Microsoft Graph API 角色声明未在令牌中但已添加应用程序权限

Question

I'm attempting to connect to the Microsoft Graph API to use an excel function, as a server to server connection/flow. https://learn.microsoft.com/en-us/graph/excel-use-functions

In Azure AD I've built the registered application:

I've created the secret...and also added the API Permissions.

In Postman, I'm able to get the token fine.....but I notice that roles are not included in the token. Here's the request:

And then when I make a request to the excel function of RATE I get this error:

{
    "error": {
        "code": "AccessDenied",
        "message": "Either scp or roles claim need to be present in the token.",
        "innerError": {
            "date": "2021-08-17T14:31:04",
            "request-id": "b0d65e3c-4acd-4a8a-82c4-1c4c5f2216ac",
            "client-request-id": "b0d65e3c-4acd-4a8a-82c4-1c4c5f2216ac"
        }
    }
}

Every post I still on here mentions API permissions and granting consent as Admin....which I have completed but I'm still getting the error. Any thoughts?

Answer 1

Please check if there is any claims mapping policy linked to the application service principal.

1. Navigate to Azure Active Directory > Enterprise Applications > Search with the Client ID you used in your token request > copy the object ID of the app. Keep in mind that this object id is different than the object ID of the application object present under App Registration.
2. Run Get-AzureADServicePrincipalPolicy -Id object_id_copied_in_step_1 | fl Get-AzureADServicePrincipalPolicy -Id object_id_copied_in_step_1 | fl to check if there is any claims mapping policy linked.
3. If there is a cliams mapping policy linked to it, run Remove-AzureADServicePrincipalPolicy to remove the policy.

Decode your bearer token at https://jwt.ms to confirm if the Roles claim is populated or not. SCP claim will not be populated in this case, as it only populates when the token is acquired under user context.