Search code examples

Error when Posting or patching EducationClass with MSGraph

I'm trying to POST or PATCH an education class using Microsoft Graph but always get and error.

  "description": "Health Level 1",
  "classCode": "Health 501",
  "displayName": "Health 1",
  "externalId": "11019",
  "externalName": "Health Level 1",
  "externalSource": "sis",
  "mailNickname": ""


  "code": "AccessDenied",
  "message": "Required scp claim values are not provided.",
  "innerError": {
    "request-id": "e1183015-d942-491a-9949-4aa73bbef893",
    "date": "2018-06-21T08:44:35"

My App has the needed permissions for creating an education class. (for testing, my app has all the application and delegated permissions possible). Posting users, groups etc is no problem.

App Permissions

More specific the needed permission: Roster permission

After assigning the permission in the AD portal I did the following:

  • Get admin consent for the app

  • Get the authorization code

  • Get the access token

All with success. After getting the Access Token I have the following scopes:

  • .....
  • EduRoster.Read
  • EduRoster.ReadBasic
  • EduRoster.ReadWrite
  • ...

The Graph documentation says you need the permission Application EduRoster.ReadWrite.All

Also tested a POST and PATCH in Graph Explorer but get the same response.


  • This API requires "Application" rather than "Delegated" scopes. As you mentioned, it specifically requires the EduRoster.ReadWrite.All scope.

    Which scopes get applied to a token depends entirely on which OAuth Grant you used to obtain the token:

    • Authorization Code Grant = Delegated
    • Implicit Grants = Delegated
    • Client Credentials Grant = Application

    The reason you're not getting this scope in your Access Token is that you're using the Authorization Code grant (response_type=code) which will always result in Delegated scopes getting assigned.

    In order to make this call, you'll need to obtain a token using the Client Credentials grant.

    You might also find this article helpful (full disclosure, I am the author): Application vs Delegated Scopes.