Microsoft AD spoke issue: Error while running the "Add User to Group" action against AD

Issue

Even after following all the steps in the documentation below and adding permissions on the AD (Active Directory) side, you see the error code "Authorization_AccessDenied" when trying to perform any action through the Graph API (Application Programming Interface).

https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/administer/integrationhub-store-spokes/task/set-up-azure.html

Add permissions to access the APIs. Ensure that you provide these permissions:

Permission                    Type
Directory.AccessAsUser.All    Delegated
Directory.Read.All            Delegated
Directory.ReadWrite.All       Delegated
User.Read                     Delegated
offline_access                Delegated
Directory.Read.All            Application
Directory.ReadWrite.All       Application

Cause

This is because the generated OAuth token has no permissions to perform the action against AD.

Resolution

Add the scope below to the OAuth entity scopes and the issue will be fixed. This value informs the Microsoft identity platform endpoint that, of all the application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use.

https://graph.microsoft.com/.default

Also, as mentioned in the documentation, you should have the two scopes below in addition to the one above:

offline_access
openid
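
An added diagnostic example, not part of the original article or of ServiceNow's code: it decodes an access token's payload and reports which of the permissions listed above the token lacks. It assumes the token is a JWT that carries delegated permissions in the "scp" claim and application permissions in the "roles" claim; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Permissions from the article's table. offline_access and openid are left out
# (assumption: they are not needed in the access token for the Graph call itself).
REQUIRED_DELEGATED = {"Directory.AccessAsUser.All", "Directory.Read.All",
                      "Directory.ReadWrite.All", "User.Read"}
REQUIRED_APPLICATION = {"Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_permissions(access_token: str) -> dict:
    """Return the permissions from the article's table that the token lacks."""
    claims = token_claims(access_token)
    delegated = set(claims.get("scp", "").split())  # space-separated string
    application = set(claims.get("roles", []))      # JSON array
    # App-only tokens carry roles and no scp; anything else is checked as delegated.
    if application and not delegated:
        return {"kind": "application", "missing": sorted(REQUIRED_APPLICATION - application)}
    return {"kind": "delegated", "missing": sorted(REQUIRED_DELEGATED - delegated)}


def _make_sample(payload: dict) -> str:
    # Builds a constructed, unsigned sample token for the demonstration below.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed samples: one token issued without the directory scopes, one with them.
TOKEN_WITHOUT_SCOPES = _make_sample({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
TOKEN_WITH_SCOPES = _make_sample({"aud": "https://graph.microsoft.com",
                                  "scp": " ".join(sorted(REQUIRED_DELEGATED))})

if __name__ == "__main__":
    print(missing_permissions(TOKEN_WITHOUT_SCOPES))
    print(missing_permissions(TOKEN_WITH_SCOPES))
```

A non-empty "missing" list on a token obtained before the scope change, and an empty one afterwards, confirms that the scope configuration was the cause of the Authorization_AccessDenied error.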