Restore Failure for Entra ID Conditional Access Policies with error: "You cannot perform the requested operation, required scopes are missing in the token."

Overview

During Entra ID (formerly Azure AD) restore operations—specifically for Conditional Access Policies (CAP)—restore jobs may fail even if the account appears to have the correct permissions in the Microsoft Entra portal. This issue is frequently identified during Disaster Recovery (DR) testing or after security updates to the tenant.


Symptom

The restore job for a Conditional Access Policy fails repeatedly with the error “You cannot perform the requested operation, required scopes are missing in the token.” The Druva job logs will display the following authorization error:

Error Sample:

{'code': 'AccessDenied', 'message': 'You cannot perform the requested operation, required scopes are missing in the token.'}


The Cause

Even if the Druva App status is "Connected," the active OAuth token held by Druva may lack the specific API "scopes" required to write or recreate Conditional Access Policies. This typically occurs when:

  • Permissions were modified or added in the Entra portal, but not "refreshed" within Druva.

  • Microsoft has updated the required API endpoints for Conditional Access, requiring a new token exchange to acknowledge the updated scopes.


Resolution

To resolve this, you must force a fresh token exchange by re-authenticating the Druva Entra ID application.

Step 1: Re-authenticate the Druva App

  1. Log in to the Druva Admin Console.

  2. Navigate to Microsoft 365 > Entra ID.

  3. Locate the affected tenant and select the option to Re-install the Druva Entra ID application.

  4. When prompted by Microsoft, sign in using a Global Administrator account.

  5. Review the requested permissions and click Accept to grant the necessary scopes.

Step 2: Verify Necessary Scopes

During the re-authentication, ensure the following Microsoft Graph API permissions are granted:

  • Policy.ReadWrite.ConditionalAccess

  • Policy.Read.All

  • Directory.ReadWrite.All
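The error in this article is raised because the access token Druva presents to Microsoft Graph does not carry the permissions listed above, so the most direct check is to look at the token's own claims rather than at the app registration in the portal. The following script is an added example and is not Druva's code or part of this article's procedure; it assumes an Entra-issued Graph access token in compact JWT form, where delegated permissions appear in the space-separated `scp` claim and application permissions in the `roles` list. The two sample tokens are constructed inline (unsigned, for demonstration only); a real token would be obtained from your own tooling.

```python
import base64
import json

# Graph permissions this article lists as required for restoring Conditional Access Policies
REQUIRED_SCOPES = {
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "Directory.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_permissions(token: str) -> set:
    """Return the set of permissions carried in an access token's payload.

    Only the payload is parsed; the signature is NOT verified, so this is for
    inspecting a token you already hold, never for making an authorization decision.
    Delegated permissions arrive in the space-separated 'scp' claim, application
    permissions in the 'roles' list claim; either or both may be present.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    perms = set()
    scp = payload.get("scp")
    if isinstance(scp, str):
        perms.update(scp.split())
    roles = payload.get("roles")
    if isinstance(roles, list):
        perms.update(roles)
    return perms


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Permissions from `required` that the token lacks; an empty set means the token is sufficient."""
    return set(required) - token_permissions(token)


def _make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED demo token: real header shape, but an empty signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc(header)}.{enc(claims)}."


# Constructed sample: a token that still carries only read permissions, as held
# after permissions were changed in the portal but before re-authentication.
STALE_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Policy.Read.All User.Read",
})

# Constructed sample: a token minted after re-consent, carrying all three permissions.
FRESH_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Policy.Read.All Policy.ReadWrite.ConditionalAccess Directory.ReadWrite.All",
})

# Constructed sample: the same permissions granted as application roles instead.
ROLES_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    for name, tok in (("stale", STALE_TOKEN), ("fresh", FRESH_TOKEN), ("roles", ROLES_TOKEN)):
        gap = missing_scopes(tok)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

A token that reports missing permissions here will produce exactly the `AccessDenied` response shown in the Symptom section no matter what the portal displays, which is why the fix is a fresh token exchange rather than another portal edit. Signature verification is deliberately left out: the purpose is to read the claims of a token you already possess, and any authorization decision must still be made by Graph itself.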

Step 3: Retry the Restore

  1. Return to the Druva Entra ID Restore interface.

  2. Select the deleted Conditional Access Policy.

  3. Initiate the restore job again.

  4. Confirm the job completes successfully without the AccessDenied error.


Escalation Path

If the restore failure persists after successful re-authentication, please contact Druva Support for further analysis.