0

I am using msal-node to get oauth access tokens. In my code, I have the following scopes:

scopes: [
    "https://graph.microsoft.com/People.Read.All",
    "https://graph.microsoft.com/Channel.Create",
    "https://graph.microsoft.com/ChannelMessage.Send",
    "https://graph.microsoft.com/Calendars.Read",
    "offline_access",
    "email",
    "openid",
    "profile"
]

When I generate the consent page URL, it does include all of these in the path, and I have them configured in the app registration on Azure:

enter image description here

However, when I actually see the consent page as the user, I do not see all of the scopes: enter image description here

I expected that the scopes I'm shown on the consent page would reflect the scopes in my code. I can control the "Calendars.Read" scope by including or removing it in my code, but none of the others ever appear. I have tried manually revoking the app's permission, to make sure that the existing consent is not causing conflicts with the new request, but it makes no difference.

Am I missing some necessary step to allow the app to request those permissions?

Datguy
  • 61
  • 7

1 Answers1

0

The reason is that the scopes the user is asked to consent to are also dependent on the type of account the user has. For example, if you look at the Graph API documentation for creating channels, you will see this table:

enter image description here

In this case, a user who signs in to the consent page with a personal Microsoft account will not be shown the permission corresponding to the Channel.Create scope, because that scope is only supported for work or school accounts. The same is true of ChannelMessage.Send and People.Read.All. The people API does allow People.Read for both types of users, however, so that may be a useful alternative in this case.

Datguy
  • 61
  • 7