AADSTS70011: The provided value for the input parameter 'scope' is not valid

You are using the client credential flow here, which means that you cannot dynamically request scopes. You must configure your required permission scopes on your app registration in apps.dev.microsoft.com, then you set the value of scope in your code to https://graph.microsoft.com/.default.

See https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service for more details.
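The corrected client-credential setup described in the answer, as an added example that is not part of the original question or answer: it uses the MSAL.NET 4.x `ConfidentialClientApplicationBuilder` and the Microsoft.Graph 4.x `GraphServiceClient` with `DelegateAuthenticationProvider`, and the tenant ID, app ID and secret are assumed placeholders. The wrong scope from the question is kept beside the `.default` scope so the difference is visible.

```csharp
// Added example, not code from the original question or answer.
// Assumes MSAL.NET 4.x (Microsoft.Identity.Client) and Microsoft.Graph 4.x.
// Placeholders: tenantId, clientId, clientSecret. The application permissions
// the daemon needs (for example GroupMember.ReadWrite.All) must be added on the
// app registration and admin-consented; they cannot be requested at runtime.
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class GraphDaemon
{
    // Wrong for the client credential flow (this is what triggers AADSTS70011):
    // a specific permission name, which only delegated flows may request dynamically.
    // string[] scopes = { "https://graph.microsoft.com/User.ReadBasic.All" };

    // Right: the static ".default" scope for the Graph resource. The token then
    // carries every application permission already consented to on the registration.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static GraphServiceClient Create(string tenantId, string clientId, string clientSecret)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret) // a certificate credential is preferable in production
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}/v2.0"))
            .Build();

        return new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
        {
            // MSAL caches the app-only token and re-acquires it when it expires.
            AuthenticationResult result = await app.AcquireTokenForClient(Scopes).ExecuteAsync();
            requestMessage.Headers.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
    }

    public static async Task Main()
    {
        GraphServiceClient graphClient = Create("<tenant GUID>", "<app ID>", "<app secret>");

        // An app-only token has no signed-in user, so /me is not available;
        // address directory objects explicitly instead.
        var users = await graphClient.Users.Request().Top(5).GetAsync();
        foreach (User u in users)
            Console.WriteLine($"{u.DisplayName} ({u.Id})");
    }
}
```

For a custom API rather than Microsoft Graph, the only change is the scope string: the resource's application ID URI followed by `/.default`, as the comment below notes.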

Author: sidi shah

Updated on May 26, 2021

Comments

  • sidi shah (almost 3 years)

    So I have a scenario wherein the application should add users to a group on certain conditions. Also when the application starts running users should not be asked to login their microsoft id/pwd.

    So I access the token I created using Graph Service Client object as follows:

        using System;
        using System.Net.Http.Headers;
        using Microsoft.Graph;
        using Microsoft.Identity.Client;

        GraphServiceClient graphClient = new GraphServiceClient(
            "https://graph.microsoft.com/v1.0",
            new DelegateAuthenticationProvider(
                async (requestMessage) =>
                {
                    string clientId = "My APP ID";
                    string authorityFormat = "https://login.microsoftonline.com/{0}/v2.0";
                    string tenantId = "tenant GUID";
                    // Scope passed to the client credential token request
                    string[] _scopes = new string[] {
                        "https://graph.microsoft.com/User.ReadBasic.All"
                    };
                    // Custom Redirect URI assigned in the Application Registration
                    // Portal in the native Application Platform
                    string redirectUri = "https://localhost:4803/";
                    string clientSecret = "App Secret";
                    ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
                        clientId,
                        String.Format(authorityFormat, tenantId),
                        redirectUri,
                        new ClientCredential(clientSecret),
                        null, new TokenCache()
                    );
                    // App-only token for the daemon (no signed-in user)
                    AuthenticationResult authResult = await daemonClient.AcquireTokenForClientAsync(_scopes);
                    string token = authResult.AccessToken;
                    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
                }
            )
        );
    

    So I try to execute var user = await graphClient.Me.Request().GetAsync();

    I get this error:

    AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope user.read is not valid.

    I also tried using just User.ReadBasic as scope, but get the same error.

    What am I doing wrong here?

  • Eric Eskildsen (about 4 years)
    If you're using a different API, replace everything before .default with its scheme and GUID: api://11111111-2222-3333-4444-555555555555/.default
  • Cheeso (over 3 years)
    OK, that's pretty obscure. Thank you Eric. Have you got a source for that information?
  • Benjamin De Clercq (over 3 years)