1
votes

Hi all, I'm trying to connect to Microsoft Graph API through PowerShell. I'm using a scope, and everything seems fine, even Fiddler shows the correct scopes, yet I get all scopes in my token.

I use the MSAL assembly: Microsoft.Identity.Client.dll

Script I run:

Add-Type -Path ".\Microsoft.Identity.Client.dll"   # load the MSAL assembly first (path assumed)

$ApplicationID = "XXXXXX"
$Tenant        = "XXXXXX"
$RedirectUri   = "XXXXXX//:auth"
$global:Scope  = [string[]]@("https://graph.microsoft.com/User.Read")   # the scope shown in Fiddler below

$Builder  = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ApplicationID).WithTenantId($Tenant).WithRedirectUri($RedirectUri).Build()
$Delegate = $Builder.AcquireTokenInteractive($global:Scope).ExecuteAsync()   # returns a Task; .Result blocks until the token is back

Fiddler shows this as scope: https://graph.microsoft.com/User.Read openid profile offline_access

Yet all of the default scopes are in my token:

$Delegate.result.scopes
email
openid
profile
https://graph.microsoft.com/AccessReview.Read.All
https://graph.microsoft.com/AccessReview.ReadWrite.All
https://graph.microsoft.com/AccessReview.ReadWrite.Membership
https://graph.microsoft.com/AdministrativeUnit.Read.All
https://graph.microsoft.com/AdministrativeUnit.ReadWrite.All
https://graph.microsoft.com/Analytics.Read
https://graph.microsoft.com/Application.Read.All
https://graph.microsoft.com/Application.ReadWrite.All
https://graph.microsoft.com/AppRoleAssignment.ReadWrite.All
https://graph.microsoft.com/AuditLog.Read.All
https://graph.microsoft.com/Calendars.Read
https://graph.microsoft.com/Calendars.Read.Shared
https://graph.microsoft.com/Calendars.ReadWrite
https://graph.microsoft.com/Calendars.ReadWrite.Shared
https://graph.microsoft.com/Channel.Create
https://graph.microsoft.com/Channel.Delete.All
https://graph.microsoft.com/Channel.ReadBasic.All
https://graph.microsoft.com/ChannelMember.Read.All
https://graph.microsoft.com/ChannelMember.ReadWrite.All
https://graph.microsoft.com/ChannelMessage.Delete
https://graph.microsoft.com/ChannelMessage.Edit
https://graph.microsoft.com/ChannelMessage.Read.All
https://graph.microsoft.com/ChannelMessage.Send
https://graph.microsoft.com/ChannelSettings.Read.All
https://graph.microsoft.com/ChannelSettings.ReadWrite.All
https://graph.microsoft.com/Chat.Read
https://graph.microsoft.com/Chat.ReadBasic
https://graph.microsoft.com/Chat.ReadWrite
https://graph.microsoft.com/ChatMessage.Send
https://graph.microsoft.com/Contacts.Read
https://graph.microsoft.com/Contacts.Read.Shared
https://graph.microsoft.com/Contacts.ReadWrite
https://graph.microsoft.com/Contacts.ReadWrite.Shared
https://graph.microsoft.com/DelegatedPermissionGrant.ReadWrite.All
https://graph.microsoft.com/Device.Command
https://graph.microsoft.com/Device.Read
https://graph.microsoft.com/Device.Read.All
https://graph.microsoft.com/DeviceManagementApps.Read.All
https://graph.microsoft.com/DeviceManagementApps.ReadWrite.All
https://graph.microsoft.com/DeviceManagementConfiguration.Read.All
https://graph.microsoft.com/DeviceManagementConfiguration.ReadWrite.All
https://graph.microsoft.com/DeviceManagementManagedDevices.Read.All
https://graph.microsoft.com/DeviceManagementManagedDevices.ReadWrite.All
https://graph.microsoft.com/DeviceManagementRBAC.Read.All
https://graph.microsoft.com/DeviceManagementRBAC.ReadWrite.All
https://graph.microsoft.com/DeviceManagementServiceConfig.Read.All
https://graph.microsoft.com/DeviceManagementServiceConfig.ReadWrite.All
https://graph.microsoft.com/Directory.AccessAsUser.All
https://graph.microsoft.com/Directory.Read.All
https://graph.microsoft.com/Directory.ReadWrite.All
https://graph.microsoft.com/Domain.Read.All
https://graph.microsoft.com/Domain.ReadWrite.All
https://graph.microsoft.com/EAS.AccessAsUser.All
https://graph.microsoft.com/EWS.AccessAsUser.All
https://graph.microsoft.com/Files.Read
https://graph.microsoft.com/Files.Read.All
https://graph.microsoft.com/Files.Read.Selected
https://graph.microsoft.com/Files.ReadWrite
https://graph.microsoft.com/Files.ReadWrite.All
https://graph.microsoft.com/Files.ReadWrite.AppFolder
https://graph.microsoft.com/Files.ReadWrite.Selected
https://graph.microsoft.com/Group.Read.All
https://graph.microsoft.com/Group.ReadWrite.All
https://graph.microsoft.com/GroupMember.Read.All
https://graph.microsoft.com/GroupMember.ReadWrite.All
https://graph.microsoft.com/IdentityProvider.Read.All
https://graph.microsoft.com/IdentityProvider.ReadWrite.All
https://graph.microsoft.com/IdentityRiskEvent.Read.All
https://graph.microsoft.com/IdentityRiskEvent.ReadWrite.All
https://graph.microsoft.com/IdentityRiskyUser.Read.All
https://graph.microsoft.com/IdentityRiskyUser.ReadWrite.All
https://graph.microsoft.com/IdentityUserFlow.Read.All
https://graph.microsoft.com/IdentityUserFlow.ReadWrite.All
https://graph.microsoft.com/IMAP.AccessAsUser.All
https://graph.microsoft.com/InformationProtectionPolicy.Read
https://graph.microsoft.com/Mail.Read
https://graph.microsoft.com/Mail.Read.Shared
https://graph.microsoft.com/Mail.ReadBasic
https://graph.microsoft.com/Mail.ReadWrite
https://graph.microsoft.com/Mail.ReadWrite.Shared
https://graph.microsoft.com/Mail.Send
https://graph.microsoft.com/Mail.Send.Shared
https://graph.microsoft.com/MailboxSettings.Read
https://graph.microsoft.com/MailboxSettings.ReadWrite
https://graph.microsoft.com/Member.Read.Hidden
https://graph.microsoft.com/OnPremisesPublishingProfiles.ReadWrite.All
https://graph.microsoft.com/Organization.Read.All
https://graph.microsoft.com/Organization.ReadWrite.All
https://graph.microsoft.com/OrgContact.Read.All
https://graph.microsoft.com/Place.Read.All
https://graph.microsoft.com/Policy.Read.All
https://graph.microsoft.com/Policy.Read.ConditionalAccess
https://graph.microsoft.com/Policy.Read.PermissionGrant
https://graph.microsoft.com/Policy.ReadWrite.ApplicationConfiguration
https://graph.microsoft.com/Policy.ReadWrite.AuthenticationFlows
https://graph.microsoft.com/Policy.ReadWrite.AuthenticationMethod
https://graph.microsoft.com/Policy.ReadWrite.Authorization
https://graph.microsoft.com/Policy.ReadWrite.ConditionalAccess
https://graph.microsoft.com/Policy.ReadWrite.ConsentRequest
https://graph.microsoft.com/Policy.ReadWrite.DeviceConfiguration
https://graph.microsoft.com/Policy.ReadWrite.FeatureRollout
https://graph.microsoft.com/Policy.ReadWrite.PermissionGrant
https://graph.microsoft.com/Policy.ReadWrite.TrustFramework
https://graph.microsoft.com/PrivilegedAccess.Read.AzureAD
https://graph.microsoft.com/PrivilegedAccess.Read.AzureADGroup
https://graph.microsoft.com/PrivilegedAccess.Read.AzureResources
https://graph.microsoft.com/PrivilegedAccess.ReadWrite.AzureAD
https://graph.microsoft.com/PrivilegedAccess.ReadWrite.AzureADGroup
https://graph.microsoft.com/PrivilegedAccess.ReadWrite.AzureResources
https://graph.microsoft.com/ProgramControl.Read.All
https://graph.microsoft.com/ProgramControl.ReadWrite.All
https://graph.microsoft.com/Reports.Read.All
https://graph.microsoft.com/RoleManagement.Read.All
https://graph.microsoft.com/RoleManagement.Read.Directory
https://graph.microsoft.com/RoleManagement.ReadWrite.Directory
https://graph.microsoft.com/SecurityEvents.Read.All
https://graph.microsoft.com/ServiceHealth.Read.All
https://graph.microsoft.com/ServiceMessage.Read.All
https://graph.microsoft.com/Sites.FullControl.All
https://graph.microsoft.com/Sites.Manage.All
https://graph.microsoft.com/Sites.Read.All
https://graph.microsoft.com/Sites.ReadWrite.All
https://graph.microsoft.com/SMTP.Send
https://graph.microsoft.com/Subscription.Read.All
https://graph.microsoft.com/Team.Create
https://graph.microsoft.com/Team.ReadBasic.All
https://graph.microsoft.com/TeamMember.Read.All
https://graph.microsoft.com/TeamMember.ReadWrite.All
https://graph.microsoft.com/TeamMember.ReadWriteNonOwnerRole.All
https://graph.microsoft.com/TeamsTab.ReadWrite.All
https://graph.microsoft.com/TermStore.Read.All
https://graph.microsoft.com/TermStore.ReadWrite.All
https://graph.microsoft.com/ThreatAssessment.ReadWrite.All
https://graph.microsoft.com/ThreatIndicators.Read.All
https://graph.microsoft.com/ThreatIndicators.ReadWrite.OwnedBy
https://graph.microsoft.com/TrustFrameworkKeySet.Read.All
https://graph.microsoft.com/TrustFrameworkKeySet.ReadWrite.All
https://graph.microsoft.com/User.Export.All
https://graph.microsoft.com/User.Invite.All
https://graph.microsoft.com/User.ManageIdentities.All
https://graph.microsoft.com/User.Read
https://graph.microsoft.com/User.Read.All
https://graph.microsoft.com/User.ReadBasic.All
https://graph.microsoft.com/User.ReadWrite
https://graph.microsoft.com/User.ReadWrite.All
https://graph.microsoft.com/UserActivity.ReadWrite.CreatedByApp
https://graph.microsoft.com/UserAuthenticationMethod.Read
https://graph.microsoft.com/UserAuthenticationMethod.Read.All
https://graph.microsoft.com/UserAuthenticationMethod.ReadWrite
https://graph.microsoft.com/UserAuthenticationMethod.ReadWrite.All

It looks like it still loads the .default scopes. Don't worry, it's a test env ;-).

Is it because of one of these in the scope? email openid profile

1
Following your script with a fresh app registration, the scopes I received were email, openid, profile, and user.read. The first two things I'm curious about are the version of Microsoft.Identity.Client.dll you are using and what, if any, delegated permissions the app registration has. – SamaraSoucy

1 Answer

0
votes

This is by design: to prevent extra calls to the server on incremental consent, AAD returns all consented scopes in the response (for that resource).
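Taking the answer's point one step further: since the token carries every delegated permission already consented for the resource, the useful check is to compare what the token actually contains against what the script needs, and to treat any surplus as consent to trim on the app registration (the point SamaraSoucy's comment is driving at). The following is an added PowerShell example, not the asker's script and not MSAL sample code. It assumes Microsoft.Identity.Client.dll sits next to the script, uses a loopback redirect URI, and the three placeholder values must be replaced with your own test registration's; the functions ConvertFrom-JwtPayload and Get-ExcessScopes are invented here for the example.

```powershell
# Added diagnostic example; not the asker's script and not MSAL sample code.
# Assumptions: Microsoft.Identity.Client.dll sits next to this script, and the three
# placeholders below are replaced with values from your own (test) app registration.
Add-Type -Path (Join-Path $PSScriptRoot 'Microsoft.Identity.Client.dll')

$ClientId    = '<application-id-placeholder>'
$TenantId    = '<tenant-id-placeholder>'
$RedirectUri = 'http://localhost'   # assumption: a loopback redirect registered on the app

# The only delegated permission this script needs. Requesting more than this drives
# consent prompts; the token may still carry everything already consented for Graph.
$NeededScopes = [string[]]@('https://graph.microsoft.com/User.Read')

# OIDC scopes MSAL adds on its own; they are not Graph permissions, so ignore them below.
$OidcScopes = @('openid', 'profile', 'email', 'offline_access')

function ConvertFrom-JwtPayload {
    # Decode the (unverified) payload segment of a JWT. Diagnostic use only: a client is
    # not the intended audience of a Graph access token and must not act on its claims.
    param([Parameter(Mandatory)][string]$Token)
    $Parts = $Token.Split('.')
    if ($Parts.Count -lt 2) { throw 'Token is not in JWT format' }
    $B64 = $Parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($B64.Length % 4) { 2 { $B64 += '==' } 3 { $B64 += '=' } }
    $Json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($B64))
    return $Json | ConvertFrom-Json
}

function Get-ExcessScopes {
    # Return the Graph permissions present in the token that the script never asked for.
    param([string[]]$Granted, [string[]]$Needed, [string[]]$Ignore)
    $NeededShort = $Needed | ForEach-Object { $_.Split('/')[-1] }
    return @($Granted | Where-Object { ($_ -notin $NeededShort) -and ($_ -notin $Ignore) })
}

$App = [Microsoft.Identity.Client.PublicClientApplicationBuilder]::Create($ClientId).WithTenantId($TenantId).WithRedirectUri($RedirectUri).Build()
$Result = $App.AcquireTokenInteractive($NeededScopes).ExecuteAsync().GetAwaiter().GetResult()

# Prefer the scp claim from the token itself; fall back to what MSAL reports if the
# token is not a decodable JWT.
$Claims = $null
try { $Claims = ConvertFrom-JwtPayload -Token $Result.AccessToken } catch { }
if ($Claims -and $Claims.scp) {
    $Granted = [string[]]($Claims.scp -split ' ')
} else {
    $Granted = [string[]]($Result.Scopes | ForEach-Object { $_.Split('/')[-1] })
}

$Excess = Get-ExcessScopes -Granted $Granted -Needed $NeededScopes -Ignore $OidcScopes
if ($Excess.Count -gt 0) {
    Write-Warning ("Token carries {0} Graph permission(s) this script never requested:" -f $Excess.Count)
    $Excess | Sort-Object | ForEach-Object { Write-Warning "  $_" }
    Write-Warning 'These come from consent already granted to the app registration; remove them there, not in the script.'
} else {
    Write-Host 'Token scopes match the requested least-privilege set.'
}
```

Run it against the registration from the question and the warning list should match the long list above minus User.Read and the OIDC scopes: that list is the consent already granted to the app, which is why requesting a single scope does not shrink the token. The scp decode is a debugging aid only; Graph tokens are issued for the resource, not the client, so a script should rely on $Result.Scopes (or simply on the API's responses) rather than on parsing the token at run time.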