Token I have the following scopes:
- .....
- EduRoster.Read
- EduRoster.ReadBasic
- EduRoster.ReadWrite
- ...
The Graph documentation says you need the permission Application EduRoster.ReadWrite.All
Also tested a POST and PATCH in Graph Explorer but get the same response.
This API requires "Application" rather than "Delegated" scopes. As you mentioned, it specifically requires the EduRoster.ReadWrite.All scope.
Which scopes get applied to a token depends entirely on which OAuth Grant you used to obtain the token:
- Authorization Code Grant = Delegated
- Implicit Grants = Delegated
- Client Credentials Grant = Application
The reason you're not getting this scope in your Access Token is that you're using the Authorization Code grant (response_type=code) which will always result in Delegated scopes getting assigned.
In order to make this call, you'll need to obtain a token using the Client Credentials grant.
You might also find this article helpful (full disclosure, I am the author): Application vs Delegated Scopes.
- How to embed Image inline in Email Body using Microsoft Graph
- C# Graph api SDK V5 - Add User to multiple Groups
- How to create chart in power apps which shows number of post done by team member in teams channel?
- Why must "force_change_password_next_sign_in" be set to false for MS External ID Local Accounts?
- Ordering Microsoft Graph API Messages by hasAttachments with External Email Filters Causes "InefficientFilter" Error
- MS Graph Subscription for Event Grid is failing with 400 Invalid Request
- Implementing SSO for Azure AD B2C
- Implementing Microsoft SSO with passport-azure-ad and without msal
- S/MIME Email Sent via Python and Microsoft Graph Works in Gmail but Not in Outlook
- File upload to SharePoint is not working and is not throwing any errors
- Is it possible to manually construct a skiptoken to paginate search results in Microsoft Graph API?
- How to setup Microsoft authentication in a django based project
- Graph JSON response seldom contains raw HTML
- Microsoft Graph API: How to get url for Task in Planner?
- How to Use MS Graph Beta API for Recalling Sent Emails?
- Java - ODataError "The mailbox is either inactive, soft-deleted, or is hosted on-premise."
- How to subscribe to updates to the root drive of a SharePoint Site using Microsoft Graph
- How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer
- How to create event by MS Graph with room as location?
- GraphServiceClient filter issue
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Upload drive files via MS Graph API
- how to list ExternalItems from a graph-connector
- Retrieve all Users from all Groups?
- Microsoft Graph SDK v5.61 : Ordering Mail List by Size
- How to access response header in Graph v5.0 SDK?
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Unable to call Graph API using an on-behalf-of flow from ASP.NET Core Web API
- Access Microsoft Todo List via Rest API
- SharePoint REST API returns invalidRequest apiNotFound when registering Container Type