I'm having a bit of a difficult time trying to figure out what I'm doing wrong. I've registered an application with Azure portal and I keep getting a 403 error after the Oauth2 is completed and when I request the user data when hitting https://graph.microsoft.com/v1.0/me
Full error:
Client error: `GET https://graph.microsoft.com/v1.0/me` resulted in a `403 Forbidden` response:
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-11-29T21:40:18","request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451","client-request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451"}}}
I'm using the PHP SDK to do this, and I had it working with another app but with this new app I can't seem to do it.
This is the API Permissions I have available for the Application:
There are so many permissions, i'm not sure why I'm getting 403? I don't see what scope I'm missing? On the PHP SDK side, I've included all the scopes as in the image.
I tried to reproduce the same in my environment.
Here I used client credential flow to get the token
I tried to query the graph /me end point , it requires delegated authentication .
Calling the https://graph.microsoft.com/me endpoint needs a signed-in user and so a delegated permission.
So even if the delegated permission is given , if client credentials flow is used as grant_typy , there will be 403 forbidden error.
I tried the same with authorization code flow and could sign in user and get details successfully.
Another criteria ,I tried the same for users endpoint
https://graph.microsoft.com/v1.0/users
Required permissions:
Here the admin consent is not granted for the User.Read.All application permission
Make sure the application permissions required for your query are granted admin consent directly through portal or during authentication of user account with which the query is made.
Then the request can be queried successfully.
Reference: Get a user - Microsoft Graph v1.0 | Microsoft Learn
Related
Registered the App in Azure AD and followed client credentials grant.
Implemented the below to fetch the access token
https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console
Implemented the below to validate the access token
https://github.com/playerony/validate-azure-ad-token
While running the validate azure ad token, experiencing this error "Error: The token's payload does not contain "scp" property". Need help in resolving the same.
Establishing API1(client end) accessing another API2(server end) on different platform. Registered API2 on Azure AD and defined client secrets. As provided the implementation links for fetching the access token and validating the access token, i am seeing "Error: The token's payload does not contain "scp" property".
The error , the token's payload does not contain "scp" property" occurs when application permissions are not granted admin consent by Administrator.
I did not receive scopes which are nothing but roles when application permissions are given.
It Is because they are not granted admin consent.
When they are given a proper consent through portal by admin or during users login .
Then they can be seen. So while calling other API please make sure you have each of the scopes given admin consent granted .
Then you can see them reflected in token which is used to call API:
Please make sure to give scopes with /.default when using client_credential flow.
Example: api://xxxxxxx/.default
Make sure to check mark Id_token in authentication blade .
We have register new app in Azure AD use clientid and client secret to login and check other user details but now we removed all permission for the clientid and check using postman as well as from application,but its still login to app and able to get the other users details using https://graph.microsoft.com/v1.0/users for users and https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token for token. Question is how user is getting the access when all permission already revoked?
Even you revoked all permissions, please try resetting the signInSessionsValidFromDateTime user property to current date-time.
This must be performed by user or administrator.
By doing this, it deletes all the session cookies stored in user's browser that removes all the refresh tokens issued to application for a user.
Please ensure to have User.ReadWrite.All, Directory.ReadWrite.All permissions.
To revoke sign-in sessions from Microsoft graph explorer, try using the below query,
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions (Or)
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
Please find below links if they are helpful.
References:
user: revokeSignInSessions - Microsoft Docs
App can still get data via Microsoft Graph API after user revoke permission from My Apps Portal
I am trying to access the Online Meetings Graph API (Beta version) using developer tenant. I am able to login successfully to the developer tenant but not able to get the Token to access the graph API for Application type graph APIs. I am able to get the token for delegated type Graph APIs successfully and able to connect to the Graph API.
I given the admin consent for these APIs using button "Grant admin consent for [0]" in Azure Active Directory => App Registrations => My App => API Permissions in the Azure portal. I am able to see the success message as "Granted for [my Tenant]".
But I am getting the error saying "AADSTS65001: The user or administrator has not consented to use the application" while getting the token. I am using ConfidentialClientApplication class and AcquireTokenByAuthorizationCodeAsync method to get the token.
So is there any other place I need to verify for the consent or for developer Tenant and for these Beta APIs, I need to check any other process ?
Thank You for Your Time,
Rishi
I tried for delegated APIs (User.Read and Contacts.Read) and working fine on developer tenant. While doing trail and error I got error saying Invalid Scope (OnlineMeetings.ReadWrite.All) couple of times.
For Application type graph APIs, you should use client credentials flow to get the token.
Make sure you add the application permission and grant admin consent for it.
Here's a screenshot of the API call in Postman. I'm getting the token and using it here.
I'm getting 401 Unauthoized with no response. Is it because of the permissions within the app registration?
I've the following permissions for Power BI Service and Windows Azure Active Directory:
But when I click on grant permissions I get the error:
So, does the admin need to grant permission for this app (Web app / API) for it to work?
UPDATE
This is the API I call to get the access token.
https://login.microsoftonline.com/parkercorp.onmicrosoft.com/oauth2/token
POST BODY:
client_id: app_registration_clientId
client_secret: app_registration_client_secret
grant_type: client_credentials
resource: https://analysis.windows.net/powerbi/api
scope: openid
This is the decoded token as suggested by Tom Sun.
So, does the admin need to grant permission for this app (Web app / API) for it to work?
The root reason for granting permission failed is that you need admin consent that your admin can do it.
As you want to access the powerBI resource, so just need to check PowerBI service premission.
But cccording to your screenshot, you are trying to call Get Dashboard API.
GET https://api.powerbi.com/v1.0/myorg/dashboards/{dashboardKey}
Based on the document, required scope is Dashboard.ReadWrite.All or Dashboard.Read.All. It is no need to require admin consent.
401 error means that no permission to access the resource.
We could use the JWT.io to to decode the token to check the aud and permissions.
If possible, you could add the code how to get the token that will be more helpful.
When you have a permission checked that says "Requires Admin", then yes, you need an admin to click Grant Permissions. However, I don't think the two you have selected in your screenshot above are necessary for what you're trying to do. Try unchecking them, granting permissions, and running the request again.
We've migrated to a new tenant where I work. As such we are trying to re-add our applications into Azure AD. We have a documented process that has worked in the past in order to add applications for our MVC and WebAPI projects. However, we've been getting errors when attempting to query the Graph API. In the example application we've used the code from here to create a custom authorize attribute that allows us to group based authentication. After debugging the /Utilities/GraphHelper.cs we've determined that the application is getting a Status Error of 403 with a message that states: "Insufficient privileges to complete the operation."
After doing a bit of research I was able to replicate the Authentication process in Fiddler.
Action Method: POST
URL: https://login.windows.net/[tennantName]/oauth2/token?api-version=1.0
Header Block:
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 180
Expect: 100-continue
Connection: Keep-Alive
RequestBody:
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=[clientId]&client_secret=[urlencoded client secret]
I get back a token from this request and then attempt to query the federated directory from the graphapi again with fiddler:
Action Method: GET
URL: https://graph.windows.net/[federated domain]/directoryObjects/{group-guid}
Header Block:
Content-Type: application/json
Host: graph.windows.net
Authorization: Bearer [token from login response]
I receive and 403 response with the body:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
In Azure Active Directory, Under App Registrations for this application the manifest has been modified by a user with Company Admin Role for:
"groupMembershipClaims": "SecurityGroup", ...
"oauth2AllowImplicitFlow": true,
An Application Key was generated that is used for fetching a token to access the graph API.
Under Required Permissions for Application Permissions Read directory data, and Read all hidden memberships were checked by a user with Company Admin Role.
I'm out of ideas everything should be working.
I called MSFT support for Azure, apparently there is an issue with portal.azure.com assigning permissions. I was able to resolve this by going to the classic portal and getting the permissions reassigned.
Access that a client app has to the AAD Graph API is dependent on the permissions you have registered on your application.
Note that there is a section in the app registration process called "permissions to other applications" where you will need to specify the Graph API as a resource you want to call, and you must specify with what level of permissions you need to call that API.
Read more here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/
On your web client application’s configuration page in the Azure classic portal, set the permissions your application requires by using the drop-down menus in the Permissions to other applications control.
You can read more about the various scopes/permissions that the Graph API exposes here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Selecting these permissions are the first step, but it is not quite enough to actually get your app the right access it needs. The step you are missing is consent. Every application needs some level of user consent in order to access their tenant's data via the Graph API. Even if your application is doing App Only Flows (acting as a Daemon Service using the Client Credential Flow), you will still need the initial permissions to be consented to by the admin of the tenant where you want to get access to the data. This means the first time you want to use the application, you will have to trigger an interactive login experience. This process may happen 'automagically' when you use the "management.windowsazure.com" portal if you are an Admin configuring the app, since they automatically consent to the app on your behalf, however in all other scenarios you will have to follow the normal process of obtaining user consent yourself.
Once you have correctly configured your app with the right permission scopes, and have obtained consent, you should see in your access tokens 'scopes' or 'role' claims which represent the permissions your application is authorized for.
Using this knowledge, I hope you will be able to resolve the issue you are facing.