403 error when calling Graph API endpoint for /users

Asger Busk Breinholm 20 Reputation points
2025-02-20T10:01:24.8533333+00:00

I'm encountering an error where it looks like my application has no permissions even though I have permitted access to call Microsoft Graph in the App Registration.

The graph endpoint I'm trying to reach is: https://graph.microsoft.com/v1.0/users

When I fetch the token for the client it doesn't look like it has any permissions when decoded so it's not a surprise to me that I get a status code of 403, but it's a surprise that it doesn't have any permissions when User.ReadBasic.All should be sufficient.

Here is my process in Postman (my app is a Python app that makes the same calls as the Postman example).

In my Python app I'm using acquire_token_for_client:

from msal import ConfidentialClientApplication
from app.config import Config

client_id = Config.WIManagerClientId
client_secret = Config.WIManagerCertificateKey
authority = Config.AUTHORITY

# Initialize the ConfidentialClientApplication
app_confidential = ConfidentialClientApplication(
    client_id=client_id,
    authority=authority,
    client_credential=client_secret
)

# Acquire a token for client
result = app_confidential.acquire_token_for_client(scopes=['https://graph.microsoft.com/.default'])

Decoded token, where I don't see any "scp": "User.Read User.ReadBasic.All" as I would expect to see:

Taken the token and used for the https://graph.microsoft.com/v1.0/users call:


Accepted answer
  1. Yakun Huang-MSFT 10,400 Reputation points Microsoft Vendor
    2025-02-21T02:37:25.37+00:00

    Hello Asger Busk Breinholm,

    Thank you for reaching out to Microsoft Support!

    The permissions you grant to the app are delegated permissions, so when you obtain the token, you need to use auth code flow. The client credentials flow you use to obtain the tokens is specific to the Application permissions.

    See this document for how to get tokens using auth code flow:

    https://learn.microsoft.com/en-us/graph/auth-v2-user?tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    1 person found this answer helpful.
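The distinction drawn in the accepted answer is visible in the decoded token: delegated permissions are carried in the `scp` claim and application permissions in the `roles` claim. The following is an added example, not code from the original post or from Microsoft; the helper names are hypothetical and the sample tokens are constructed, unsigned stand-ins with assumed claim values.

```python
import base64
import json


def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def graph_permissions(access_token):
    """Report which permission claims a token carries.

    Diagnostic only: the signature is NOT verified here.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = decode_segment(parts[1])
    delegated = claims.get("scp", "").split()    # space-separated string
    application = list(claims.get("roles", []))  # JSON array
    kind = "delegated" if delegated else "application" if application else "none"
    return {"kind": kind, "delegated": delegated, "application": application}


def make_sample_token(claims):
    """Build an unsigned, constructed token so the demo runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "unsigned"])


# Constructed samples (assumed claim values, not tokens from the post).
AUD = "https://graph.microsoft.com"
# Client credentials flow, app registration holds delegated grants only:
CLIENT_CREDS_DELEGATED_ONLY = make_sample_token({"aud": AUD})
# Client credentials flow after an application permission is consented:
CLIENT_CREDS_APP_PERMISSION = make_sample_token({"aud": AUD, "roles": ["User.Read.All"]})
# Auth code flow with the delegated permissions named in the question:
AUTH_CODE_DELEGATED = make_sample_token({"aud": AUD, "scp": "User.Read User.ReadBasic.All"})

if __name__ == "__main__":
    for name in ("CLIENT_CREDS_DELEGATED_ONLY", "CLIENT_CREDS_APP_PERMISSION", "AUTH_CODE_DELEGATED"):
        print(name, graph_permissions(globals()[name]))
```

A result of `none` for a token obtained with `acquire_token_for_client` means no application permission has been granted and consented for the app, which is the state that produces the 403 described in the question.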
