Graph API: Either scp or roles claim need to be present in the token

Question

I'm attempting to use MS Graph API to get a list of files/folders from OneDrive for Business. I've successfully executed the queries I need in Graph Explorer and am now moving on to implementing in my project.

My app is a Windows service, so I'm acquiring a token using this method

I've successfully retrieved a token, but when I "GET" this URL... //graph.microsoft.com/v1.0/users('someuseraccount')/drive/items/somedriveitem/microsoft.graph.createLink

... I get a response back with the error:

Either scp or roles claim need to be present in the token.

My token response from the server is as follows:

{
  "token_type": "Bearer",
  "expires_in": "3600",
  "scope": "Directory.AccessAsUser.All Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.AppFolder Files.ReadWrite.Selected profile Sites.Read.All User.Read",
  "expires_on": "1457343736",
  "not_before": "1457339836",
  "resource": "https://graph.microsoft.com",
  "access_token": "-the token-"
}

Could you please provide request-id and timestamp of your call? — Marek Rycharski
@baparks Could you please show a screenshot of the permissions you added for this to work? AFAIK, the files etc can only be accessed using DELEGATED permissions and not APPLICATION permissions. — Syed Mauze Rehan

Sriram Dhanasekaran-MSFT Sriram Dhanasekaran-MSFT · Accepted Answer · 2016-03-08T06:19:18

It appears that your client application has only requested delegated permissions to Microsoft Graph, whereas application permissions should be requested for the scenario attempted here. Below is an illustration of application permissions section in Azure portal. Please select appropriate permissions needed and retry.

Graph API: Either scp or roles claim need to be present in the token

1 Answers