Assigning app role to Partner Center consented application not available in access token's scope
I am currently creating an integration with Microsoft Partner Center utilizing GDAP.
The current flow I have is:
- An admin (either Global Admin, Cloud Apps Administrator, or Application Admin) consents to a basic application (scopes include
DelegatedAdminRelationship.Read.Alland Partner Center'suser_impersonation) - Using the refresh token from the consent, obtain an access token to the Partner Center API and perform an admin consent for each of the delegated tenant relationships. This consent includes basic scopes for the Graph API like
Directory.Read.All,UserAuthenticationMethod.Read.All, etc.
The problem lies herein that the admin consents are delegated permissions. I need an application permission for the MailboxSettings.Read scope in order to determine if an inbox is shared.
I understand the flow would be something like:
- Grant delegated permission via admin consent like above
- Assign app roles to the service principal that gets installed from the consent
- Obtain new access token and perform operations as needed
The app roles are being added correctly via the following
POST https://graph.microsoft.com/v1.0/servicePrincipals/:spId/appRoleAssignedTo
{
"principalId":"a-b-c-d", // My app's service principal in the tenant
"resourceId":"e-f-g-h", // Microsoft Graph's service principal in the tenant
"appRoleId":"40f97065-369a-49f4-947c-6a255697ae91" // this is MailboxSettings.Read
}
I can see them in the tenant's Azure 
However, when I obtain the new access token (by using a refresh token) those added app roles are not in list of scopes, just the delegated permissions. So that token does not let me read mailbox settings as example:
{
"error": {
"code": "NoUserFoundWithGivenClaims",
"message": "The user specified by the user-context in the token does not exist.",
"innerError": {
"oAuthEventOperationId": "--",
"oAuthEventcV": "--",
"errorUrl": "https://aka.ms/autherrors#error-InvalidUser",
"requestId": "--",
"date": "2024-01-11T18:15:50"
}
}
}
What am I missing?
Immediately after posting this I figured out the solution. If you are using grant_type: refresh_token to obtain your access token, this will only ever return delegated permissions. In order to use my app roles (application permissions) I needed to use grant_type: client_credentials.
Note: client_credentials access token will only return application permissions. So to effectively use both sets of permissions you will either need two access tokens, or use app roles for all the permissions. I went with the former so ensure I only use the scopes when needed.
- Microsoft Graph: How to filter users by domain name
- Blazor app hangs after request MS Graph Me.GetAsync()
- Graph API: Either scp or roles claim need to be present in the token
- How do I authorize a Python script to upload to SharePoint Online?
- Cannot fetch the customSecurityAttributes data from Entra ID user Profile using Microsoft Graph API in Dotnet Webapi
- How can I change default tenant in Microsoft Graph Explorer
- PnP Framework assign Permission to the SharePoint Using PowerCell
- How to access a group calendar using Microsoft Graph Api?
- getting color off calendar in microsoft graph api in calendarview
- Adding Students with the API and Class Notebook
- How to find the delay when I reset a password using Microsoft's Graph API?
- GraphServiceClient filter issue
- Verify Microsoft Access token on my ASP.NET Core Web API
- Microsoft Graph: List all users and their groups in one request
- How to handle scalability when sending DM with BotFramework
- How can I add email recipients to a Graph API request programmatically?
- Microsoft Identity Web: Change Redirect Uri
- Azure graph api to search groups whose displayName contains a specific term
- I am getting an error that OAuth2 Code has already been redeemed
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Access OneDrive Directories and files using MSGraph API with client Authentication
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Upload a file using msgraph Python SDK
- How can I use msgraph Python SDK to properly list or get files from OneDrive?
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- Get-MgUserCalendar fails with "The specified object was not found in the store." for my own calendar
- How to get all the files in OneDrive account using the graph SDK?
- Microsoft Graph API fails to update user birthday and hireDate in GCC high environment
- Looking for a Microsoft Graph API that can update device ownership of a deivce
- Is there an easy way to display the profile image from graph api in a react application