Assigning app role to Partner Center consented application not available in access token's scope
I am currently creating an integration with Microsoft Partner Center utilizing GDAP.
The current flow I have is:
- An admin (either Global Admin, Cloud Apps Administrator, or Application Admin) consents to a basic application (scopes include
DelegatedAdminRelationship.Read.Alland Partner Center'suser_impersonation) - Using the refresh token from the consent, obtain an access token to the Partner Center API and perform an admin consent for each of the delegated tenant relationships. This consent includes basic scopes for the Graph API like
Directory.Read.All,UserAuthenticationMethod.Read.All, etc.
The problem lies herein that the admin consents are delegated permissions. I need an application permission for the MailboxSettings.Read scope in order to determine if an inbox is shared.
I understand the flow would be something like:
- Grant delegated permission via admin consent like above
- Assign app roles to the service principal that gets installed from the consent
- Obtain new access token and perform operations as needed
The app roles are being added correctly via the following
POST https://graph.microsoft.com/v1.0/servicePrincipals/:spId/appRoleAssignedTo
{
"principalId":"a-b-c-d", // My app's service principal in the tenant
"resourceId":"e-f-g-h", // Microsoft Graph's service principal in the tenant
"appRoleId":"40f97065-369a-49f4-947c-6a255697ae91" // this is MailboxSettings.Read
}
I can see them in the tenant's Azure 
However, when I obtain the new access token (by using a refresh token) those added app roles are not in list of scopes, just the delegated permissions. So that token does not let me read mailbox settings as example:
{
"error": {
"code": "NoUserFoundWithGivenClaims",
"message": "The user specified by the user-context in the token does not exist.",
"innerError": {
"oAuthEventOperationId": "--",
"oAuthEventcV": "--",
"errorUrl": "https://aka.ms/autherrors#error-InvalidUser",
"requestId": "--",
"date": "2024-01-11T18:15:50"
}
}
}
What am I missing?
Immediately after posting this I figured out the solution. If you are using grant_type: refresh_token to obtain your access token, this will only ever return delegated permissions. In order to use my app roles (application permissions) I needed to use grant_type: client_credentials.
Note: client_credentials access token will only return application permissions. So to effectively use both sets of permissions you will either need two access tokens, or use app roles for all the permissions. I went with the former so ensure I only use the scopes when needed.
- Microsoft Graph API: 'ItemNotFound' Error When Accessing Excel File in OneDrive with Python in personal account
- Microsoft Graph API - error on getting shares
- Unable to Retrieve Hidden MailFolders (isHidden = true) with Microsoft Graph API
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to use OdataNextLink in Microsoft Graph API Beta 5
- MSgraph Java SDK, retrieve well-know folder
- How to send email from any one email using Microsoft Graph
- How to read S/MIME mails and their attachements
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
- HTTP request to update Service Principal Entra
- MSGraph Query Not returning group info
- How to move a Mail with the Microsoft Graph API after sending it
- How can my registered app get Microsoft Graph access for SharePoint file of a different organization?
- Could not obtain a WAC Access Token while trying to access excel file on SharePoint
- How can I filter via Get-MgAuditLogDirectoryAudit (through the Microsoft Entra Audit Logs) for a specific IP address?
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- How to get all the files in OneDrive account using the graph SDK?
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- DelegateAuthenticationProvider not found after updating Microsoft Graph
- How to register multiple GraphServiceClient instances with different configurations in ASP.NET Core DI?
- I have try to create event in microsoft outlook calendar but coming error Access token validation failure. Invalid audience
- Microsoft Graph API: Create subscription - Exception: [Status Code: Unauthorized] [Go]
- Microsoft App Registration - how to create meetings using OnlineMeetings.ReadWrite.All within an application context and not a user context?
- Using the Microsoft Graph API to load files from Sharepoint into Databricks
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Is there a Graph API resource type for all managed app?