One of my customers is using my app, which requires Mail.ReadWrite, Directory.Read.All and User.Read.All:
```ruby
# Delegated sign-in: the end user authorizes the app for their own account.
# Note that the interpolated values (state, redirect_uri, scope) are not URL-encoded here.
def url_for_service(user)
  [
    'https://login.microsoftonline.com/common/oauth2/v2.0/authorize?',
    "client_id=#{ENV['APPLICATION_CLIENT_ID']}",
    "&state=#{user.token}",
    '&response_type=code',
    '&response_mode=query',
    "&redirect_uri=#{ENV['APPLICATION_REDIRECT_URI']}",
    "&scope=#{ENV['AZURE_APPLICATION_SCOPE']}",
    "&prompt=select_account"
  ].join
end

# Tenant-wide admin consent: a tenant administrator grants the app's permissions
# for the whole organization (separate client id and redirect URI settings).
def url_for_admin(state)
  [
    'https://login.microsoftonline.com/',
    'organizations',
    '/v2.0/adminconsent?',
    "client_id=#{ENV['AZURE_APPLICATION_CLIENT_ID']}",
    "&state=#{state}",
    "&redirect_uri=#{ENV['AZURE_ADMIN_APPLICATION_REDIRECT_URI']}",
    "&scope=#{ENV['AZURE_APPLICATION_SCOPE']}"
  ].join
end
```
It's working fine for all customers, but for one customer I was getting the following error when fetching the users list:
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'date': '2024-03-05T14:23:22', 'request-id': '27ae1e9d-8ded-454e-93d6-01b70063d8ce', 'client-request-id': '27ae1e9d-8ded-454e-93d6-01b70063d8ce'}}}
When debugging it, I realized the roles were missing in their JWT token, even though the user who authenticated the external app is a global administrator.
What could be the reason for the roles not appearing inside the JWT token?
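An added diagnostic (not code from the post above) that decodes an Entra ID access token's payload without verifying it and reports which of the app's required Graph permissions are actually present: delegated tokens carry granted scopes in `scp`, application tokens carry app roles in `roles`, and `wids` only lists the signed-in user's directory roles, which do not by themselves grant Graph permissions. The sample token, its tenant id and the role template id in `wids` are constructed placeholders.

```ruby
require 'json'

# Permissions the app needs, as listed in the question.
REQUIRED_SCOPES = %w[Mail.ReadWrite Directory.Read.All User.Read.All].freeze

# base64url -> bytes; JWT segments omit padding, so restore it before decoding.
def base64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

# Returns the decoded JWT payload (claims) as a Hash. No signature check:
# this is for inspecting a token you already trust, not for authenticating it.
def token_claims(jwt)
  parts = jwt.split('.')
  raise ArgumentError, 'not a JWT' unless parts.length == 3
  JSON.parse(base64url_decode(parts[1]))
end

# Compare what the token actually grants against what the app requires.
def diagnose(claims, required = REQUIRED_SCOPES)
  scopes  = (claims['scp'] || '').split          # delegated permissions
  roles   = Array(claims['roles'])               # application permissions
  granted = scopes + roles
  {
    flow: claims.key?('scp') ? :delegated : :application,
    granted: granted,
    missing: required - granted,                 # what admin consent never covered
    directory_roles: Array(claims['wids'])       # Entra role template ids (informational)
  }
end

# Constructed sample: a delegated token where the tenant only consented to
# Mail.ReadWrite and User.Read. Header and signature are placeholders.
def sample_token
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { aud: 'https://graph.microsoft.com',
              tid: '00000000-0000-0000-0000-000000000000',      # placeholder tenant id
              scp: 'Mail.ReadWrite User.Read',
              wids: ['00000000-0000-0000-0000-0000000000aa'] } # placeholder role template id
  enc = ->(h) { [JSON.generate(h)].pack('m0').tr('+/', '-_').delete('=') }
  "#{enc.call(header)}.#{enc.call(payload)}.signature-placeholder"
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(diagnose(token_claims(sample_token)))
end
```

An empty `missing` list with a delegated `flow` means consent is fine and the problem lies elsewhere; a non-empty one points at the admin-consent step for that tenant.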