Azure OAuth Login - Was working, now getting AADSTS700022 / AADSTS700023 Errors


AADSTS700023: The provided value for the input parameter scope cannot be empty when requesting an access token using the provided authorization code. Please specify a valid scope.

When acquiring a token to access a resource in Azure AD v2.0, you need to specify the scope parameter, which indicates which resource and permissions the app is requesting authorization for. Please refer to how the OAuth 2.0 Authorization Code Flow works in Azure AD v2.0.

AADSTS700022: The provided value for the input parameter scope is not valid because it contains more than one resource. The scope https://outlook.office.com/mail.send mail.readwrite calendars.readwrite tasks.readwrite contacts.readwrite openid profile offline_access is not valid.

An access token issued from Azure AD is only available for one resource; you can't use the same token to access multiple resources. That means you should specify one resource's scopes in your token request. Looking into your scopes:

  • https://outlook.office.com/mail.send is the scope of Office 365 Unified Mail API
  • mail.readwrite calendars.readwrite tasks.readwrite contacts.readwrite are the scopes of Microsoft Graph API.

You can't acquire an access token to access two resources. You can request the Mail.Send scope to send mail using the Microsoft Graph API instead of using the scope of the O365 mail REST API.


The answer to this is as Nan Yu alluded to: for some reason the call had been working for the past couple of months, but you now can't get a token to cover multiple resources (i.e. Graph and Outlook APIs). The solution is to request authentication for a combined scope of both APIs and, once you've got that, request separate tokens for the Graph and Outlook APIs.

We've done that and are storing the tokens separately and then when an API Call is made, detecting which API is being used and passing the appropriate token with the API Call.
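The per-resource split described in the answers above, as an added example that is not code from either poster: it groups the scope string from the AADSTS700022 message by resource, builds one token request body per resource, and selects the stored token by exact scheme and host so a token is never sent to a lookalike hostname. Assumptions: the separate tokens are obtained with the standard OAuth 2.0 `refresh_token` grant, the function names and the `client_id` / `refresh_token` values are hypothetical, and short scope names resolve to Microsoft Graph.

```python
from urllib.parse import urlsplit

GRAPH = "https://graph.microsoft.com"
# OpenID Connect scopes are not tied to a resource and may accompany any request.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def split_scopes_by_resource(scope: str) -> dict[str, list[str]]:
    """Group a space-separated v2.0 scope string by the resource each scope targets."""
    groups: dict[str, list[str]] = {}
    for s in scope.split():
        if s.lower() in OIDC_SCOPES:
            continue
        if "://" in s:
            parts = urlsplit(s)
            resource = f"{parts.scheme}://{parts.netloc}".lower()
        else:
            # Assumption: a short name has no resource identifier and means Microsoft Graph.
            resource = GRAPH
        groups.setdefault(resource, []).append(s)
    return groups


def refresh_requests(scope: str, refresh_token: str, client_id: str) -> dict[str, dict[str, str]]:
    """Build one refresh_token grant body per resource, so each request names one resource."""
    return {
        resource: {
            "grant_type": "refresh_token",
            "client_id": client_id,          # placeholder supplied by the caller
            "refresh_token": refresh_token,  # placeholder supplied by the caller
            "scope": " ".join(scopes + ["offline_access"]),
        }
        for resource, scopes in split_scopes_by_resource(scope).items()
    }


def token_for(url: str, tokens: dict[str, str]) -> str:
    """Pick the stored token whose resource matches the call's scheme and host exactly."""
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}".lower()
    if origin not in tokens:
        # Exact match only: a substring test would accept outlook.office.com.<other-domain>.
        raise LookupError(f"no access token held for {origin}")
    return tokens[origin]


# Constructed sample: the scope string quoted in the AADSTS700022 message above.
SAMPLE = ("https://outlook.office.com/mail.send mail.readwrite calendars.readwrite "
          "tasks.readwrite contacts.readwrite openid profile offline_access")
```

A confidential client would add its credential to each request body before posting it to the token endpoint.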