Microsoft Universal Print: The token does not have one or more required security scopes. Client Credentials Flow

Oskar Berntorp (Novotek Sweden) 10

Hi,

I am working with a solution where a client needs to use Microsoft Universal Print. I am using Microsoft Graph and the client credentials flow. After getting the access token via the credentials instance I have the following error upon making a request to the Graph api: The token does not have one or more required security scopes..

Using the jwt debugger bellow I see no roles claim that I have understood that it should contain.

Questions:

1, Do anyone have a tip on how to overcome this problem?

2, If I understand the documentation of GetTokenAsync correctly the result is cached in the cliet on created with the clientSecretCredential as input?

3, I should not need to assign the token anywhere (the client or options object does not contain any property for it as I understand)?

Bellow is an example of the code that creates a Microsoft graph client. Please note that I do call GetAccess token also just for myself to be able to compare the tokens, just to make sure there are no difference then it comes to the roles claim.

public MicrosoftGraphClient()

{

    try

    {

        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Configuring Graph client, tenantId {azureTenantId} clientId {azureClientId}");

        //accessToken = GetAccessToken();

        var scopes = new[] { "https://graph.microsoft.com/.default" };

        // Multi-tenant apps can use "common",

        // single-tenant apps must use the tenant ID from the Azure portal

        // using Azure.Identity;

        var options = new ClientSecretCredentialOptions

        {

            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,

        };

        // https://learn.microsoft.com/dotnet/api/azure.identity.devicecodecredential

        var clientSecretCredential = new ClientSecretCredential(azureTenantId, azureClientId, azureClientSecret, options);

        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Got Token {clientSecretCredential.GetTokenAsync(new Azure.Core.TokenRequestContext(scopes)).Result.Token}");

        FileLogger.LogToFile($"MicrosoftGraphClient constructor: Got Token {GetAccessToken()}");

        GraphClient = new GraphServiceClient(clientSecretCredential, scopes);

        FileLogger.LogToFile($"MicrosoftGraphClient constructor: The Graph Client were successfully configured and created");

    }

    catch (Exception e)

    {

        FileLogger.LogToFile("Error in" + " " + "MicrosoftGraphClient constructor the Graph client was not created for the following reason:" + " " + e.Message + " " + "InnerException" + " " + e.InnerException + " " + "Exception Details" + " " + e);

    }

}

When I decode the token in the JWT decoder here:

JWT Debugger azurewebsites.net

JWT Debugger

azurewebsites.net

JWT DebuggerJWT DebuggerJWT Debugger JWT DebuggerJWT Debugger JWT Debugger JWT Debugger azurewebsites.net azurewebsites.net

Kindly

Oskar Berntorp

Kristian Falk 26 Reputation points

2024-09-20T07:43:59+00:00

It's not a solution for your problem but I experience the same thing. When using client credentials I get a 403 with "The token does not have one or more required security scopes". The same code works just fine when I log in as a person. I also have all the Application API permissions set in the application in Entra ID and they are granted with admin consent for the tenant.

My token is also missing any groups claim.
Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-25T14:47:25.46+00:00

Hi @Kristian Falk ,

Did you maybe mean roles claim, or do you mean that you are missing both the groups claim and the roles claim?

2 answers

Yakun Huang-MSFT 6,570 Reputation points Microsoft Vendor

2024-09-20T07:26:49.38+00:00

Hi @Oskar Berntorp (Novotek Sweden)

For this error, which is caused by insufficient permissions, you need to grant the appropriate application permissions to the application in Azure AD. You can do this in Azure, as shown below:

The exact permissions depend on the endpoint you need to access.

See this document for more information about client credentials flows.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Please sign in to rate this answer.
Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-24T12:38:28.63+00:00

Hi @Yakun Huang-MSFT ,

I have tested to set different permissions as well as that I have admin consent, but the roles claim is still missing. So from my perspective, the permissions seems right, but I have no roles claim. When this error is shown, what are the permissions needed, is there a link that specifies them? I have followed these bellow steps: 1. Create a print job and store the resulting document ID.1. Create an uploadSession for the document.

Upload bytes to the created upload session.

Start the print job.

Regards Oskar

Kristian Falk 26 Reputation points

2024-09-24T12:52:53.0333333+00:00

I have done some digging, since I have the same problem, and I believe this is how it works:

When using client credentials you do not get any role claims in the token. The permissions is handled in the API in runtime when the claim is "https://graph.microsoft.com/.default"

For me the problem is in the API:s. It turns out that most of the API:s in Universal Print only is available when using Delegated access, not Application access. Even if you can add the permissions in Entra, the API will not accept them.

For example POST /print/shares/{printerShareId}/jobs/{printJobId}/start seems to be available since you can add "PrintJob.ReadWrite.All" as an API permission in Entra, but it's not supported in the API.

Basically, it seems like it's impossible as of today to create print jobs from an Application, it's only available on behalf of a logged in user.

It was previously possible to use the ROPC flow, i.e. authenticate the application as an user with username and password, but this functionality has been removed in MSAL.NET.

Check this out for understanding the actual permissions in the API:

https://graphpermissions.merill.net/permission/PrintJob.Create?tabs=apiv1%2Cprinter1

BR

Kristian Falk

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-24T13:45:07.05+00:00

Hi @Kristian Falk ,

I changed to using the DeviceCredentialFlow, but despite logging in, the jwt token does not contain the roles claim. did it for you? I should say that the permissions are set.

If you where successfull with the DeviceCredentialFlow, what permissions did you need to set, or did you do any further configuration?

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-24T13:48:55.59+00:00

Despite using the DeviceCredentialFlow, I still get the error about missing security scopes, the token had still no roles claim. If this did solve your problem (using the DeviceCredentialFFlow) Did you need any further configuration changes in Azure and what permissions did you need?

Kristian Falk 26 Reputation points

2024-09-24T15:26:37.5366667+00:00

When I log in as myself i get the correct permissions in the "scp" claim.

All the Universal Print API:s also works as expected in Graph Explorer.

The basic problem is that the appropriate API:s aren't available without Delegated access.

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-25T11:15:36.3133333+00:00

Is there any other possible solution to this, as I have tested logging in as myself, using DeviceCredentialFlow.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-25T11:32:35.0466667+00:00
Hi @Yakun Huang-MSFT ,

I have tested to set different permissions as well as that I have admin consent, but the roles claim is still missing. So from my perspective, the permissions seems right, but I have no roles claim. When this error is shown, what are the permissions needed, is there a link that specifies them? I have followed these bellow steps: 1. Create a print job and store the resulting document ID.1. Create an uploadSession for the document.

Upload bytes to the created upload session.

Start the print job.

Regards Oskar
Please sign in to rate this answer.
Yakun Huang-MSFT 6,570 Reputation points Microsoft Vendor

2024-09-26T08:09:55.31+00:00

Please share the parsing result of your token in jwt.ms, so that I can better analyze the problem.

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-26T14:10:56.1166667+00:00

Hi @Yakun Huang-MSFT ,

Here is the response, please note that iss, oid, app_displayname, tid and unique_name were removed as they are confidential.

Header claims { "typ": "JWT", "nonce": "NGCIeqUNNYWwrVU940WoVwsbGKQomdXFKQLL_NudqOg", "alg": "RS256", "x5t": "Mc7l3Iz93g7uwgNeEmmw_WYGPko", "kid": "Mc7l3Iz93g7uwgNeEmmw_WYGPko" } Payload { "aud": "https://graph.microsoft.com", "iss": "", "iat": 1727185557, "nbf": 1727185557, "exp": 1727191040, "acct": 0, "acr": "1", "acrs": [ "urn:user:registersecurityinfo", "c1", "c2", "c3", "c4", "c5" ], "aio": "ATQAy/8YAAAAjNGDIequT13/JdNSgIIOa/DZ5Lx3a5wp9yE/08HC7wuej68Z/N5YfKj7Q4KSDqZl", "amr": [ "pwd" ], "app_displayname": "", "appid": "", "appidacr": "0", "family_name": "Berntorp", "given_name": "Oskar", "idtyp": "user", "ipaddr": "20.31.127.145", "name": "", "oid": "", "onprem_sid": "S-1-5-21-2459691807-791289827-2332436375-77154", "platf": "3", "puid": "100320023BC71813", "rh": "0.AUgAOgkgeWU6ukqNVHayhISglAMAAAAAAAAAwAAAAAAAAAALAWA.", "scp": "openid PrinterShare.ReadWrite.All profile User.Read email", "signin_state": [ "inknownntwk" ], "sub": "y7mcUXXriTy4g0WEaCSPCpa1TiqD6qx80AkR3AY0NXQ", "tenant_region_scope": "EU", "tid": "", "unique_name": "", "upn": "", "uti": "an-PwKoTyEmH1qcyev4hAA", "ver": "1.0", "wids": [ "b79fbf4d-3ef9-4689-8143-76b194e85509" ], "xms_idrel": "1 12", "xms_st": { "sub": "Wn5PK8OQtEbU5B8xAISuKoxiy7Q-OLmhAtbLnpWUb8Q" }, "xms_tcdt": 1459855303, "xms_tdbr": "EU" }

Yakun Huang-MSFT 6,570 Reputation points Microsoft Vendor

2024-09-27T08:50:03.5066667+00:00

Checking your token shows that your token is obtained using Auth code flow, and if you need to have roles claim in the token, you need to use the client credential flow, refer to this documentation.

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-27T09:56:57.0633333+00:00

Hi @Yakun Huang-MSFT ,

New payload, this one is generated by the client credentials flow:

The roles claim is still missing and has been so before, despite using the client credential flow.

Is there a single claim telling what flow was used?
{-

   "aud": "https://graph.microsoft.com",

   "iss": "",

   "iat": 1727430182,

   "nbf": 1727430182,

   "exp": 1727434082,

   "aio": "k2BgYPiqqMGhpajPe3jRtnvhoRFiAA==",

   "app_displayname": "",

   "appid": "",

   "appidacr": "1",

   "idp": "https://sts.windows.net/7920093a-3a65-4aba-8d54-76b28484a094/",

   "idtyp": "app",

   "oid": "",

   "rh": "0.AUgAOgkgeWU6ukqNVHayhISglAMAAAAAAAAAwAAAAAAAAAALAQA.",

   "sub": "a54dc6d5-c4ba-488b-992a-14ab904d979d",

   "tenant_region_scope": "EU",

   "tid": "",

   "uti": "PmPaAgGk7UmzdBzIqjGDAA",

   "ver": "1.0",

   "wids": [-      "0997a1d0-0d1d-4acb-b408-d5ca73121e90"   ],

   "xms_idrel": "18 7",

   "xms_tcdt": 1459855303,

   "xms_tdbr": "EU"

}

Yakun Huang-MSFT 6,570 Reputation points Microsoft Vendor

2024-09-30T02:22:27.46+00:00

After testing, I have replicated your situation, and when an App registered in Azure does not have any application permissions added, the token will be retrieved just like yours, without the roles attribute, as shown below:

Add application permissions to your App in Azure, as shown below:

After reacquiring the token, you have the roles attribute:

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-09-30T07:07:08.4833333+00:00

Hi @Yakun Huang-MSFT ,

The bellow permissions are set, so there must be another reason:

Microsoft Graph

PrinterShare.ReadWrite.All

User.Read

UniversalPrint

PrinterProperties.ReadWrite

Printers.Create

Printers.Read

PrintJob.Read

PrintJob.ReadWriteBasic

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-10-02T14:51:42.61+00:00

Hi @Yakun Huang-MSFT ,

I added some more permissions and one of them where listed in the roles claim. Now thougth, we have changed to the DeviceCodeCredentialFlow, but we still have the same error as before. The user that I have tested to log in has the Universal Print License.

I have also verified in the print section that we now are using the currect permissions in Azure, what permissions or else could there be to check?

I have been able to verify it via: https://learn.microsoft.com/en-us/graph/api/printdocument-createuploadsession?view=graph-rest-1.0&tabs=http

Bellow is a list of the permissions needed, including "Least privileged permissions" and"Higher privileged permissions".

For the upload session these are needed:

PrintJob.Create

To Create a print job these are needed:

PrintJob.Create
PrintJob.ReadWrite

PrintJob.ReadWrite.All

PrintJob.ReadWriteBasic

PrintJob.ReadWriteBasic.All

User.Read is then also set

Despite these permissions i get the error when using DeviceCodeCredential: "The token does not have one or more required security scopes."

Bellow is a sample response:

Header claims { "typ": "JWT", "nonce": "hzASELsr2j8ih_b8btTg36z0W64MKoj48F5yuJmDH4E", "alg": "RS256", "x5t": "Mc7l3Iz93g7uwgNeEmmw_WYGPko", "kid": "Mc7l3Iz93g7uwgNeEmmw_WYGPko" } Payload { "aud": "https://graph.microsoft.com", "iss": "", "iat": 1727791088, "nbf": 1727791088, "exp": 1727795763, "acct": 0, "acr": "1", "acrs": [ "urn:user:registersecurityinfo", "c1", "c2", "c3", "c4", "c5" ], "aio": "ATQAy/8YAAAA7Ili1qSPuI3BH/RX6NOEazc+rijK4zYST6jErWWD3ZKYyxFBU8YNlq4u6uBkkNBq", "amr": [ "pwd" ], "app_displayname": "", "appid": "60b2e375-e060-4161-bc19-0e6829004838", "appidacr": "0", "family_name": "Berntorp", "given_name": "Oskar", "idtyp": "user", "ipaddr": "20.31.127.145", "name": "Berntorp Oskar", "oid": "", "platf": "3", "puid": "1003200238042542", "rh": "0.AUgAOgkgeWU6ukqNVHayhISglAMAAAAAAAAAwAAAAAAAAAALAVI.", "scp": "PrinterShare.ReadWrite.All PrintJob.Create PrintJob.ReadWrite PrintJob.ReadWrite.All PrintJob.ReadWriteBasic PrintJob.ReadWriteBasic.All User.Read profile openid email", "signin_state": [ "inknownntwk" ], "sub": "2comqiedgCLFTe-yAl9bFUnpebXij6FVgLDHNJb-rv4", "tenant_region_scope": "EU", "tid": "", "unique_name": "", "upn": "", "uti": "r-FA7MR0s0u1HPKIgP8lAA", "ver": "1.0", "wids": [ "b79fbf4d-3ef9-4689-8143-76b194e85509" ], "xms_idrel": "1 14", "xms_st": { "sub": "1Eq-_fDZGoSGuSeNYNKddDEY4vCOhxDh4LYHKsH6U-M" }, "xms_tcdt": 1459855303, "xms_tdbr": "EU" }

Kindly

Oskar Berntorp

Oskar Berntorp (Novotek Sweden) 10 Reputation points

2024-10-02T15:07:05.7766667+00:00

Hi @Yakun Huang-MSFT ,

I have verified that the set permissions are currect via: https://learn.microsoft.com/en-us/graph/api/printdocument-createuploadsession?view=graph-rest-1.0&tabs=http

I still get the error "The token does not have one or more required security scopes."

Despite having all these permissions set according to the documentation:

Create Upload Session:

- PrintJob.Create - PrintJob.ReadWrite - PrintJob.ReadWrite.All

Create PrintJob:

- PrintJob.Create - PrintJob.ReadWrite - PrintJob.ReadWrite.All - PrintJob.ReadWriteBasic - PrintJob.ReadWriteBasic.All

To Start a PrintJob:

- PrintJob.Create - PrintJob.ReadWrite - PrintJob.ReadWrite.All - PrintJob.ReadWriteBasic - PrintJob.ReadWriteBasic.All

Bellow is the decoded token response:

Header claims { "typ": "JWT", "nonce": "hzASELsr2j8ih_b8btTg36z0W64MKoj48F5yuJmDH4E", "alg": "RS256", "x5t": "Mc7l3Iz93g7uwgNeEmmw_WYGPko", "kid": "Mc7l3Iz93g7uwgNeEmmw_WYGPko" } Payload { "aud": "https://graph.microsoft.com", "iss": "", "iat": 1727791088, "nbf": 1727791088, "exp": 1727795763, "acct": 0, "acr": "1", "acrs": [ "urn:user:registersecurityinfo", "c1", "c2", "c3", "c4", "c5" ], "aio": "ATQAy/8YAAAA7Ili1qSPuI3BH/RX6NOEazc+rijK4zYST6jErWWD3ZKYyxFBU8YNlq4u6uBkkNBq", "amr": [ "pwd" ], "app_displayname": "", "appid": "60b2e375-e060-4161-bc19-0e6829004838", "appidacr": "0", "family_name": "Berntorp", "given_name": "Oskar", "idtyp": "user", "ipaddr": "20.31.127.145", "name": "Berntorp Oskar", "oid": "", "platf": "3", "puid": "1003200238042542", "rh": "0.AUgAOgkgeWU6ukqNVHayhISglAMAAAAAAAAAwAAAAAAAAAALAVI.", "scp": "PrinterShare.ReadWrite.All PrintJob.Create PrintJob.ReadWrite PrintJob.ReadWrite.All PrintJob.ReadWriteBasic PrintJob.ReadWriteBasic.All User.Read profile openid email", "signin_state": [ "inknownntwk" ], "sub": "2comqiedgCLFTe-yAl9bFUnpebXij6FVgLDHNJb-rv4", "tenant_region_scope": "EU", "tid": "", "unique_name": "", "upn": "", "uti": "r-FA7MR0s0u1HPKIgP8lAA", "ver": "1.0", "wids": [ "b79fbf4d-3ef9-4689-8143-76b194e85509" ], "xms_idrel": "1 14", "xms_st": { "sub": "1Eq-_fDZGoSGuSeNYNKddDEY4vCOhxDh4LYHKsH6U-M" }, "xms_tcdt": 1459855303, "xms_tdbr": "EU" }

Kind Regards

Oskar Berntorp
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Microsoft Universal Print: The token does not have one or more required security scopes. Client Credentials Flow

2 answers

Your answer