
I am trying to get a Bearer token for my registered Azure AD-App to read all my sharepoint sites via API

I followed the guides from Microsoft to a) grant permissions for the app and b) get myself a token

So I now a) have all required permissions: [screenshot of the granted API permissions] and b) received a token when using the scope https://graph.microsoft.com/.default

So here is my issue: when I try to get a token for, let's say, https://microsoft.sharepoint-df.com/Sites.Read.All:

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

Body (x-www-form-urlencoded):
client_id={appId}
scope=https://microsoft.sharepoint-df.com/Sites.Read.All
client_secret={secret}
grant_type=client_credentials

all I get in return is an error:

{
  "error": "invalid_scope",
  "error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://microsoft.sharepoint-df.com/Sites.ReadWrite.All is not valid.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: 2019-06-09 07:35:21Z",
  "error_codes": [
    70011
  ]
}

Am I doing something wrong? I also tried the scope https://{{tenantName}}.sharepoint.com/Sites.Read.All

sk2andy
  • Share your full token request sample. – Md Farid Uddin Kiron Jun 10 '19 at 01:05
  • @MdFaridUddinKiron I did so – sk2andy Jun 10 '19 at 12:43
  • 1
    As you permitted your grant for share point on your app so you needn't to set as scope for `scope=https://microsoft.sharepoint-df.com/Sites.Read.All` you can set your `scope=https://graph.microsoft.com/.default` your token would contains the permission for `Sites.Read.All`. If you [Decode](https://jwt.io/) your token [here](https://jwt.io/) you would Seen. If you still have any problem just let me know. – Md Farid Uddin Kiron Jun 10 '19 at 13:28

1 Answer


You are using client credentials flow to get the access token. The scope must be

https://graph.microsoft.com/.default

The value passed for the scope parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the .default suffix. For the Microsoft Graph example, the value is https://graph.microsoft.com/.default. This value tells the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use.

If you must use a specific scope like https://microsoft.sharepoint-df.com/Sites.Read.All, you can use the auth code grant flow to get the access token.

Tony Ju
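The two points raised above (the client credentials flow only accepts a `<resource>/.default` scope, and the granted application permission shows up as a `roles` claim in the issued token) can be checked before a request ever reaches the token endpoint. This is an added example, not code from the question or the answer; the tenant, client id, secret and token are constructed placeholders, and the payload inspection is a local sanity check, not signature verification.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders, not real tenant or app values.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_SECRET = "constructed-secret"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def is_client_credentials_scope(scope: str) -> bool:
    """Client credentials (app-only) tokens are requested with the resource's
    application ID URI plus the '/.default' suffix, never a named permission."""
    return scope.endswith("/.default") and scope.count("/.default") == 1


def build_token_request(tenant_id: str, client_id: str, client_secret: str, scope: str):
    """Return (url, urlencoded body) for a v2.0 client_credentials request,
    refusing scopes that AADSTS70011 would reject anyway."""
    if not is_client_credentials_scope(scope):
        raise ValueError(f"{scope!r} is not usable with grant_type=client_credentials; "
                         "use '<resource application ID URI>/.default'")
    body = urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload (what jwt.io shows); this does NOT verify the
    signature, so use it only to inspect a token you just received."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_app_role(token: str, role: str) -> bool:
    """App-only tokens carry granted application permissions in 'roles'
    (delegated tokens would use 'scp' instead)."""
    return role in jwt_claims(token).get("roles", [])


def constructed_token(claims: dict) -> str:
    """Build an unsigned JWT for offline testing only (no real issuer involved)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```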