MicrosoftDocs
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 67 additions & 0 deletions b/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB
@@ -0,0 +1,67 @@
+---
+title: NoPermissionsInAccessToken when calling me endpoint in Microsoft Graph
+description: Describes an issue in which you receive `NoPermissionsInAccessToken` error when you call `/me` endpoint in Microsoft Graph.
+ms.date: 04/03/2025
+ms.service: entra-id
+ms.author: bhvootla
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: nualex,vganga,adoyle,custorod
+---
+# NoPermissionsInAccessToken when calling /me endpoint
+
+This article discusses an issue in which you receive a `NoPermissionsInAccessToken` error message when you call the `/me` endpoint in Microsoft Graph. This article also explains why you can't call the `/me` endpoint by using a token that is acquired through the client credentials grant flow.
+
+## Symptoms
+
+When you try to call the `/me` endpoint from your Microsoft Entra ID-based application that uses [client credentials grant flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow), you receive the following error message:
+
+```output
+{
+"error": {
+"code": "NoPermissionsInAccessToken",
+"message": "The token contains no permissions, or permissions can not be understood.",
+"innerError": {
+"oAuthEventOperationId": "48f66de9-xxx-xxxx1-xxxx-399ea6608ec0",
+"oAuthEventcV": "MkVd0xxxxxvjGFVJkoA.1",
+"errorUrl": "https://aka.ms/autherrors#error-InvalidGrant",
+"requestId": "80f8a0e9-xxxx-xxxx-xxxx-88e5d4bb5bb2",
+"date": "2021-07-30T04:04:38"
+}
+}
+}
+```
+
+## Cause
+
+The `/me` endpoint is designed to enable signed-in users to retrieve their own information. To call the `/me` endpoint, you must provide some user context because the endpoint uses delegated permissions. That is, a token that's generated by using the client credentials grant flow can't use the `/me` endpoint because the user context information is absent.
+
+Tokens that are obtained by using the client credentials grant flow represent application identities, not user identities. These tokens contain a **roles** claim for application permissions instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it impossible for the `/me` endpoint to determine the user who is associated with the request.
+
+### Example tokens
+
+**Token with user context (delegated flow with a user signed in)**
+
+This token is granted by using delegated flow to which a user signed in. It contains user-specific information and a `scp` claim that contains the current user's permissions.
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png" alt-text="Screenshot that shows a delegated token example." lightbox="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png":::
+
+**Token with application identity (client_credentials grant flow)**
+
+This token is generated by using the client credentials grant flow. It doesn't contain user-specific information. Instead, it contains a `roles` claim for application permissions.
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-application-context.png" alt-text="Screenshot that shows an application token example." lightbox="media/error-call-me-endpoint-microsoft-graph/token-application-context.png":::
+
+## Solution
+
+When you use the client credentials grant flow in your application, you must use the `/users` endpoint instead of the `/me` endpoint. The `/users` endpoint enables you to retrieve user-specific information by using application tokens.
+
+For example, if you want to call `GET https://graph.microsoft.com/v1.0/me/memberOf` to generate a list of groups that a user is a member of, use the following method:
+
+1. Obtain an application token by using the client credentials grant flow.
+2. Make sure that the application has the **User.Read.All** permission to query user information.
+3. Use the **users** endpoint to query specific user details. Replace {upn} with the User Principal Name (UPN) or User Object ID of the user.
+    ```HTTP
+    GET https://graph.microsoft.com/v1.0/users/{upn or userID}/memberOf
+    ```
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]