azure - AccessDenied: Either scp or roles claim need to be present in the token for multi-tenat Application

Question

We have a multi tenant registered application in Azure AD, lets call it Tenant A and we are trying to get access to the resources without the user by graph API. Using following details, We successfully get the Token, if we try to work with resources for example create files or folder on a main tenant (tenant A). But if we run the same code for another tenant for example tenant B (which is one of the tenantA 's tenant), we are getting error: "AccessDenied: Either scp or roles claim need to be present in the token." And indeed there is no roles defined in the token.

I am wondering what I am doing wrong here? Do I need to set permissions/roles for tenantB as well?

url: https://login.microsoftonline.com//oauth2/v2.0/token scope: https://graph.microsoft.com/.default grant_type: client_credentials client_id: client_secret: <tenantA-client_secret>

"{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "date": "2021-02-04T14:28:13", "request-id": "ca4565f7-aa56-4b00-9f46-09884ad39ff6", "client-request-id": "ca456ufo-ab5m-4b99-9f46-09pp4ad39ff6" } } }" scopes for tennat A:

question from:https://stackoverflow.com/questions/66048972/accessdenied-either-scp-or-roles-claim-need-to-be-present-in-the-token-for-mult

Answer 1

You have found the solution, post it as an answer to end the thread:

The admin must confirm the consent that was the whole issue, after confirming the consents by Admin all works as expected.

As you imagine, when you use the multi-tenant application in tenant B, it still has to obtain the consent of the administrator of tenant B for all permissions.