AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python

AADSTS1002012 for Office 365 China #467

Closed guhuajun closed 2 years ago

guhuajun commented 2 years ago

Greetings,

I get an AADSTS1002012 error when working with Office 365 China. After digging through the documentation, it's very difficult to find the right replacement for 'https://graph.microsoft.com/.default'.

{'error': 'invalid_scope', 'error_description': 'AADSTS1002012: The provided value for scope Sites.ReadWrite.All is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: af93426e-24a5-4e0d-a16e-d7a18f724c01\r\nCorrelation ID: 111dc140-a029-402e-b5f6-330807fe0f5d\r\nTimestamp: 2022-03-29 03:14:59Z', 'error_codes': [1002012], 'timestamp': '2022-03-29 03:14:59Z', 'trace_id': 'af93426e-24a5-4e0d-a16e-d7a18f724c01', 'correlation_id': '111dc140-a029-402e-b5f6-330807fe0f5d'}

But luckily, I managed to download the right code sample from the Azure Portal. Please help update the documentation to guide people to the right place. The right scope for China is https://microsoftgraph.chinacloudapi.cn/.default. https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=dotnet#acquiretokenforclient-api

(I marked my app name via Web Developer Tools, no more guessing) [image]

Please feel free to close this issue.

Bonus: Based on the update date, it looks like this is the new endpoints list. https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide

Have a nice day. Greg

guhuajun commented 2 years ago

Closing, as I found the solution myself.

rayluo commented 2 years ago

Hi Greg,

> The right scope for China is https://microsoftgraph.chinacloudapi.cn/.default

MSAL is a token acquisition library. MSAL itself does not have a say in what scope should be used. Scopes are defined by the services that you are going to access.

That being said, if you can provide the doc that you got that correct endpoint from, we are willing to convert this into a Q&A to help others.
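
The scope rule quoted in the error message and the China Graph endpoint named in this thread, as an added example (not code from the thread or from MSAL itself): a pre-flight check for client credential scopes, followed by a token request against the matching cloud. The `AUTHORITY_HOST` values, the function names and the `cloud` parameter are assumptions that do not appear in the issue.

```python
from urllib.parse import urlsplit

# Microsoft Graph resource per cloud; both URLs appear in the issue above.
GRAPH_RESOURCE = {
    "global": "https://graph.microsoft.com",
    "china": "https://microsoftgraph.chinacloudapi.cn",
}
# Assumption: login hosts are not named in the issue; these are the public
# Microsoft Entra ID authority hosts for each cloud.
AUTHORITY_HOST = {
    "global": "login.microsoftonline.com",
    "china": "login.chinacloudapi.cn",
}
SUFFIX = "/.default"


def check_client_credential_scopes(scopes, cloud):
    """Return a list of problems; an empty list means the scopes look usable."""
    graph_hosts = {urlsplit(u).netloc: c for c, u in GRAPH_RESOURCE.items()}
    problems = []
    for scope in scopes:
        if not scope.endswith(SUFFIX):
            # The condition AADSTS1002012 reports, e.g. "Sites.ReadWrite.All".
            problems.append(f"{scope}: needs '<resource>{SUFFIX}' (AADSTS1002012)")
            continue
        host = urlsplit(scope[: -len(SUFFIX)]).netloc
        owner = graph_hosts.get(host)
        if owner is not None and owner != cloud:
            problems.append(
                f"{scope}: Graph resource of the '{owner}' cloud, expected "
                f"{GRAPH_RESOURCE[cloud]}{SUFFIX}"
            )
    return problems


def acquire_graph_token(client_id, client_secret, tenant_id, cloud="china", scopes=None):
    """Client credential flow against the cloud's own authority and Graph."""
    import msal  # imported here so the check above runs without MSAL installed

    scopes = scopes or [GRAPH_RESOURCE[cloud] + SUFFIX]
    problems = check_client_credential_scopes(scopes, cloud)
    if problems:
        raise ValueError("; ".join(problems))
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://{AUTHORITY_HOST[cloud]}/{tenant_id}",
        client_credential=client_secret,
    )
    return app.acquire_token_for_client(scopes=scopes)
```

Scopes for other resources, such as an `api://` application ID URI with `/.default`, pass the check unchanged; only a Graph resource belonging to a different cloud is flagged.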