![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 52%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,284 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hi Manoj S,
Based on your query, here is my understanding: You have configured an application registration and while accessing the application, you received the following.
The errors displayed for app registration when the requested scope is either /default or does not provide right scope to retrieve access token. As per this document, you have registered an application in Entra where you need to slight changes in order to avoid the error. (The application you registered will be mentioned in this solution as Main application in this solution. Wherever you see my mention as Main application that means we are talking about the application you configured using the above document.)
Please follow this document and configure a Web API and make it as an Organization API with the required permissions to your application: Configure an application to expose a web API.
Now you need to go through the following document, to add it as an API for your Main application:
Add permissions to access your web API.
Steps to perform using the following document in your Main Application:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- If you have access to multiple tenants, use the Settings icon
in the top menu to switch to the tenant containing the app registration from the Directories + subscriptions menu. - Browse to Identity > Applications > App registrations, and then select your Main application (not your web API).
- Select API permissions, then Add a permission and select My APIs in the sidebar.
- Select the web API you registered as part of the prerequisites, and select Delegated permissions
- Under Select permissions, expand the resource whose scopes you defined for your web API, and select the permissions the client app should have on behalf of the signed-in user.
- Select Add permissions and Grant admin consent to complete the process.
Once the process is done you can now try authentication of the application and check the scenario.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"