Someone in our Discord server reached out to us because he encountered issues when trying to list Power Automate flows. The person was using his own app registration but encountered permission issues.
When you run cli doctor, all scopes are listed, but I noticed that this was not really helping here.
All scopes of every token are listed here and they are all mixed together. It's not clear which scope belongs to which resource. Scopes can be listed more than once. For example, quite a few APIs implement the scope user_impersonation, or the scope AllSites.FullControl is both a Graph scope and a SharePoint scope. Currently, we have no clue for which resources this scope was granted.
I suggest that we change the output a bit. Let's list all resources with their approved scopes. In this case, it will be easier to validate which scopes were consented by the user.
Example of how it looks now:
{
  "scopes": [
    "AllSites.FullControl",
    "AppCatalog.ReadWrite.All",
    "AuditLog.Read.All",
    "AllSites.FullControl",
    "ActivityFeed.Read",
    "ServiceHealth.Read",
    "user_impersonation"
  ]
}
Example of how it could look:
{
  "scopes": {
    "https://graph.microsoft.com": [
      "AllSites.FullControl",
      "AppCatalog.ReadWrite.All",
      "AuditLog.Read.All"
    ],
    "https://contoso.sharepoint.com": [
      "AllSites.FullControl"
    ],
    "https://manage.office.com": [
      "ActivityFeed.Read",
      "ServiceHealth.Read"
    ],
    "https://management.azure.com": [
      "user_impersonation"
    ]
  }
}
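One way to produce the grouped output proposed above, as an added example that is not part of the original issue and not the CLI's own code. It assumes each cached access token is a Microsoft Entra ID JWT carrying the resource in `aud` and the delegated scopes as a space-separated `scp` claim; the function names and sample tokens are hypothetical.

```javascript
// Added example: group delegated scopes by the resource each token was issued for.
// Decoding only: the signature is NOT verified, so use this for diagnostics, never for authorization.

// Decode the payload (second segment) of a JWT; returns null when the token is malformed.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) {
    return null;
  }
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Build { resource: [scopes] } from a list of access tokens.
function scopesByResource(accessTokens) {
  const grouped = {};
  for (const token of accessTokens) {
    const payload = decodeJwtPayload(token);
    if (!payload || typeof payload.aud !== 'string') {
      continue; // skip anything that is not a decodable access token
    }
    // "https://x/" and "https://x" name the same resource
    const resource = payload.aud.replace(/\/+$/, '');
    const scopes = typeof payload.scp === 'string' ? payload.scp.split(' ').filter(Boolean) : [];
    const known = new Set(grouped[resource] || []);
    scopes.forEach(s => known.add(s));
    grouped[resource] = [...known].sort();
  }
  return grouped;
}

// Constructed sample tokens (unsigned, placeholder signature) mirroring resources from the issue.
function fakeToken(aud, scp) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ aud, scp })}.sig`;
}

const sampleTokens = [
  fakeToken('https://graph.microsoft.com', 'AllSites.FullControl AppCatalog.ReadWrite.All AuditLog.Read.All'),
  fakeToken('https://contoso.sharepoint.com', 'AllSites.FullControl'),
  fakeToken('https://management.azure.com/', 'user_impersonation'),
  'not-a-jwt'
];

console.log(JSON.stringify({ scopes: scopesByResource(sampleTokens) }, null, 2));
```

In v2.0 tokens the `aud` claim can be an application ID rather than a URL, in which case the grouping key is that GUID.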