Fixed: “Either scp or roles claim need to be present in the token” Error in Microsoft Graph API

In this blog post, we will learn how to fix the “Either scp or roles claim need to be present in the token” error in Microsoft Graph API authentication. When you test a Graph API endpoint from Postman, Copilot Studio, or your own application that integrates Microsoft Graph with Azure AD authentication, you may get the error shown below.

For example, I called the Graph API endpoint below from Postman. Although the access token was valid, I got the following error.

Graph API Endpoint: https://graph.microsoft.com/v1.0/sites/{SITEID}/Drives

{
  "error": {
    "code": "AccessDenied",
    "message": "Either scp or roles claim need to be present in the token.",
    "innerError": {
      "date": "2025-02-28T04:41:38",
      "request-id": "0d03df1e-365c-4d7f-bc4f-34d4b51c1ac4",
      "client-request-id": "0d03df1e-365c-4d7f-bc4f-34d4b51c1ac4"
    }
  }
}

Access denied - Either scp or roles claim need to be present in the token

This error typically occurs when the access token does not contain the necessary permissions (scp for delegated permissions or roles for application permissions).

In this article, we will cover:

  • What causes this error?
  • How to fix it step by step
  • Best practices for obtaining the correct access token

This guide applies to scenarios where you need to authenticate Microsoft Graph API using Azure AD OAuth 2.0 token for Copilot Studio, Power Automate, or Postman API testing.

What Causes the “scp or roles claim” Error?

Microsoft Graph API expects one of the following claims in the JWT access token:

  • scp (Scope Claim): Used in delegated authentication, meaning a signed-in user is making the request.
  • roles (Roles Claim): Used in application authentication, meaning a background process or app (without user interaction) is making the request.

If neither claim is present, the request is denied.

Commonly Suggested Fixes: Step-by-Step Guide to Fix the Issue

If you search for this error on Google, you will find the following fixes.

Step 1: Verify Your Token in jwt.ms

Before troubleshooting, check if your access token contains the correct claims.

1️⃣ Go to jwt.ms
2️⃣ Paste your access token
3️⃣ Look for either the scp or roles claim under "payload"

  • If scp is missing, your app lacks delegated permissions.
  • If roles is missing, your app lacks application permissions.
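Step 1 can also be done programmatically. The script below is an added example, not code from the original post: it decodes the token payload the way jwt.ms does (without verifying the signature, so it is for inspection only, never for authorization decisions) and reports whether the scp or roles claim is present. The sample tokens are constructed and unsigned; the Graph app id GUID is the well-known audience value that real Graph tokens may carry instead of the URL.

```python
import base64
import json
import time

# Audience values seen on tokens minted for Microsoft Graph
GRAPH_AUDS = ("https://graph.microsoft.com", "https://graph.microsoft.com/",
              "00000003-0000-0000-c000-000000000000")

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload):
    """Constructed, unsigned JWT-shaped string for demonstration only."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(payload)}.sig"

def decode_payload(token):
    """Return the payload claims. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_graph_token(token):
    """Classify a token as Graph does: 'delegated' (scp), 'application'
    (roles) or 'missing' (neither, which yields the AccessDenied error).
    Returns (kind, permissions, problems)."""
    claims = decode_payload(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDS:
        problems.append(f"aud is {claims.get('aud')!r}, not issued for Graph")
    if claims.get("exp", 0) < time.time():
        problems.append("token is expired")
    if "scp" in claims:
        kind, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:
        kind, perms = "application", list(claims["roles"])
    else:
        kind, perms = "missing", []
        problems.append("neither scp nor roles present: Graph will return AccessDenied")
    return kind, perms, problems

# Constructed samples (exp far in the future so they read as valid)
SAMPLE_DELEGATED = make_sample_token(
    {"aud": GRAPH_AUDS[0], "exp": 4102444800, "scp": "User.Read Files.Read.All"})
SAMPLE_APP_ONLY = make_sample_token(
    {"aud": GRAPH_AUDS[0], "exp": 4102444800, "roles": ["Sites.Read.All"]})
SAMPLE_MISSING = make_sample_token({"aud": GRAPH_AUDS[0], "exp": 4102444800})
```

Paste a real access token into check_graph_token to see which claim it carries; a result of "missing" means the app registration has no effective delegated or application permissions for Graph.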

Step 2: Ensure Correct API Permissions in Azure AD

To fix missing claims, you need to assign the correct API permissions in Azure App Registration.

➡️ If using Delegated Authentication (User-Based Requests)

1️⃣ Go to Azure Portal → Azure Active Directory
2️⃣ Select App Registrations → Your App
3️⃣ Click API Permissions → Add a permission
4️⃣ Select Microsoft Graph → Delegated Permissions
5️⃣ Add required permissions such as:

  • Sites.Read.All
  • Sites.Manage.All
  • Sites.FullControl.All

6️⃣ Click Grant Admin Consent

➡️ If using Application Authentication (App-Only Requests)

1️⃣ Go to Azure Portal → Azure Active Directory
2️⃣ Select App Registrations → Your App
3️⃣ Click API Permissions → Add a permission
4️⃣ Select Microsoft Graph → Application Permissions
5️⃣ Add required permissions such as:

  • Sites.Read.All
  • Sites.Manage.All
  • Sites.FullControl.All

6️⃣ Click Grant Admin Consent

Important: Delegated permissions require a signed-in user, whereas application permissions do not.

Step 3: Request Access Token with Correct Scope

Once permissions are set, you need to obtain a valid OAuth 2.0 access token.

Delegated Authentication (User-Based Requests)

Use the following request in Postman or Power Automate to get an access token:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}
client_secret={client_secret}
grant_type=authorization_code
code={authorization_code}
redirect_uri={redirect_uri}
scope=https://graph.microsoft.com/.default

The authorization_code grant also requires the code returned by the sign-in redirect and the same redirect_uri registered on the app. Because a user signed in, the resulting token carries the scp claim with the consented delegated permissions.

Application Authentication (App-Only Requests)

Use the following request to get an app-only access token:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}
client_secret={client_secret}
grant_type=client_credentials
scope=https://graph.microsoft.com/.default

Because this is the client_credentials flow, the resulting token carries the roles claim listing the application permissions granted to the app.

Actual Fix Based on Personal Experience

Whatever fixes you apply from the steps above, the issue will not go away. What you actually need to do is change the Graph API permission type shown below from “Delegated” to “Application”. Until a few months ago this worked with the delegated permission type, but after Microsoft's latest updates it no longer works when you call your API with a token generated that way; the permissions have to be changed to the application type. After that, the same API starts working from Postman, Copilot Studio, Power Automate, or any other application.

API Permissions in Azure App Registration

Now, I have removed the delegated type Graph API permissions and added them to the application permissions type, then granted admin consent.

Follow this navigation to create Graph permission with the application type:

Click the “+ Add a permission” link, then click the Microsoft Graph link. When asked “What type of permissions does your application require?”, click “Application permissions”.

What type of permissions does your application require in Azure

Then, select your needed permissions. For example, I have selected the below permissions:

  • Sites.Read.All
  • User.Read.All

Then, grant admin consent; finally, your Graph API permissions should look like below:

Azure Graph API permissions with Application Type

Now, go to your Postman tool, create a new access token, and execute the same endpoint where you were getting the “Either scp or roles claim need to be present in the token” error. This time you will not get the error; as you can see, I got a “200 OK” response.

Either scp or roles claim need to be present in the token issue fixed

Let us understand what the delegated and application API permission types are.

Request API Permissions Types: Delegated vs. Application

In Azure App Registrations, when adding API permissions for Microsoft Graph API (or other APIs), you are asked:

What type of permissions does your application require?

This presents two options:

  • Delegated Permissions
  • Application Permissions

Let’s understand the difference between them and when to use each.

1️⃣ Delegated Permissions (User-Based Access)

Definition:

  • Delegated permissions are used when an application acts on behalf of a signed-in user.
  • The app inherits the user’s permissions and cannot access resources beyond what the user is allowed to access.

Example Use Cases:

  • A Copilot Studio bot that fetches SharePoint files for a signed-in user.
  • A Power Automate flow that retrieves a user’s emails from Outlook.
  • A web application that allows users to sign in and view their Microsoft 365 calendar.

How It Works:

  • The user signs in to Azure AD.
  • The app requests an access token on behalf of the user.
  • The access token includes an scp (scope) claim with the allowed actions.

Example of an Access Token Claim for Delegated Permissions:

{
"scp": "User.Read Files.Read.All"
}

Here, User.Read and Files.Read.All mean the app can read user profile and OneDrive files based on the user’s access level.

Key Point: The app can only perform actions that the signed-in user has permission for.

2️⃣ Application Permissions (App-Only Access)

Definition:

  • Application permissions are used when an app runs without a signed-in user.
  • The app gets full access to resources (such as SharePoint, Teams, or OneDrive) without requiring user login.

Example Use Cases:

  • A background service that syncs data between SharePoint and an external database.
  • A Power Automate scheduled flow that automatically exports SharePoint files.
  • A reporting tool that pulls all users’ Microsoft 365 usage analytics.

How It Works:

  • The app authenticates using client credentials (client ID + client secret or certificate).
  • The access token includes a roles claim instead of scp.

Example of an Access Token Claim for Application Permissions:

{
"roles": ["Sites.Read.All", "Mail.ReadWrite.All"]
}

Here, Sites.Read.All allows the app to read all SharePoint sites, and Mail.ReadWrite.All allows full access to all mailboxes.

Key Point: The app acts as a fully privileged background process, not as a user.

Comparison Table: Delegated vs. Application Permissions

Feature                  | Delegated Permissions                    | Application Permissions
-------------------------|------------------------------------------|---------------------------------------------------
Requires User Sign-In?   | ✅ Yes                                   | ❌ No
Acts on Behalf of User?  | ✅ Yes                                   | ❌ No
Has Full Admin Access?   | ❌ No (limited by user permissions)      | ✅ Yes (granted by admin)
Used in Copilot Studio?  | ✅ Yes                                   | ❌ No
Used in Power Automate?  | ✅ Yes (manual flows)                    | ✅ Yes (background flows)
Use Case Example         | A user fetching their SharePoint files   | A background process scanning all SharePoint sites
Token Contains?          | scp (scopes claim)                       | roles (roles claim)
Requires Admin Consent?  | ✅ Sometimes                             | ✅ Always

When to Choose Delegated vs. Application Permissions?

✅ Use Delegated Permissions When:

  • Your app requires a signed-in user.
  • You want to limit access to what the user has access to.
  • Example: A Copilot Studio bot retrieving a SharePoint file for a logged-in user.

✅ Use Application Permissions When:

  • Your app runs in the background without user interaction.
  • You need to access all resources, not just what a specific user can access.
  • Example: A Power Automate flow that reads all SharePoint sites to generate a report.

How to Add API Permissions in Azure App Registration?

1️⃣ Go to Azure Portal → Azure Active Directory
2️⃣ Click App Registrations → Select Your App
3️⃣ Click API Permissions → Add a Permission
4️⃣ Select Microsoft Graph (or another API like SharePoint)
5️⃣ Choose either:

  • Delegated Permissions → Select the needed permissions
  • Application Permissions → Select the needed permissions

6️⃣ Click Grant Admin Consent (Required for Application Permissions)

Done! Your app now has the correct API permissions.

Final Thoughts – Delegated Permissions or Application Permissions?

  • Delegated Permissions = Used for apps that act on behalf of a user.
  • Application Permissions = Used for background apps that run without a user.
  • Admin consent is required for application permissions and some delegated permissions.

Understanding the difference is key to successfully integrating Microsoft Graph API, Power Automate, and Copilot Studio!

Conclusion

Thus, in this article, we have learned how to fix the 403 Forbidden / Access Denied error “Either scp or roles claim need to be present in the token.” using the Azure App registration and the Postman tool.

The "Either scp or roles claim need to be present in the token" error is common when working with Microsoft Graph API in Copilot Studio, Power Automate, or Azure App Services.

Summary of Fixes:

1️⃣ Decode the token using jwt.ms and check scp or roles.
2️⃣ Add correct API permissions in Azure AD and grant admin consent.
3️⃣ Use the correct OAuth flow (Delegated vs Application).
4️⃣ Validate the token and test API calls using Postman or Graph Explorer.

By following these steps, you can successfully authenticate and call Microsoft Graph API without permission errors.
