
I am calling one Microsoft Graph API from my PHP application; the API is https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy

My code is like below:

$graph = new Graph();
$graph->setAccessToken(session('my_token'));
try{
    // the SDK sends this to its v1.0 base URL, as the error below shows
    $response = $graph->createRequest("GET", "/policies/identitySecurityDefaultsEnforcementPolicy")->execute();
}
catch(Exception $e){
    dd($e);   // dumps the exception and halts
}
$arr = $response->getBody();
dd($arr);

but it always catches an exception and displays the error below:

Client error: `GET https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy` resulted in a `403 Forbidden` response:
{"error":{"code":"AccessDenied","message":"You cannot perform the requested operation, required scopes are missing in the token.","innerError":{"date":"2022-11-23T06:47:39","request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497","client-request-id":"9a4573c7-fd72-44ae-8ac6-8e4589cf1497"}}}

All the other Microsoft Graph APIs are working well.

I have also granted the Policy.Read.All permission and admin consent to the Microsoft app I am using here for auth.

Update: when I open Microsoft's online token parser https://jwt.ms/ and parse my token, I see roles like:

"roles": [
"Mail.ReadWrite",
"User.ReadWrite.All",
"SecurityEvents.Read.All",
"Mail.ReadBasic.All",
"Group.Read.All",
"MailboxSettings.Read",
"Group.ReadWrite.All",
"SecurityEvents.ReadWrite.All",
"User.Invite.All",
"Directory.Read.All",
"User.Read.All",
"Domain.Read.All",
"GroupMember.Read.All",
"Mail.Read",
"User.Export.All",
"IdentityRiskyUser.Read.All",
"Mail.Send",
"User.ManageIdentities.All",
"MailboxSettings.ReadWrite",
"Organization.Read.All",
"GroupMember.ReadWrite.All",
"IdentityRiskEvent.Read.All",
"Mail.ReadBasic",
"Reports.Read.All"
]

but not Policy.Read.All.

Update: my code for getting the auth token is:

$guzzle = new GuzzleHttp\Client();
// v1 token endpoint: the target API is passed as 'resource', no 'scope' is sent
$url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
$token = json_decode($guzzle->post($url, [
    'form_params' => [
        'client_id' => env("CLIENT_ID"),
        'client_secret' => env("CLIENT_SECRET"),
        'resource' => 'https://graph.microsoft.com/',
        'grant_type' => 'client_credentials',
    ],
])->getBody()->getContents());
// echo $token->access_token;
Session::put('my_token', $token->access_token);

2 Answers


  1. Looks like you don't have the Policy.Read.All permission; could you please cross-check the permissions through the Azure portal, provide the required permission and try again.

    Thanks

  2. When you're requesting the token, you need to supply a scope URL:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

    So as a basic example (this might not give the permission you need), but it shows what you're missing:

    $guzzle = new GuzzleHttp\Client();
    $url = 'https://login.microsoftonline.com/'.env("TANANT_ID").'/oauth2/token?api-version=beta';
    $token = json_decode($guzzle->post($url, [
        'form_params' => [
            'client_id' => env("CLIENT_ID"),
            'client_secret' => env("CLIENT_SECRET"),
            'resource' => 'https://graph.microsoft.com/',
            'scope' => 'https://graph.microsoft.com/.default',   // added: request all consented app permissions
            'grant_type' => 'client_credentials',
        ],
    ])->getBody()->getContents());
    // echo $token->access_token;
    Session::put('my_token', $token->access_token);

    Specifically, notice that I have added
    'scope' => 'https://graph.microsoft.com/.default', to your form params.

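An added example, not code from the question or either answer, that turns the manual jwt.ms inspection into a pre-flight check: it requests an app-only token from the v2.0 endpoint using the `.default` scope from the linked document, decodes the token's `roles` claim locally, and stops before calling Graph when Policy.Read.All is absent. The environment variable names TENANT_ID, CLIENT_ID and CLIENT_SECRET and the helper function names are my own assumptions.

```php
<?php
// Added example (not the question's or answers' code): decode the app-only
// token's "roles" claim locally and refuse to call Graph when the needed
// application permission is missing. Assumes Guzzle via Composer and
// TENANT_ID, CLIENT_ID and CLIENT_SECRET in the environment.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

// Decode one base64url JWT segment; JWTs omit the '=' padding, so restore it.
function b64urlDecode(string $s): string
{
    $s = strtr($s, '-_', '+/');
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode($s, true) ?: '';
}

// Return the "roles" claim (application permissions) of an access token.
// This parses the payload only and does not validate the signature, so it
// is a diagnostic, not an authorization check; Graph validates server-side.
function tokenRoles(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return [];
    }
    $claims = json_decode(b64urlDecode($parts[1]), true);
    return is_array($claims['roles'] ?? null) ? $claims['roles'] : [];
}

// Request an app-only token from the v2.0 endpoint, where the target API is
// given as scope=<resource>/.default rather than the v1 "resource" parameter.
function fetchAppToken(Client $http): string
{
    $url = 'https://login.microsoftonline.com/' . getenv('TENANT_ID') . '/oauth2/v2.0/token';
    $json = $http->post($url, ['form_params' => [
        'client_id'     => getenv('CLIENT_ID'),
        'client_secret' => getenv('CLIENT_SECRET'),
        'scope'         => 'https://graph.microsoft.com/.default',
        'grant_type'    => 'client_credentials',
    ]])->getBody()->getContents();
    return json_decode($json, true)['access_token'];
}

$token  = fetchAppToken(new Client());
$needed = 'Policy.Read.All';
if (!in_array($needed, tokenRoles($token), true)) {
    fwrite(STDERR, "token lacks $needed: grant it on the app registration, admin-consent it, then request a fresh token\n");
    exit(1);
}
```

A token issued before consent was granted keeps its old roles until it expires, so after changing permissions always request a new token rather than reusing the one stored in the session.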