I am trying to increase access token lifetime by following MsDocs.
For that I have installed powershell in ubuntu.
I have installed Microsoft Graph PowerShell SDK. And following commands.
But on this command:
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"
the Microsoft sign-in page opens, and after login the page shows this error:
Authentication failed. You can return to the application. Feel free to close this browser tab.
Error details: error invalid_scope error_description: The provided value for the input parameter 'scope' is not valid. The scope 'Policy.ReadWrite.ApplicationConfiguration Policy.Read.All Application.ReadWrite.All openid profile offline_access' does not exist.
Also Terminal shows similar error:
Connect-MgGraph: InteractiveBrowserCredential authentication failed: The provided value for the
input parameter 'scope' is not valid. The scope 'Policy.ReadWrite.ApplicationConfiguration
Policy.Read.All Application.ReadWrite.All openid profile offline_access' does not exist.
I have copied the command from MsDocs, but it still shows this error.
I am integrating Outlook into my application. I have created an application on Azure and I am trying to change the token lifetime for it. I am trying to log in with the same account I used to create the application on Azure.
As per @Sridevi's answer, I have added the permissions, but how do I grant consent for them?
And when trying to create a user in the Azure portal, I got this error.
Initially, I installed PowerShell 7.4.1 version in my Ubuntu 20.04.6:
$PSVersionTable
When I tried to sign in with a personal Microsoft (Outlook) account while connecting to Microsoft Graph, I too got the same error:
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"
Response:
As mentioned in this MS Doc, creating a token lifetime policy using personal Microsoft (Outlook) accounts is not supported.
To resolve the error, you need to sign in with a local tenant user account with admin access that ends with .onmicrosoft.com:
After accepting consent to the permissions, I connected to Microsoft Graph successfully with the below response:
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"
Response:
Alternatively, you can also connect to Microsoft Graph as a service principal by passing a client ID and client secret, which does not involve any user interaction.
I registered one application and granted API permissions of Application type by granting consent like this:
To connect to Microsoft Graph as a service principal via PowerShell, you can make use of the below sample script:
$appId    = "appId"          # Application (client) ID of the registered app
$secret   = "client_secret"  # client secret created under Certificates & secrets
$tenantID = "tenantId"       # Directory (tenant) ID
# Wrap the secret in a PSCredential so it is never passed as plain text
$securedSecret = ConvertTo-SecureString -String $secret -AsPlainText -Force
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appId, $securedSecret
Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $ClientSecretCredential
Response:
Now, you can run the remaining script to create the token lifetime policy like this:
# Create a token lifetime policy
$params = @{
    Definition            = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}')
    DisplayName           = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId = (New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
# Display the policy
Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
Response:
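The checks below are an added example, not part of the answer above: before creating the policy they verify from Get-MgContext that the session is not a personal account and (for delegated sign-in) that the required scopes were actually granted, then create the policy and link it to the app, which the policy creation alone does not do. They assume Connect-MgGraph has already succeeded and that $appObjectId holds the application's Object ID (placeholder); the policy-reference POST via Invoke-MgGraphRequest is the Graph REST call rather than the answer's cmdlets.

```powershell
# Added example: pre-flight checks, policy creation and assignment to an app registration.
$requiredScopes = @("Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All")
$appObjectId    = "<application-object-id>"   # placeholder: the app's Object ID, not its client ID

$ctx = Get-MgContext
if (-not $ctx) { throw "Not connected. Run Connect-MgGraph first." }

# Token lifetime policies are not supported for personal Microsoft accounts; an interactive
# session should be a tenant user such as user@contoso.onmicrosoft.com (constructed example).
if ($ctx.AuthType -eq 'Delegated' -and $ctx.Account -match '@(outlook|hotmail|live)\.com$') {
    throw "Signed in as a personal account ($($ctx.Account)); use a tenant user or an app-only credential."
}

# Delegated sessions expose the granted scopes on the context; app-only sessions carry
# application permissions instead, so the scope list is only checked for delegated auth.
if ($ctx.AuthType -eq 'Delegated') {
    $missing = $requiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }
    if ($missing) { throw "Missing delegated scopes (consent not granted?): $($missing -join ', ')" }
}

# AccessTokenLifetime must be between 10 minutes and 1 day; build the value from a TimeSpan
# so the "h:mm:ss" format in the policy definition is always well-formed.
$lifetime = [TimeSpan]::FromHours(4)
if ($lifetime -lt [TimeSpan]::FromMinutes(10) -or $lifetime -gt [TimeSpan]::FromDays(1)) {
    throw "AccessTokenLifetime must be between 10 minutes and 1 day."
}
$definition = @{
    TokenLifetimePolicy = @{ Version = 1; AccessTokenLifetime = $lifetime.ToString("h\:mm\:ss") }
} | ConvertTo-Json -Compress

$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter @{
    Definition            = @($definition)
    DisplayName           = "WebPolicyScenario"
    IsOrganizationDefault = $false
}

# A policy has no effect until it is linked to the application: POST a reference to it.
$refBody = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)" }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/tokenLifetimePolicies/`$ref" `
    -Body $refBody

# Confirm the assignment from the application's side.
Get-MgApplicationTokenLifetimePolicy -ApplicationId $appObjectId | Select-Object Id, DisplayName, Definition
```

Run it in the same session right after Connect-MgGraph; if the personal-account or missing-scope check throws, that is the same condition behind the invalid_scope error in the question.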