 

Microsoft Graph scopes v2 oauth

I'm trying to build a simple Ruby application that can connect to the Microsoft Graph API and get basic information about the user, for example the manager or direct reports.

I've followed an O365 tutorial and I've got a working app that is able to get a user's mail. However, when I then try to use the session tokens to query the Graph API, I get an error:

response.body
=> {
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "18cbc6be-5254-400c-9780-7427376587fb",
      "date": "2016-06-30T22:21:55"
    }
  }
}

I'm using these scopes:

SCOPES = [ 'openid', 'profile', 'https://outlook.office.com/contacts.read', 'offline_access' ] 

It has just been suggested that I include the scope 'https://graph.microsoft.com/user.read', but when I add this to the application I get the following error before even hitting the user login page:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope openid profile offline_access https://graph.microsoft.com/user.read is not valid.

Any help on this would be appreciated!

asked Jul 01 '16 by Lievcin



1 Answer

Ok. The problem is that you are including scopes for both Outlook (the https://outlook.office.com/contacts.read scope) and Graph (the https://graph.microsoft.com/user.read scope). Unfortunately, Azure's authorization endpoint doesn't support mixing scopes like that. You can either remove the Outlook scope (assuming you don't need it), or change it to the Graph equivalent: https://graph.microsoft.com/contacts.read (if you need to access the logged-on user's personal contacts).

answered Sep 27 '22 by Jason Johnston
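The two failure modes in the thread are worth pinning down in code: a v2 authorize request whose resource scopes span more than one resource (outlook.office.com and graph.microsoft.com) is rejected up front with AADSTS70011, and an access token that was issued for the Outlook resource is rejected by Graph with InvalidAuthenticationToken, because its audience is not graph.microsoft.com. The following Ruby is an added example, not the poster's application or the answerer's code. It checks a scope list for mixed resources before building the authorize URL, and builds the Graph request with the Bearer header. The 'common' tenant, the placeholder client_id, redirect_uri and state values, and the scope lists in the usage are assumptions for illustration.

```ruby
require 'uri'
require 'net/http'

# Scopes that belong to the identity platform itself rather than to a
# resource. They may accompany the scopes of any single resource.
OIDC_SCOPES = %w[openid profile email offline_access].freeze

# Return the distinct resource hosts named by the resource-qualified scopes.
# In the v2 endpoint a resource scope is a full URL such as
# https://graph.microsoft.com/user.read; the host identifies the resource
# (and becomes the audience of the token that is issued).
def resources_in(scopes)
  scopes.reject { |s| OIDC_SCOPES.include?(s) }
        .map { |s| URI.parse(s).host }
        .uniq
end

# Return the single resource host the token will be issued for, or raise if
# the list mixes resources, which is the condition behind AADSTS70011 in
# the question. Returns nil for a pure OIDC scope list.
def validate_scopes!(scopes)
  hosts = resources_in(scopes)
  if hosts.size > 1
    raise ArgumentError, "scopes span more than one resource: #{hosts.join(', ')}"
  end
  hosts.first
end

# Build the v2 authorize URL for the authorization-code flow.
# tenant 'common' is an assumption; use your tenant id for single-tenant apps.
# state is required here: the callback must compare it to the stored value
# to reject forged redirects.
def authorize_url(client_id:, redirect_uri:, scopes:, state:, tenant: 'common')
  validate_scopes!(scopes)
  params = {
    client_id: client_id,
    response_type: 'code',
    redirect_uri: redirect_uri,
    response_mode: 'query',
    scope: scopes.join(' '),
    state: state
  }
  "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/authorize?" \
    "#{URI.encode_www_form(params)}"
end

# Build (without sending) a Graph v1.0 request carrying the access token as a
# Bearer header. A token obtained for an outlook.office.com scope has the
# wrong audience and is answered with InvalidAuthenticationToken here.
def graph_request(access_token, path)
  req = Net::HTTP::Get.new(URI.join('https://graph.microsoft.com/v1.0/', path))
  req['Authorization'] = "Bearer #{access_token}"
  req['Accept'] = 'application/json'
  req
end

# Constructed scope lists: the poster's mixed list and the corrected one.
MIXED_SCOPES = %w[openid profile offline_access
                  https://outlook.office.com/contacts.read
                  https://graph.microsoft.com/user.read].freeze

GRAPH_SCOPES = %w[openid profile offline_access
                  https://graph.microsoft.com/user.read
                  https://graph.microsoft.com/contacts.read].freeze

if __FILE__ == $PROGRAM_NAME
  begin
    validate_scopes!(MIXED_SCOPES)
  rescue ArgumentError => e
    puts "rejected before login: #{e.message}"
  end
  puts authorize_url(client_id: '00000000-0000-0000-0000-000000000000',
                     redirect_uri: 'http://localhost:3000/authorize',
                     scopes: GRAPH_SCOPES, state: 'opaque-random-value')
  req = graph_request('<access token from the token endpoint>', 'me/manager')
  puts "#{req.method} #{req.path} #{req['Authorization'][0, 11]}..."
end
```

Once the scope list names only graph.microsoft.com, the same token serves /me, /me/manager and /me/directReports; a token minted for outlook.office.com cannot be reused against Graph, so the app needs a separate token per resource if it really needs both.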