Oleg Sh

Reputation: 9013

Microsoft Graph scope "Domain.ReadWrite.All"

Why can't I set the scope Domain.ReadWrite.All for a URL like:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_APP_ID&response_type=code&state=12345&response_mode=query&redirect_uri=https%3A%2F%2Flocalhost%3A44331%2F&scope=domain.readwrite.all

does not work.

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_APP_ID&response_type=code&state=12345&response_mode=query&redirect_uri=https%3A%2F%2Flocalhost%3A44331%2F&scope=user.read

works. It works also for directory.readwrite.all and any other, but does not work for domain.readwrite.all. Why so?

Upvotes: 0

Views: 556

Answers (1)

Chris Johnson

Reputation: 1340

Domain.ReadWrite.All is an application scope (client credential flow, aka app-only) and you are trying to have a user consent to that scope in a delegated auth flow.

To use Domain.ReadWrite.All you would need to do admin consent using the admin consent endpoint like this:

GET https://login.microsoftonline.com/{tenant}/adminconsent
    ?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &state=12345
    &redirect_uri=https://localhost/myapp/permissions

Edited: updated to domain.readwrite.all

Upvotes: 1
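To make the distinction in the answer concrete, here is an added Python example (not code from the question or the answer) that builds the admin consent URL, builds the app-only (client credentials) token request that follows it, and validates the redirect back from the consent endpoint, rejecting a mismatched state. The tenant, client id, secret and callback values are constructed placeholders; the callback field names (admin_consent, tenant, state, error, error_description) are assumed from the Microsoft identity platform documentation.

```python
from urllib.parse import urlencode, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# App-only tokens request the resource's /.default scope, which covers every
# application permission an admin has already consented to for the app.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def admin_consent_url(tenant: str, client_id: str, state: str, redirect_uri: str) -> str:
    """Tenant-wide admin consent URL for the app's registered application permissions.
    Note there is no scope parameter: consent covers what is configured on the app."""
    params = {"client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def client_credentials_request(tenant: str, client_id: str, client_secret: str) -> tuple:
    """Token request for the client credential flow: no user, no per-permission scope."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # placeholder; load from a secret store in practice
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    return url, body


def parse_admin_consent_callback(query: str, expected_state: str) -> dict:
    """Validate the query string the consent endpoint redirects back with.
    The state check ties the callback to a request we actually issued (anti-CSRF);
    an error response is surfaced instead of being treated as success."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: callback does not belong to our consent request")
    if "error" in q:
        raise ValueError(f"consent failed: {q['error']}: {q.get('error_description', '')}")
    if q.get("admin_consent", "").lower() != "true" or not q.get("tenant"):
        raise ValueError("consent was not granted")
    return {"tenant": q["tenant"], "admin_consent": True}


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or app registration.
    print(admin_consent_url("contoso.onmicrosoft.com", "MY_APP_ID", "12345", "https://localhost:44331/"))
    print(client_credentials_request("contoso.onmicrosoft.com", "MY_APP_ID", "PLACEHOLDER_SECRET"))
    print(parse_admin_consent_callback("admin_consent=True&tenant=TENANT_ID&state=12345", "12345"))
```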
