AADSTS70011: The provided value for the input parameter 'scope' is not valid

sidi shah · Aug 10, 2018

So I have a scenario wherein the application should add users to a group under certain conditions. Also, when the application starts running, users should not be asked to log in with their Microsoft id/pwd.

So I access the token I created using the Graph Service Client object as follows:

    GraphServiceClient graphClient = new GraphServiceClient(
        "https://graph.microsoft.com/v1.0", 
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                string clientId = "My APP ID";
                string authorityFormat = "https://login.microsoftonline.com/{0}/v2.0";
                string tenantId = "tenant GUID";
                string[] _scopes = new string[] { 
                    "https://graph.microsoft.com/User.ReadBasic.All" 
                };
                // Custom Redirect URI assigned in the Application Registration 
                // Portal in the native Application Platform
                string redirectUri = "https://localhost:4803/"; 
                string clientSecret = "App Secret";
                ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
                    clientId, 
                    String.Format(authorityFormat, tenantId), 
                    redirectUri, 
                    new ClientCredential(clientSecret), 
                    null, new TokenCache()
                );
                AuthenticationResult authResult = await daemonClient.AcquireTokenForClientAsync(_scopes);
                string token = authResult.AccessToken;
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }
        )
    );

So I try to execute var user = await graphClient.Me.Request().GetAsync();

I get this error:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope user.read is not valid.

I also tried using just User.ReadBasic as scope, but get the same error.

What am I doing wrong here?

Answer

Jason Johnston · Aug 10, 2018

You are using the client credential flow here, which means that you cannot dynamically request scopes. You must configure your required permission scopes on your app registration in apps.dev.microsoft.com, then you set the value of scope in your code to https://graph.microsoft.com/.default.

See https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service for more details.
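The corrected setup from the answer, written out as an added example (not code from the question, the answer, or the Graph SDK project). It keeps the same MSAL ConfidentialClientApplication constructor and AcquireTokenForClientAsync call the question uses, swaps the scope for https://graph.microsoft.com/.default, and reads the secret from an environment variable instead of a string literal. The AddUserToGroupAsync helper, its parameter names and the placeholder ids are assumptions; it also assumes the GroupMember.ReadWrite.All application permission has been added to the app registration and admin-consented, since /.default only returns permissions that are already granted there.

```csharp
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class GraphAppOnlyClient
{
    // The client credentials grant cannot request individual scopes at run time.
    // "/.default" asks the token endpoint for every application permission that is
    // configured and admin-consented on the app registration (this is what AADSTS70011
    // is complaining about when a concrete scope such as User.Read is sent instead).
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static GraphServiceClient Create(string clientId, string tenantId, string clientSecret)
    {
        string authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

        // Same MSAL constructor as in the question. The redirect URI plays no role in the
        // client-credential grant, but this constructor overload requires a value.
        var app = new ConfidentialClientApplication(
            clientId,
            authority,
            "https://localhost:4803/",
            new ClientCredential(clientSecret),
            null,              // no user token cache: there is no signed-in user
            new TokenCache()); // app token cache, so the secret is not sent on every Graph call

        return new GraphServiceClient(
            "https://graph.microsoft.com/v1.0",
            new DelegateAuthenticationProvider(async requestMessage =>
            {
                // MSAL serves this from its cache until the app token is close to expiry.
                AuthenticationResult result = await app.AcquireTokenForClientAsync(Scopes);
                requestMessage.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", result.AccessToken);
            }));
    }

    // Assumed helper for the question's scenario (app adds a user to a group without sign-in).
    public static async Task AddUserToGroupAsync(GraphServiceClient graphClient, string userId, string groupId)
    {
        // An app-only token carries no signed-in user, so graphClient.Me is not valid here;
        // address directory objects by id (or UPN) instead.
        User user = await graphClient.Users[userId].Request().GetAsync();

        // Needs the GroupMember.ReadWrite.All application permission on the registration.
        await graphClient.Groups[groupId].Members.References.Request().AddAsync(user);
    }
}

// Usage with constructed placeholder ids; the secret comes from the environment, not source code:
// var graphClient = GraphAppOnlyClient.Create(
//     clientId:     "00000000-0000-0000-0000-000000000000",
//     tenantId:     "11111111-1111-1111-1111-111111111111",
//     clientSecret: Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET"));
// await GraphAppOnlyClient.AddUserToGroupAsync(graphClient, "<user-object-id>", "<group-object-id>");
```

Two points worth checking when this still fails after the scope change: the permissions listed on the registration must be application permissions (not delegated ones), and an admin must have granted consent for them in the tenant, otherwise the /.default token is issued with an empty roles claim and Graph returns 403 rather than AADSTS70011.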