Error AADSTS650053: The application 'XXXX' asked for scope 'Exchange.Manage' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.

Guillaume Dumont 25 Reputation points
2024-03-29T14:30:31.13+00:00

Hi! When I ask for the delegated permission Exchange.Manage on the URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize, I receive the error in this question title. The error says that the permission is asked on the Graph resourceId, but as seen below, the resourceId asked is outlook.office.com (00000002-0000-0ff1-ce00-000000000000). My application has the permission registered (see image below). I tried with scope 00000002-0000-0ff1-ce00-000000000000/Exchange.Manage, ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, https://outlook.office.com/ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c, etc., all with the same error.

I'm using the auth code flow on an app with certificate and no client secrets.

Note that it works when I'm granting those permissions ("https://outlook.office.com/Calendars.Read", "https://outlook.office.com/Contacts.Read", "https://outlook.office.com/Mail.Read", "https://outlook.office.com/MailboxSettings.Read") using the same code.


Accepted answer
  1. Navya 4,395 Reputation points Microsoft Vendor
    2024-04-01T12:55:29.45+00:00

    Hi @Guillaume Dumont

    Thank you for posting this in Microsoft Q&A.

    A token can be acquired for multiple scopes if all those scopes belong to the same resource. For example, in a single request you can acquire a token for the openid and offline_access scopes because they are part of the Graph API resource. The Exchange.Manage scope belongs to the Microsoft 365 Mail API resource. To acquire a token for your API, you will need to make a separate request as it is a completely different resource.

    In my environment, I successfully obtained the authorization code by making the HTTP request below. Please attempt the HTTP request below and let me know of any difficulties you encounter by replying in the comments.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=93f3-e20de961633b
    &response_type=code
    &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
    &response_mode=query
    &scope=Exchange.Manage (or) https://outlook.office.com/Exchange.Manage
    


    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.
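
The one-resource-per-request rule from the accepted answer, as an added example that is not part of the original thread or any Microsoft library: it groups requested scopes by resource and builds one authorize URL per resource. It assumes a scope with no resource prefix resolves to Microsoft Graph, which is what the error in the question title reports; the function names, the all-zero client ID and the sample scope list are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com"  # assumed resource for un-prefixed scopes
OIDC = {"openid", "profile", "email", "offline_access"}  # not tied to one API

def resource_of(scope):
    """Return the resource a scope string targets, or None for OIDC scopes."""
    if scope in OIDC:
        return None
    parts = urlsplit(scope)
    if parts.scheme and parts.netloc:      # e.g. https://outlook.office.com/Mail.Read
        return f"{parts.scheme}://{parts.netloc}".lower()
    if "/" in scope:                       # e.g. <app-id GUID>/Exchange.Manage
        return scope.rsplit("/", 1)[0].lower()
    return GRAPH                           # bare name such as "Exchange.Manage"

def group_by_resource(scopes):
    """Split scopes into {resource: [scopes]} plus the OIDC scopes."""
    groups, oidc = {}, []
    for scope in scopes:
        resource = resource_of(scope)
        if resource is None:
            oidc.append(scope)
        else:
            groups.setdefault(resource, []).append(scope)
    return groups, oidc

def authorize_urls(client_id, redirect_uri, scopes):
    """Build one authorization-code request per resource."""
    groups, oidc = group_by_resource(scopes)
    urls = {}
    for resource, members in groups.items():
        query = urlencode({
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "response_mode": "query",
            "scope": " ".join(oidc + members),
        })
        urls[resource] = f"{AUTHORIZE}?{query}"
    return urls

# Constructed sample: two Outlook scopes, one bare (Graph) scope, two OIDC scopes.
SAMPLE = ["openid", "offline_access", "https://outlook.office.com/Mail.Read",
          "https://outlook.office.com/Exchange.Manage", "User.Read"]

if __name__ == "__main__":
    redirect = "https://login.microsoftonline.com/common/oauth2/nativeclient"
    for res, url in authorize_urls("00000000-0000-0000-0000-000000000000", redirect, SAMPLE).items():
        print(res, "->", url)
```
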


1 additional answer

  1. Yakun Huang 80 Reputation points
    2024-04-01T08:05:39.0766667+00:00

    Hi @Guillaume Dumont,

    Since the permission that needs to be granted, Exchange.Manage, is not a permission for Microsoft Graph, it cannot be granted through a browser when granting that permission, only in the portal.


    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.