MicrosoftDocs
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 67 additions & 0 deletions b/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB
diff --git a/‎support/power-platform/power-apps/connections/best-practices-when-updating-a-flow.md‎
Lines changed: 10 additions & 8 deletions b/‎support/power-platform/power-apps/connections/best-practices-when-updating-a-flow.md‎
Lines changed: 10 additions & 8 deletions
@@ -0,0 +1,67 @@
+---
+title: NoPermissionsInAccessToken when calling me endpoint in Microsoft Graph
+description: Describes an issue in which you receive `NoPermissionsInAccessToken` error when you call `/me` endpoint in Microsoft Graph.
+ms.date: 04/03/2025
+ms.service: entra-id
+ms.author: bhvootla
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: nualex,vganga,adoyle,custorod
+---
+# NoPermissionsInAccessToken when calling /me endpoint
+
+This article discusses an issue in which you receive a `NoPermissionsInAccessToken` error message when you call the `/me` endpoint in Microsoft Graph. This article also explains why you can't call the `/me` endpoint by using a token that is acquired through the client credentials grant flow.
+
+## Symptoms
+
+When you try to call the `/me` endpoint from your Microsoft Entra ID-based application that uses [client credentials grant flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow), you receive the following error message:
+
+```output
+{
+"error": {
+"code": "NoPermissionsInAccessToken",
+"message": "The token contains no permissions, or permissions can not be understood.",
+"innerError": {
+"oAuthEventOperationId": "48f66de9-xxx-xxxx1-xxxx-399ea6608ec0",
+"oAuthEventcV": "MkVd0xxxxxvjGFVJkoA.1",
+"errorUrl": "https://aka.ms/autherrors#error-InvalidGrant",
+"requestId": "80f8a0e9-xxxx-xxxx-xxxx-88e5d4bb5bb2",
+"date": "2021-07-30T04:04:38"
+}
+}
+}
+```
+
+## Cause
+
+The `/me` endpoint is designed to enable signed-in users to retrieve their own information. To call the `/me` endpoint, you must provide some user context because the endpoint uses delegated permissions. That is, a token that's generated by using the client credentials grant flow can't use the `/me` endpoint because the user context information is absent.
+
+Tokens that are obtained by using the client credentials grant flow represent application identities, not user identities. These tokens contain a **roles** claim for application permissions instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it impossible for the `/me` endpoint to determine the user who is associated with the request.
+
+### Example tokens
+
+**Token with user context (delegated flow with a user signed in)**
+
+This token is granted by using delegated flow to which a user signed in. It contains user-specific information and a `scp` claim that contains the current user's permissions.
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png" alt-text="Screenshot that shows a delegated token example." lightbox="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png":::
+
+**Token with application identity (client_credentials grant flow)**
+
+This token is generated by using the client credentials grant flow. It doesn't contain user-specific information. Instead, it contains a `roles` claim for application permissions.
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-application-context.png" alt-text="Screenshot that shows an application token example." lightbox="media/error-call-me-endpoint-microsoft-graph/token-application-context.png":::
+
+## Solution
+
+When you use the client credentials grant flow in your application, you must use the `/users` endpoint instead of the `/me` endpoint. The `/users` endpoint enables you to retrieve user-specific information by using application tokens.
+
+For example, if you want to call `GET https://graph.microsoft.com/v1.0/me/memberOf` to generate a list of groups that a user is a member of, use the following method:
+
+1. Obtain an application token by using the client credentials grant flow.
+2. Make sure that the application has the **User.Read.All** permission to query user information.
+3. Use the **users** endpoint to query specific user details. Replace {upn} with the User Principal Name (UPN) or User Object ID of the user.
+    ```HTTP
+    GET https://graph.microsoft.com/v1.0/users/{upn or userID}/memberOf
+    ```
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
@@ -2,7 +2,7 @@
 title: Error codes on Flow run
 description: Describes best practices and steps to mitigate common errors when running Microsoft flows in Power Apps.
 ms.reviewer: mlalavat
-ms.date: 03/01/2024
+ms.date: 04/18/2025
 ms.custom: sap:Connections\Creating or updating connections
 ---
 # Best practices when updating a flow used by a Power App
@@ -173,7 +173,7 @@ The reason is that there might be a change to the flow in the target environment
    > [!NOTE]
    > There can be no unmanaged layers on either the flow or the app because this can cause issues in connection to the flow.
 
-## Error code "NotAllowedConnectionReferenceon" on Flow run
+## Error code "NotAllowedConnectionReference" on Flow run
 
 ```output
     {
@@ -197,6 +197,8 @@ This error means that the app has flow metadata that specifies that a SQL connec
 
 #### Mitigation option 1
 
+Reset the flows in the app:
+
 1. In the source environment, edit the app. Remove and then re-add the flows to the app. Save and publish the changes.
 2. In the target environment, remove all unmanaged layers on the app and flow.
 3. Export the solution and import it into the target environment.
@@ -206,12 +208,12 @@ This error means that the app has flow metadata that specifies that a SQL connec
 
 #### Mitigation option 2
 
-1. Change the connection from **Embedded** to **Invoker**.
-2. Navigate to the flow portal to edit and update the flow settings.
-3. On the flow details page, in the **Run only users** section, select **Edit**.
-4. To update the flow connection source to **Invoker**, select **Provided by run-only user** and save.
-5. To update the flow connection source to **Embedded**, select **Use this connection** and save.
-6. Verify by triggering the flow. You see that the "install flow network" calls now are succeeding.
+Change the connection from **Embedded** to **Invoker**:
+
+1. Navigate to the flow portal to edit and update the flow settings.
+2. On the flow details page, in the **Run only users** section, select **Edit**.
+3. To update the flow connection source to **Invoker**, select **Provided by run-only user** and save.
+4. Verify by triggering the flow. You see that the "install flow network" calls are now successful.
 
 ## Other symptoms