Tags: azure, azure-active-directory, microsoft-graph-api, botframework, microsoft-teams

Unable to upload file to OneDrive via Teams bot due to "scp or roles claim" error message


I am currently working on a Microsoft Teams bot that aims to upload files to OneDrive in order to share the URL with a user based on a chat request. However, I'm facing a recurring issue with the error message "Either scp or roles claim need to be present in the token."

Here's a breakdown of what I'm doing and the steps I've taken:

Step 1: Initial Authentication Request

I initiate the authentication process with the following POST request:

POST /<MY TENANT ID>/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Authorization: Bearer <MY ACCESS TOKEN>

grant_type=client_credentials&client_id=<MY APP ID>&client_secret=<MY APP PASSWORD>&resource=https%3A%2F%2Fgraph.microsoft.com

This successfully returns a bearer access token that I use for further interactions.

Step 2: File Upload Request

With the access token in hand, I proceed to upload a plaintext file containing just the content "Hello world". Here's the POST request I'm using:

POST /v1.0/drive/root:/filename.txt:/content HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <MY ACCESS TOKEN>
Content-Type: text/plain

hello_world

However, the response that I'm getting is:

{"error": {"code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": {"date": "2023-08-11T20:51:52", "request-id": "e7bb0afc-d6ce-348e-b6cf-7cba046e70b4", "client-request-id": "e7bb0afc-d6ce-4f07-b6cf-7cba046e7222"}}}

My questions are:

  1. Are the missing permissions in my initial authentication request or within the bot's configuration in Azure?
  2. If the permissions need to be set in the bot's Azure configuration, what specific permissions are missing? The error message mentions "scp or roles claim," and I'm unsure what this actually means. Does this mean "scp" and/or "roles" need to be in my initial authentication request, or am I misinterpreting that?

Solution

  • The error usually occurs if you missed adding the required API permission in the app registration or missed granting admin consent to it.

    I registered one Azure AD application and added the Files.ReadWrite.All permission of Application type, then granted consent:

    (screenshot)

    Now, I generated an access token using the client credentials flow via Postman with the parameters below:

    POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
    grant_type:client_credentials
    client_id: appID
    client_secret: secret 
    scope: https://graph.microsoft.com/.default
    

    Response: (screenshot)

    To check whether the token has the permission or not, you can decode it by pasting the token into jwt.ms and find the roles claim in it:

    (screenshot)

    Now, use the PUT request below to upload a plaintext file containing just the content "Hello world", including the userID in the URL:

    PUT https://graph.microsoft.com/v1.0/users/<userID>/drive/root:/srifile.txt:/content
    Authorization: Bearer <MY ACCESS TOKEN>
    Content-Type: text/plain
    
    hello_world
    

    Response: (screenshot)

    To confirm that, I checked the user's OneDrive, where the file was created successfully, like below:

    (screenshot)

    When I opened the above text file, it had hello_world in it:

    (screenshot)
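The following is an added example, not code from the question or the answer above. It covers both posts: it inspects a Graph access token for the `scp`/`roles` claims the error message refers to (the same check the answer does by pasting the token into jwt.ms), then builds the v2.0 client-credentials token request and the per-user `PUT` upload request the answer uses, refusing to send the upload when the token has no permission claim. The tokens it decodes are constructed, unsigned samples for offline demonstration; the tenant, app and user ids are placeholders, and the `build_*` helper names are this example's own.

```python
"""Added example (not from the question or the answer): check a Microsoft Graph
access token for the scp/roles claims, and build the client-credentials token
request and the /users/{id}/drive upload request from the answer."""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known resource app id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for offline demonstration only (alg=none, empty signature).
    Real tokens from login.microsoftonline.com are signed; never accept alg=none in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Unverified payload decode, the same thing jwt.ms shows you.
    Inspection only: authorization decisions need signature validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def graph_permissions(token: str) -> tuple[str, list[str]]:
    """Return ('roles', [...]) for application permissions (client credentials flow),
    ('scp', [...]) for delegated permissions (a signed-in user), or ('none', []) when
    neither claim exists, which is the case Graph rejects with
    'Either scp or roles claim need to be present in the token.'"""
    claims = decode_jwt_payload(token)
    if "roles" in claims:
        return "roles", list(claims["roles"])
    if "scp" in claims:
        return "scp", claims["scp"].split()  # scp is a space-separated string
    return "none", []


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials request against the v2.0 endpoint with the .default scope, as in
    the answer. The credentials travel in the form body; no Authorization header is needed."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def build_upload_request(token: str, user_id: str, path: str, content: bytes) -> urllib.request.Request:
    """PUT to a named user's drive, as in the answer. An app-only token has no signed-in
    user, so the target drive must be addressed explicitly via /users/{id}/drive."""
    kind, perms = graph_permissions(token)
    if kind == "none":
        raise PermissionError("token carries neither scp nor roles; add an API permission "
                              "to the app registration and grant admin consent first")
    if kind == "roles" and "Files.ReadWrite.All" not in perms:
        raise PermissionError(f"token roles {perms} do not include Files.ReadWrite.All")
    return urllib.request.Request(
        f"{GRAPH}/v1.0/users/{user_id}/drive/root:/{urllib.parse.quote(path)}:/content",
        data=content, method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "text/plain"},
    )


if __name__ == "__main__":
    # Constructed tokens: one minted with no API permission, one with the role granted.
    bad = make_unsigned_token({"aud": GRAPH_APP_ID, "appid": "app-id-placeholder"})
    good = make_unsigned_token({"aud": GRAPH_APP_ID, "roles": ["Files.ReadWrite.All"]})
    print(graph_permissions(bad))   # ('none', [])
    print(graph_permissions(good))  # ('roles', ['Files.ReadWrite.All'])
    req = build_upload_request(good, "user-id-placeholder", "srifile.txt", b"hello_world")
    print(req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it with a real token and user id.
```

Running `graph_permissions` on a token before the first Graph call turns the server-side "AccessDenied" into a local, explicit failure that names the missing claim, which is easier to act on than the error body in the question.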