Thomas Murphy

Reputation: 1468

Azure AD Token Issuing Endpoint doesn't return "scope" parameter

I'm querying the Microsoft Graph using a service app as described in this article: http://graph.microsoft.io/en-us/docs/authorization/app_only

I'm successfully able to make the POST request to the tenant-specific URL and get the JSON response specified:

{ 
  "token_type": "Bearer",
  "expires_in": "3599",
  "scope": "User.Read",
  "expires_on": "1449685363",
  "not_before": "1449681463",
  "resource": "https://graph.microsoft.com",
  "access_token": "<token>"
}

except the "scope" parameter is missing. I have all "Office 365 Exchange Online" "Application Permissions" checked in my AD configuration panel. When using the returned token against the Graph API, I'm able to successfully call https://graph.microsoft.com/v1.0/users/ but no other endpoints.

Upvotes: 0

Views: 1387

Answers (2)

Ben

Reputation: 1092

I just had this issue and wanted to elaborate on the answer marked as correct, since it is the correct answer but an incomplete solution. If there are no scope parameters, it means that your app is registered; however, the admin has not consented to the app accessing your AD instance. Once you register your app, you have to build and go to the following URL to authorize the app (with an admin account, of course):

GET https://login.microsoftonline.com/{TenantID}/adminconsent?
client_id=<APP ID>
&state=<This is optional for your app to use>
&redirect_uri=<ReturnURL>

TenantID: comes from Azure portal - if you click on the Help icon in the upper right and then choose 'Show Diagnostics' you can find the tenant id in the diagnostic JSON.

AppID: comes from the Azure portal - when you register your app, you go to the management console and cut/paste

This article has a TON of useful info for people trying to do graph integration.

Upvotes: 2
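
Added example (not part of the answer above or of Microsoft's documentation): Python helpers that build the admin consent URL from the answer with URL-encoded parameters and a random `state`, and report which permissions a token response actually carries. It assumes application permissions appear in the access token's `roles` claim; the tenant ID, app ID, redirect URI, helper names and sample tokens are constructed placeholders.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

def admin_consent_url(tenant_id, client_id, redirect_uri, state=None):
    """Build the admin consent URL from the answer above, URL-encoding each parameter."""
    # A random state lets the app match the redirect back to the request it started.
    state = state or secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tenant_id}/adminconsent?{query}", state

def jwt_claims(access_token):
    """Decode the JWT payload without verifying the signature (diagnosis only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(token_response):
    """Permissions the token carries: response 'scope' plus the token's 'roles' claim."""
    scopes = token_response.get("scope", "").split()
    roles = jwt_claims(token_response["access_token"]).get("roles", [])  # assumed claim
    return sorted(set(scopes) | set(roles))

def lacks_permissions(token_response):
    """True when neither 'scope' nor 'roles' lists anything, as in the question."""
    return not granted_permissions(token_response)

def make_sample_token(claims):
    """Constructed, unsigned JWT for the demo; real tokens come from the token endpoint."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "unsigned"])

if __name__ == "__main__":
    # Constructed placeholders, not values from the page.
    url, state = admin_consent_url("11111111-1111-1111-1111-111111111111",
                                   "00000000-0000-0000-0000-000000000000",
                                   "https://app.example/callback")
    print(url)
    before = {"token_type": "Bearer",
              "access_token": make_sample_token({"aud": "https://graph.microsoft.com"})}
    after = {"token_type": "Bearer",
             "access_token": make_sample_token({"roles": ["User.Read.All"]})}
    print(lacks_permissions(before), granted_permissions(after))
```

The payload is decoded without signature verification, so use the output only to diagnose missing consent, never to make an authorization decision.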

Yina - MSFT

Reputation: 1786

You need to select the application scopes from the list available in the Microsoft Graph service, then have the admin consent.

Upvotes: 1
