Spb2015

Reputation: 113

microsoftgraph oauth2 scope

I'm trying to read/write events from an Office 365 calendar using the Microsoft Graph API. I can't seem to get the correct scope: I only get user.read when I need calendar.readwrite. Here is my code request. I have tried adding scope, and I have calendar.readwrite defined in the permissions in the registration portal, but I always only get user.read when I get an access token.

https://login.microsoftonline.com/common/oauth2/authorize?
client_id={CLIENT_ID}&
response_type=code&
redirect_uri=https://localhost&
state=985542

How do I increase the scope of my application?

Upvotes: 1

Views: 455

Answers (1)

Shawn Tabrizi

Reputation: 12434

It is possible that your application is in a state where you have consent for the user.read scope, but not the calendar.readwrite scope.

Specifically, my guess is that you registered your app with only the user.read scope, and then consented to the app. This worked, and your tokens started getting the user.read scope. Then at a later time, you added the additional permission for calendar.readwrite; however, you do not see it in the token!

That is because you have not re-consented to the application, with the new scope. If you change the permission levels of your application, you must also re-consent to the new application. If you do not, you will continue to get the permissions that you have consented to in the past, regardless of what they were.

To fix this, simply add &prompt=consent at the end of your login URL, which will force the user to consent to the new set of permissions.

This happens because our token service first checks if there are EntitlementGrants written between the user and the application. If there are, they will skip all the consent processes, and just jump to minting the token. If you were to delete the consent record, or force the user to consent again, we will start the process from scratch, which will result in all the permissions you have selected.

Let me know if this helps!

Upvotes: 1
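
An added example, not part of the question or the answer: it builds the question's login URL, compares the scopes a token response reports against the ones the app needs, and only sends the user back through prompt=consent when one is missing. The helper names are hypothetical, the scope names are spelled as in the question, and it assumes the token response carries a space-separated `scope` field (RFC 6749) that can be compared case-insensitively.

```python
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"  # from the question


def new_state() -> str:
    """Unpredictable per-request state value (the question hard-codes 985542)."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        force_consent: bool = False) -> str:
    """Build the login URL from the question; optionally append prompt=consent."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"  # the fix given in the answer
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_matches(expected: str, returned: str) -> bool:
    """Constant-time check that the redirect carries the state we issued."""
    return hmac.compare_digest(expected.encode(), returned.encode())


def missing_scopes(token_response: dict, required: set) -> set:
    """Required scopes absent from the response's 'scope' field (assumed format)."""
    granted = {s.rsplit("/", 1)[-1].lower() for s in token_response.get("scope", "").split()}
    return {r for r in required if r.lower() not in granted}


def next_login_url(token_response, required, client_id, redirect_uri, state):
    """Consent-forcing URL if the token lacks a required scope, else None."""
    if missing_scopes(token_response, required):
        return build_authorize_url(client_id, redirect_uri, state, force_consent=True)
    return None


if __name__ == "__main__":
    stale = {"scope": "user.read"}  # constructed sample token response
    print(next_login_url(stale, {"calendar.readwrite"}, "CLIENT_ID", "https://localhost", new_state()))
```

Forcing consent only when a scope is missing avoids showing the consent screen on every sign-in once the new grant has been recorded.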
