Reputation: 441
I am authenticating a user using OAuth 2.0 with the following scopes:
https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile
To retrieve the user profile picture I need to call this API endpoint with the access token:
https://graph.microsoft.com/v1.0/me/photo/$value
Unfortunately, this API endpoint only works if I include https://graph.microsoft.com/.default
in my scopes. More unfortunately, doing so gives me the following error when logging in:
The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://graph.microsoft.com/.default offline_access openid profile is not valid. .default scope can't be combined with resource-specific scopes.
I can't seem to retrieve the profile with any scope other than the .default scope, but with that scope I cannot use IMAPS and SMTPS, which I need. What is the correct way to be able to do both?
Upvotes: 0
Views: 504
Reputation: 16109
Note that I agree with @wenbo: generating an access token with two resources or different resource scopes is not supported.
For example, I generated the access token using the same scope as you:
https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile
When I decoded the access token, the aud was the resource of the scope you pass first:
Hence, here the aud is https://outlook.office.com
When you call the Microsoft Graph API https://graph.microsoft.com/v1.0/me/photo/$value
using the above token, you will get an error.
Hence, to resolve the error, check the below:
Grant the User.Read Office 365 Exchange Online API permission:
Use the below query to fetch the user profile photo:
GET https://outlook.office.com/api/v2.0/me/photo/$value
Grant type: Authorization code
Callback URL: https://oauth.pstmn.io/v1/callback
Auth URL: https://login.microsoftonline.com/TenantId/oauth2/v2.0/authorize
Token URL : https://login.microsoftonline.com/TenantId/oauth2/v2.0/token
Client ID : ClientID
Client Secret : ClientSecret
Scope: https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send https://outlook.office.com/User.Read
Microsoft suggests using the Microsoft Graph API, as the Outlook REST API will be decommissioned; I have just given this as a workaround. Refer to this MsDoc.
Upvotes: 1
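The two failures discussed above (a scope string the authorize endpoint rejects, and a token whose aud belongs to one API being sent to another) can be caught on the client before a request is made. The following is an added example, not code from either post: it models the rejection rules from the error text quoted in the question, and assumes the well-known Microsoft Graph application id as an alternative aud value.

```python
import base64
import json
from urllib.parse import urlparse

# Scopes that name no resource (OpenID Connect and refresh-token scopes).
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def resources_in_scope(scope: str) -> set:
    """Return the resource origins (scheme://host) named by a v2.0 scope string."""
    out = set()
    for s in scope.split():
        u = urlparse(s)
        if s not in OIDC_SCOPES and u.scheme and u.netloc:
            out.add(f"{u.scheme}://{u.netloc}")
    return out

def scope_problem(scope: str):
    """Explain why a scope string will be rejected at the authorize endpoint, else None."""
    parts = [s for s in scope.split() if s not in OIDC_SCOPES]
    if any(s.endswith("/.default") for s in parts) and len(parts) > 1:
        return ".default scope can't be combined with resource-specific scopes"
    if len(resources_in_scope(scope)) > 1:
        return "one access token can only be issued for a single resource (aud)"
    return None

def decode_payload(token: str) -> dict:
    """Read the JWT payload for diagnostics only: the signature is NOT verified here,
    so the result must never drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

# Audience values each API accepts; the GUID is the well-known Microsoft Graph application id.
ACCEPTED_AUD = {
    "outlook.office.com": {"https://outlook.office.com"},
    "graph.microsoft.com": {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
}

def token_matches_endpoint(token: str, url: str) -> bool:
    """True when the token's aud names the API that hosts url (the mismatch behind the error above)."""
    aud = decode_payload(token).get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    return bool(auds & ACCEPTED_AUD.get(urlparse(url).hostname, set()))

def make_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned test fixture (alg none); real tokens from Azure AD are signed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```

The resource server, not the client, is what actually enforces aud; this client-side check only avoids sending a token to an API that is guaranteed to reject it.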