Low severityauthentication
Power BI Error:
AADSTS700022, multiple resources in scope parameter
What does this error mean?
The OAuth 2.0 scope parameter contains scopes from more than one resource (audience), which v1.0 endpoints don't allow.
Common causes
- 1Scope parameter mixes scopes from two APIs, e.g. `https://analysis.windows.net/powerbi/api/.default` together with `https://graph.microsoft.com/.default`
- 2Custom app combining Power BI REST and Microsoft Graph permissions in one acquireToken call instead of one per resource
- 3Migration from v1.0 to v2.0 endpoint where developers concatenated `resource` values into `scope` instead of issuing separate requests
- 4MSAL/ADAL client requesting `.default` for multiple resources in a single `AcquireTokenSilent`/`AcquireTokenForClient` call
- 5Copy-pasted scope string from documentation that accidentally combined Fabric, Power BI and Graph scopes
How to fix it
- 1Inspect the failing auth request and list every scope sent — confirm they all share the same resource host (e.g. all `https://analysis.windows.net/powerbi/api/*` OR all `https://graph.microsoft.com/*`, never mixed)
- 2Refactor the code to call `AcquireTokenForClient` / `acquireTokenSilent` once per resource: one call for Power BI scopes, a separate call for Graph scopes, each returning its own access token
- 3If using ADAL (v1.0), migrate to MSAL and replace the single `resource` parameter with per-resource `.default` scope requests
- 4For service principals against Power BI/Fabric, use only `https://analysis.windows.net/powerbi/api/.default` — admin-consented API permissions on the app registration handle the actual granted rights, not the scope string
- 5Verify in Entra ID portal → App registrations → API permissions that the required permissions exist and are admin-consented, so each resource-specific token request actually succeeds after the split