Azure – Graph API failure in fetching sites

The error "AccessDenied, Either scp or roles claim need to be present in the token" usually occurs if the access token doesn’t contain any scope or claims to perform the action.

Note that: If you are using Client Credential flow, then grant application API permissions. If you are using interactive flow, then make use of delegated API permissions to generate the access token.

I created an Azure AD application and granted API permissions same as you:

Generated access token using Client credential flow by using below parameters via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials

Make sure to decode the access token in jwt.ms and check if the roles or scopes are present:

By using the above access token, I am able to fetch the sites successfully:

GET https://graph.microsoft.com/v1.0/sites

If still the issue persists, check the below:

• Make sure to grant admin consent to the API permissions.
• Make sure that the roles or scopes are present in the access token by decoding it.
• Creating a new secret and passing it to generate access token is normal and doesn’t cause an error.
• Try generating the access token again and check.
• Make sure the access token is not expired.