Reputation: 57
I'm using the v1 Azure AD auth URLs (/common/oauth2/authorize) for a multi-tenant app that requires admin_consent.
I've attempted to add a new scope, Directory.AccessAsUser.All. It is the first 'delegated' permission I'm requesting, when all my other scopes are 'application' level permissions.
When I added that new delegated scope and prompted the admin to re-consent, the other scopes disappeared from the returned AccessToken and the response's scope parameter. Only Directory.AccessAsUser.All is present in the access_token scp field.
Is there any reason this behavior would occur? I'm positive that we are prompting for admin_consent and that an admin is the one consenting.
Upvotes: 2
Views: 1853
Reputation: 33094
The scopes specified in the scp will depend on which OAuth flow you used to obtain the token. You cannot have a single access_token with both Delegated and Application scopes.
Application scopes are applied when using the Client Credentials flow (client_credentials).
Delegated scopes are applied when using either Authorization Code or Implicit flows (authorization_code or implicit).
Update: I've written a more in-depth post about this topic that might help folks facing similar issues: Application vs Delegated Scopes.
Upvotes: 5
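A quick way to confirm which flow produced a given token, as an added example that is not part of the question or answer above: decode the JWT payload and look at which permission claim is present. Azure AD emits delegated permissions in the space-separated scp claim (authorization_code / implicit, acting on behalf of a signed-in user) and application permissions in the roles claim (client_credentials, no user). The helper below only inspects the payload; it deliberately does not verify the signature, so it is a debugging aid, not an authorization check. The two sample tokens are constructed inline with placeholder identifiers and an unsigned header purely so the script runs offline; real Azure AD tokens are RS256-signed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Debugging aid only: it shows what the token server put in the token.
    Never base an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Work out which permission model a token carries.

    Delegated permissions arrive in 'scp' (space-separated string, plus user
    claims such as upn); application permissions arrive in 'roles' (a list).
    A single Azure AD access token carries one or the other, never both.
    """
    claims = decode_claims(token)
    scp = claims.get("scp", "")
    delegated = scp.split() if isinstance(scp, str) else list(scp)
    application = list(claims.get("roles", []))
    if delegated and application:
        flow = "unexpected-mixed"   # would indicate a token not issued as described
    elif delegated:
        flow = "delegated"          # authorization_code or implicit
    elif application:
        flow = "application"        # client_credentials
    else:
        flow = "none"
    return {
        "flow": flow,
        "delegated": delegated,
        "application": application,
        "user": claims.get("upn") or claims.get("unique_name"),
    }


def make_unsigned_sample(claims: dict) -> str:
    """Build a CONSTRUCTED unsigned JWT for offline demonstration only.

    Real Azure AD tokens are RS256-signed; this just reproduces the layout
    so classify_token() can be exercised without a tenant.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples mirroring the two token shapes (placeholder values,
# not real tenant or application identifiers).
DELEGATED_TOKEN = make_unsigned_sample({
    "aud": "https://graph.windows.net",
    "appid": "00000000-0000-0000-0000-000000000001",
    "upn": "admin@contoso.example",
    "scp": "Directory.AccessAsUser.All",
})
APPLICATION_TOKEN = make_unsigned_sample({
    "aud": "https://graph.windows.net",
    "appid": "00000000-0000-0000-0000-000000000001",
    "roles": ["Directory.Read.All", "User.Read.All"],
})


if __name__ == "__main__":
    for flow_used, tok in (("authorization_code", DELEGATED_TOKEN),
                           ("client_credentials", APPLICATION_TOKEN)):
        print(flow_used, "->", classify_token(tok))
```

Run it against a token pasted in place of the samples (keeping the signature-verification caveat in mind): if the scp claim holds only Directory.AccessAsUser.All, the token came from a user-delegated flow, and the application permissions will only show up in the roles claim of a separate client_credentials token.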