# NoPermissionsInAccessToken when calling /me endpoint
10
10
11
-
This article discusses an issue in which the you receive a `NoPermissionsInAccessToken` error message when you call the `/me` endpoint in Microsoft Graph. This article also explains why you can't call the `/me` endpoint by using a token that's acquired through the client credentials grant flow.
11
+
This article discusses an issue in which you receive a `NoPermissionsInAccessToken` error message when you call the `/me` endpoint in Microsoft Graph. This article also explains why you can't call the `/me` endpoint by using a token that is acquired through the client credentials grant flow.
12
12
13
13
## Symptoms
14
14
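Review bot: Contraction handling on the added line 11 is inconsistent with the rest of this commit: it expands "that's acquired" to "that is acquired", but the added line 35 in the Cause section still reads "a token that's generated". If the intent is to drop contractions, apply it to both sentences; otherwise keep the original "that's" here and limit this line to the "the you receive" fix.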
@@ -32,9 +32,9 @@ When you try to call the `/me` endpoint from your Microsoft Entra ID-based appli
32
32
33
33
## Cause
34
34
35
-
The `/me` endpoint is designed to enable signed-in users to retrieve their own information. To call the `/me` endpoint, you must provide some user context because the endpont uses delegated permissions. This means that a token that's generated by using the client credentials grant flow can't use the `/me` endpoint because the user context information is absent.
35
+
The `/me` endpoint is designed to enable signed-in users to retrieve their own information. To call the `/me` endpoint, you must provide some user context because the endpint uses delegated permissions. That is, a token that's generated by using the client credentials grant flow can't use the `/me` endpoint because the user context information is absent.
36
36
37
-
Tokens that are obtained by using the client credentials grant flow represent application identities, not user identities. These tokens contain a **roles** claim for application permissions instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it impossible for the `/me` endpoint to determine the user who's associated with the request.
37
+
Tokens that are obtained by using the client credentials grant flow represent application identities, not user identities. These tokens contain a **roles** claim for application permissions instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it impossible for the `/me` endpoint to determine the user who is associated with the request.
38
38
39
39
### Example tokens
40
40
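Review bot: The added line 35 still misspells the word it was meant to correct: "endpont" became "endpint", so the typo remains. The clause should read "because the endpoint uses delegated permissions". The other changes in this hunk ("That is," and "who is associated") read fine.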
@@ -46,13 +46,13 @@ This token is granted by using delegated flow to which a user signed in. It cont
46
46
47
47
**Token with application identity (client_credentials grant flow)**
48
48
49
-
This token is generated by using the client credentials grant flow. It doesn't contain user-specific information. Insead, it contains a `roles` claim for application permissions.
49
+
This token is generated by using the client credentials grant flow. It doesn't contain user-specific information. Instead, it contains a `roles` claim for application permissions.
50
50
51
51
:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-application-context.png" alt-text="Screenshot that shows an application token example." lightbox="media/error-call-me-endpoint-microsoft-graph/token-application-context.png":::
52
52
53
53
## Solution
54
54
55
-
When you use the client credentials grant flow in your application, you must use the `/users` endpoint instead of the `/me` endpoint. This enables you to retrieve user-specific information by using application tokens.
55
+
When you use the client credentials grant flow in your application, you must use the `/users` endpoint instead of the `/me` endpoint. The `/users` endpoint enables you to retrieve user-specific information by using application tokens.
56
56
57
57
For example, if you want to call `GET https://graph.microsoft.com/v1.0/me/memberOf` to generate a list of groups that a user is a member of, use the following method:
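Review bot: Claim-name formatting on line 49 does not match the Cause section: here the claim is written as `roles` in code style, while line 37 uses bold **roles** and leaves scp unformatted. Since this commit already touches both paragraphs, use code formatting for `roles` and `scp` in both places so that readers can match the names against the claims in a decoded token.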