How to get mailbox for my new Azure Active Directory Domain? - azure

I logged into the Azure Portal using my outlook user account and registered a new app, created a user-specific (not tenant-specific) token and successfully accessed the mail list through the Outlook API. I want to do the same using a tenant. So, I created a new Azure Active Directory Domain (mydomain.onmicrosoft.com for example) and added a few users to it. I created a tenant-specific token and tried to access the following:
https://graph.microsoft.com/v1.0/users/username@mydomain.onmicrosoft.com/messages
but, I got the error below.
{
  "error": {
    "code": "ResourceNotFound",
    "message": "Resource could not be discovered.",
    "innerError": {
      "request-id": "576e0c7b-dc27-4d3e-b58e-37ac15346b2f",
      "date": "2019-12-02T10:14:44"
    }
  }
}
Is this because my username@mydomain.onmicrosoft.com does not have a mailbox? What should I do to get a mailbox for this custom domain? How do I access the list of mails for any user in my custom domain through the Outlook API? Please advise.
PS:
https://graph.microsoft.com/v1.0/users/username@mydomain.onmicrosoft.com
The above endpoint gives the user details correctly. However,
https://graph.microsoft.com/v1.0/users/username@mydomain.onmicrosoft.com/messages
does not return the mail list

Is this because my username@mydomain.onmicrosoft.com does not have a mailbox? What should I do to get a mailbox for this custom domain?
Yes, you are right. These users don't have a mailbox. You need an O365 subscription for your AAD; then you can assign a license to the users that need a mailbox.
Reference:
Understand subscriptions and licenses in Office 365 for business
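As an added example (editor's code, not from the question or the answer above): the Python below checks a user object returned by Graph for an enabled Exchange service plan, which is what separates a bare Azure AD user from one with a mailbox, and builds the two Graph calls that turn the former into the latter. Graph refuses assignLicense for a user without a usageLocation, so that PATCH comes first. All sample responses are constructed and the skuIds are made up; the skuPartNumber and servicePlanName strings follow Microsoft's naming.

```python
"""Added example (editor's code, not from the original post): decide why
GET /users/{upn}/messages returns ResourceNotFound for a user created in a bare
Azure AD tenant, and build the Graph requests that give that user a mailbox.
Everything here runs offline against constructed sample responses."""

# Constructed sample of GET /v1.0/users/{upn}?$select=userPrincipalName,usageLocation,assignedPlans
# for a user who was only ever created in Azure AD (the situation in the question).
UNLICENSED_USER = {
    "userPrincipalName": "username@mydomain.onmicrosoft.com",
    "usageLocation": None,
    "assignedPlans": [],
}

# Constructed sample of the same user after an Exchange-bearing license was assigned.
LICENSED_USER = {
    "userPrincipalName": "username@mydomain.onmicrosoft.com",
    "usageLocation": "US",
    "assignedPlans": [
        {"service": "exchange", "capabilityStatus": "Enabled"},
        {"service": "SharePoint", "capabilityStatus": "Enabled"},
    ],
}

# Constructed sample of GET /v1.0/subscribedSkus (skuIds are made up).
SUBSCRIBED_SKUS = {
    "value": [
        {
            "skuId": "00000000-0000-0000-0000-000000000001",
            "skuPartNumber": "O365_BUSINESS_ESSENTIALS",
            "capabilityStatus": "Enabled",
            "consumedUnits": 3,
            "prepaidUnits": {"enabled": 5, "suspended": 0, "warning": 0},
            "servicePlans": [{"servicePlanName": "EXCHANGE_S_STANDARD", "appliesTo": "User"}],
        },
        {
            "skuId": "00000000-0000-0000-0000-000000000002",
            "skuPartNumber": "POWER_BI_STANDARD",
            "capabilityStatus": "Enabled",
            "consumedUnits": 0,
            "prepaidUnits": {"enabled": 100, "suspended": 0, "warning": 0},
            "servicePlans": [{"servicePlanName": "BI_AZURE_P0", "appliesTo": "User"}],
        },
    ]
}


def has_exchange_mailbox(user):
    """A user is reachable through /messages only if one of their assigned service
    plans is an enabled Exchange plan; a bare Azure AD user has none."""
    return any(
        plan.get("service", "").lower() == "exchange" and plan.get("capabilityStatus") == "Enabled"
        for plan in user.get("assignedPlans", [])
    )


def skus_with_exchange(subscribed_skus):
    """skuIds in the tenant that carry an Exchange Online plan and still have free seats."""
    usable = []
    for sku in subscribed_skus["value"]:
        free_seats = sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
        carries_exo = any(sp["servicePlanName"].startswith("EXCHANGE_S") for sp in sku["servicePlans"])
        if sku["capabilityStatus"] == "Enabled" and carries_exo and free_seats > 0:
            usable.append(sku["skuId"])
    return usable


def mailbox_fix_requests(user, subscribed_skus, usage_location="US"):
    """Return the Graph calls, as (method, path, json_body), that must succeed before
    GET /users/{upn}/messages stops returning ResourceNotFound. Empty list: nothing to do."""
    if has_exchange_mailbox(user):
        return []
    candidates = skus_with_exchange(subscribed_skus)
    if not candidates:
        raise LookupError("no Exchange-bearing SKU with free seats: add an Office 365 subscription first")
    upn = user["userPrincipalName"]
    calls = []
    if not user.get("usageLocation"):
        # assignLicense is rejected for a user without a usageLocation, so set it first.
        calls.append(("PATCH", f"/v1.0/users/{upn}", {"usageLocation": usage_location}))
    calls.append((
        "POST",
        f"/v1.0/users/{upn}/assignLicense",
        {"addLicenses": [{"disabledPlans": [], "skuId": candidates[0]}], "removeLicenses": []},
    ))
    return calls
```

Run the returned calls in order with a token that carries User.ReadWrite.All (or Directory.ReadWrite.All); mailbox provisioning after the license lands is asynchronous, so /messages may still 404 for a few minutes.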


How to get access token for subscription in a different tenant?

I'm trying to use the "Invoke an HTTP request" action in Power Automate to query a Log Analytics workspace. I have access to perform this from the Azure portal. I referred to this Microsoft article to get the URI. But when I try to execute the flow, I get the below error:
Complete error message:
{
  "error": {
    "message": "The provided authentication is not valid for this resource",
    "code": "InvalidTokenError",
    "correlationId": "45e0ff0c-01f1-4ea5-a11d-ec6ce2d71b8b",
    "innererror": {
      "code": "InvalidAuthenticationTokenTenant",
      "message": "The access token is from the wrong issuer 'https://sts.windows.net/687f51c3-0c5d-4905-84f8-97c683a5b9d1/'. It must match one of the tenants 'https://sts.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953/,https://sts.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913/' associated with this subscription. Please use any authority (URL) from 'https://login.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953,https://login.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
    }
  }
}
The analytics workspace that I'm trying to query is not under my AAD tenant. It is under another tenant/directory, which I have access to from the portal. How can I get the access token so that I can execute this query?
I have already tried the action "Run query and list results" in power automate, which gave the same error.
Any suggestions?
Please check the points below:
1. Check if you have multiple subscriptions. When requesting the access token, the tenant you selected may not be the one the subscription belongs to. In such a case, try to change the settings and map your subscription to the directory which you want to use.
2. In some cases the browser tries to get an access token from the already logged-in tenant. So if it's under the same subscription, check again after clearing the cache.
3. You can also put the required tenant ID in the environment settings of your particular app, using DefaultAzureCredential(), or configure the authority defining the tenant ID: https://login.microsoftonline.com/{tenant-id} for multiple tenants.
4. Signing in once to access all the Azure Log Analytics data from all tenants may not be feasible. It may require reauthentication.
Check this way to get the access token for that particular tenant: Request an authorization token - Azure Monitor | Microsoft Docs, and use the token to call the Log Analytics workspace.
References:
Query - Execute - REST API (Azure Log Analytics) | Microsoft Docs
azure log analytics - Valid authentication was not provided - Stack Overflow

Check if users deleted in clients Azure AD

I am integrating Login with Azure AD for one of my clients on my website. I am only targeting one specific group in their organisation, and not everybody in the entire organisation.
This new feature has 2 requirements:
We need to create an account for people logging in via their email using our client's Azure AD.
We need to run a CRON job daily to check if anybody has been removed in their AD (due to them leaving the company), so we also need to remove their profile in our application.
For number 1, I think it's sufficient to call the /authorization, /token and /userinfo endpoints. Is this correct?
But for number 2, I am having issues to see how this is possible.
When browsing the graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) I can find the following 2 API methods:
GET all users in the organization: /users ---> But I am unsure whether this returns all the users in their AD, or only the ones applicable to my application?
GET direct members of a group with count: /groups/{id}/members ---> Is this the one I am looking for when they are assigned to a specific group?
I've also found this SO link : https://stackoverflow.com/a/64553305 which talks about saving the access token and refresh token. Is it possible if I save these two to fetch the userinfo at any point in time? This way I could possibly query all the created accounts each day and if one of them returns a status deleted, or empty I know the account no longer exists? Or is this not an option?
Thanks in advance!
UPDATE:
I noticed that my client granted me the User.Read and User.Read.All graph permissions.
But I'm not certain how to call this API. When calling this API in Postman:
https://graph.microsoft.com/v1.0/users/123-this-is-the-id
I am getting the following response:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token is empty.",
    "innerError": {
      "date": "2021-10-07T12:59:05",
      "request-id": "...",
      "client-request-id": "..."
    }
  }
}
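Two facts bear on the question above: GET /users lists every user in the directory the token can read, not only users of one application, so for "one specific group" the /groups/{id}/members endpoint is the right one (it needs a group-member read permission such as GroupMember.Read.All in addition to User.Read.All); and the "Access token is empty" response means the request reached Graph without an Authorization: Bearer header. As an added example (editor's code, not from the post), the Python below performs the daily reconciliation of step 2 against one group, following Graph's @odata.nextLink paging and skipping nested groups. The group id, pages and local account table are constructed; the fetch function is a stand-in for an authenticated GET.

```python
"""Added example (editor's code, not from the original post): reconcile the
application's local accounts against the members of one Azure AD group.
Graph pages large collections and returns an @odata.nextLink for the next page,
so the code follows those links. Pages and local accounts are constructed."""

BASE = "https://graph.microsoft.com/v1.0"
GROUP_ID = "11111111-1111-1111-1111-111111111111"  # made-up group id

# Constructed: two pages of GET /groups/{id}/members?$select=id,userPrincipalName.
# Members can be users, groups or service principals; @odata.type says which.
PAGES = {
    f"{BASE}/groups/{GROUP_ID}/members?$select=id,userPrincipalName": {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-1", "userPrincipalName": "alice@contoso.com"},
            {"@odata.type": "#microsoft.graph.user", "id": "u-2", "userPrincipalName": "bob@contoso.com"},
            {"@odata.type": "#microsoft.graph.group", "id": "g-9"},
        ],
        "@odata.nextLink": f"{BASE}/groups/{GROUP_ID}/members?$select=id,userPrincipalName&$skiptoken=page2",
    },
    f"{BASE}/groups/{GROUP_ID}/members?$select=id,userPrincipalName&$skiptoken=page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": "u-3", "userPrincipalName": "carol@contoso.com"},
        ],
    },
}

# Constructed: accounts the application created at login, keyed by the Azure AD
# object id (stable across renames; a UPN can change).
LOCAL_ACCOUNTS = {"u-1": "alice", "u-2": "bob", "u-4": "dave-left-last-week"}


def graph_headers(access_token):
    """Graph answers InvalidAuthenticationToken / 'Access token is empty' when the
    Authorization header is missing, so refuse to build a request without one."""
    if not access_token:
        raise ValueError("no access token: send Authorization: Bearer <token>")
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def iter_group_users(group_id, fetch_json):
    """Yield the user objects (not nested groups or service principals) of a group,
    following @odata.nextLink until Graph stops returning one."""
    url = f"{BASE}/groups/{group_id}/members?$select=id,userPrincipalName"
    while url:
        page = fetch_json(url)
        for member in page.get("value", []):
            if member.get("@odata.type") == "#microsoft.graph.user":
                yield member
        url = page.get("@odata.nextLink")


def accounts_to_deprovision(local_accounts, group_id, fetch_json):
    """Object ids of local accounts whose owner is no longer a member of the group,
    whether removed from the group or deleted from the directory."""
    current = {u["id"] for u in iter_group_users(group_id, fetch_json)}
    return sorted(oid for oid in local_accounts if oid not in current)


def fake_fetch(url):
    """Constructed stand-in for an authenticated GET; in production this is an HTTP
    call that sends graph_headers(token) and returns the decoded JSON body."""
    return PAGES[url]
```

Reconciling on the directory object id rather than the e-mail address means a renamed user is not mistaken for a departed one; a user who left the company disappears from the member list even while the deleted object is still recoverable in the directory's recycle bin.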

Microsoft Graph to send mail with Client Credential Flow (application permission) and personal account

I am learning Microsoft Graph and for this I use Graph Explorer and Postman.
With Graph Explorer: I am signed in with my personal user account (hotmail). As soon as I am connected, I can see the token. Strangely, when I copy/paste this token in jwt.io it cannot be decoded. Yet I can perform a query like https://graph.microsoft.com/v1.0/me which returns me some info about myself as a user (with HTTP 200), or this query https://graph.microsoft.com/v1.0/me/sendMail which allows me to send a test mail and receive it (with HTTP 202). All of these requests were "delegated permission". So I don't have any problem using Graph Explorer with my personal account (hotmail).
With Postman: this time I will perform some tests with "application permission". I followed the steps below:
On the Azure Portal
Step 1: App registrations / New registration / I give a name / Choose the 3rd account type (Accounts in any organizational directory and personal Microsoft accounts) / Click on Register button
Step 2: Api permissions / Add permission / Microsoft Graph / Application permissions / Mail.Send (send mail as any user)
Step 3: Grant admin consent for... button to activate the permission
Step 4: Certificate & Secrets / New client secret / Enter a description / Click Add button
Step 5: Obtain a token in Postman
POST
https://login.microsoftonline.com/{my-tenant-id-here}/oauth2/v2.0/token
HEADERS
Content-Type: application/x-www-form-urlencoded
BODY
client_id: {my-client-id-here}
client_secret: {my-client-secret-here}
grant_type: client_credentials
scope: https://graph.microsoft.com/.default
OK I got a token
When copy/paste this token in jwt.io I see this:
Step 6: Query for listing all users
GET
https://graph.microsoft.com/v1.0/users
AUTHORIZATION
Bearer token: {bearer-token-received-previously}
HEADERS
Content-Type: application/json
OK I got infos for all users (as json)
Step 7: Query for sending a mail
POST
https://graph.microsoft.com/v1.0/users/{user-principal-name}/sendMail
AUTHORIZATION
Bearer token: {bearer-token-received-previously}
HEADERS
Content-Type: application/json
BODY (JSON)
{
  "message": {
    "subject": "This is my subject",
    "body": {
      "contentType": "Text",
      "content": "This is my content"
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "thierry.langie@skynet.be"
        }
      }
    ],
    "ccRecipients": []
  },
  "saveToSentItems": false
}
NOT OK Error: MailboxNotEnabledForRESTAPI - REST API is not yet supported for this mailbox
I would like to know why I got this error. I can send email with Graph Explorer (when using delegated permission) and not with Postman (when using application permission).
As you can see below, I grant admin consent in Enterprise applications on the Azure Portal.
I read somewhere that the error means the user doesn't have the mailbox in EXO cloud. EXO is O365 Exchange Online Cloud. So if you don't have mailbox in the cloud O365 Exchange REST APIs will not work for these users. If that is the case, what would you do ?
I have a Web application which should send mails from a shared mailbox. No matter which user is connected, this is always the same mailbox which is used to send mails. That's why I go with "application permission" and "Client credential flow".
As explained above, I use my personal account (hotmail) for testing purpose but in production I'll use a work account (not accessible from my dev environment).
As a side note, I know there are libraries to facilitate the process and avoid using REST API calls (urls) but I don't think that can explain the problem I am facing.
"MailboxNotEnabledForRESTAPI - REST API is not yet supported for this mailbox" This error message means that the email account you are using to send email doesn't have an Exchange Online license.
For a personal account, you should use Delegated permission, which you have tried in Microsoft Graph Explorer. See Permissions here.
If we add the personal account to your tenant as a guest user, although we can Assign a license to a guest user (I assume we can assign an EXO license to the guest user), the mailbox hosted in EXO is different from the mailbox of the personal account. They are two totally separate mailboxes. And in fact I failed to assign an EXO license to the guest.
So in this case Client Credential Flow applies to the AAD users, not the personal account.
UPDATE:
For a personal account which uses Delegated permission (you have tried in Microsoft Graph Explorer), the authority endpoint is https://login.microsoftonline.com/common/oauth2/v2.0/authorize or https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize.
But when you use client credential flow with Application permission, you have to specify the tenant id in the request https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize.
Although your personal account is added into the tenant as a guest user, it doesn't have EXO license (based on test we are unable to assign EXO license to it), so it won't be hosted in O365.
That is why we can't use client credential flow with personal account.

How do list all applications in Graph Explorer with my Azure free account?

I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
  "value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
  "error": {
    "code": "ResourceNotFound",
    "message": "Resource not found.",
    "innerError": {
      "request-id": "*****",  <-- I commented this out
      "date": "2019-05-28T20:17:11"
    }
  }
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This has nothing to do with the Azure free account. If you log in to Graph Explorer using an outlook account, it will identify this account as a personal account (with tenant outlook.com). That's why you cannot find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1. Click Azure Active Directory -> Users -> New User. The username should be something like username@{your tenant name} (XXX.onmicrosoft.com).
2. After the creation, add the roles for this user.
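Both the Log Analytics question earlier on this page (token issued by a tenant the subscription does not trust) and the Graph Explorer question just above (signed in with a personal account, so the token belongs to the consumer tenant rather than the directory holding the app registration) come down to the same check: which tenant issued this token? As an added example (editor's code, not from either answer), the Python below decodes a JWT payload without verifying it, pulls the tenant from `tid` or `iss`, parses the accepted tenants out of the InvalidAuthenticationTokenTenant message, and flags personal-account tokens by the well-known consumer tenant id Azure AD uses for Microsoft accounts. The error body is the one printed in the earlier question; the tokens are constructed and unsigned, so this is a diagnostic, not an authorization check.

```python
"""Added example (editor's code, not from either answer): find out which tenant a
token was issued for and compare it with what the resource accepts. Tokens are
decoded, not verified; the sample tokens are constructed and unsigned."""
import base64
import json
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Tenant id Azure AD uses for personal Microsoft accounts (outlook.com, hotmail.com, ...).
CONSUMER_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode the payload of a JWT without checking its signature: fine for
    diagnostics, never for authorization decisions."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_tenant(claims):
    """Tenant id from `tid`, falling back to the GUID inside `iss`
    (https://sts.windows.net/{tid}/ or https://login.microsoftonline.com/{tid}/v2.0)."""
    if "tid" in claims:
        return claims["tid"].lower()
    match = re.search(GUID, claims.get("iss", ""), re.I)
    return match.group(0).lower() if match else None


def tenants_accepted_by(error_body):
    """Tenant ids listed after 'It must match one of the tenants' in an
    InvalidAuthenticationTokenTenant error from Azure Resource Manager."""
    message = error_body["error"]["innererror"]["message"]
    accepted_part = message.split("It must match one of the tenants", 1)[1]
    return sorted({g.lower() for g in re.findall(GUID, accepted_part, re.I)})


def is_personal_account(claims):
    return token_tenant(claims) == CONSUMER_TENANT or claims.get("idp") == "live.com"


def diagnose(token, error_body=None):
    """A personal-account token never sees an organization's directory objects; a
    work token from the wrong tenant must be re-requested from an authority the
    resource accepts. Returns (verdict, detail)."""
    claims = jwt_claims(token)
    tid = token_tenant(claims)
    if is_personal_account(claims):
        return ("personal account", "sign in as a user created in the target tenant")
    if error_body is not None:
        accepted = tenants_accepted_by(error_body)
        if tid not in accepted:
            return ("wrong tenant", [f"https://login.microsoftonline.com/{t}" for t in accepted])
    return ("ok", tid)


def make_unsigned_token(claims):
    """Constructed test token: JWT header and payload with a dummy signature segment."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"


# The error body from the Log Analytics question on this page (ids as printed there).
ARM_ERROR = {"error": {
    "code": "InvalidTokenError",
    "innererror": {
        "code": "InvalidAuthenticationTokenTenant",
        "message": (
            "The access token is from the wrong issuer "
            "'https://sts.windows.net/687f51c3-0c5d-4905-84f8-97c683a5b9d1/'. "
            "It must match one of the tenants "
            "'https://sts.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953/,"
            "https://sts.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913/' "
            "associated with this subscription. Please use any authority (URL) from "
            "'https://login.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953,"
            "https://login.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913' to get the token."
        ),
    },
}}

# Constructed, unsigned tokens for the two situations on this page.
WORK_TOKEN = make_unsigned_token({
    "iss": "https://sts.windows.net/687f51c3-0c5d-4905-84f8-97c683a5b9d1/",
    "tid": "687f51c3-0c5d-4905-84f8-97c683a5b9d1",
    "aud": "https://api.loganalytics.io",
})
PERSONAL_TOKEN = make_unsigned_token({
    "iss": f"https://login.microsoftonline.com/{CONSUMER_TENANT}/v2.0",
    "tid": CONSUMER_TENANT,
    "idp": "live.com",
    "aud": "00000003-0000-0000-c000-000000000000",
})
```

The "wrong tenant" verdict hands back the authorities to request a fresh token from; the "personal account" verdict is the Graph Explorer case, where the fix is the answer's: sign in with a user that exists in the tenant.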

I'm getting a 403 Forbidden error with the Google Wallet Objects API

I'm getting the following when trying to authenticate using OAuth2 using the Java client library:
Error:
Code was 403
Msg: Forbidden
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "insufficientPermissions",
        "message": "Insufficient Permission"
      }
    ],
    "code": 403,
    "message": "Insufficient Permission"
  }
}
What could be causing this "Insufficient Permission" error?
If you are using the Google Wallet Objects API, make sure that you share your account in the Merchant Account with the Service Account email address (the one you got when you created your credentials; you can get it from the Cloud Console https://cloud.google.com/console, the one that ends with @developer.gserviceaccount.com).
Log in to the Merchant Dashboard, click on Account Management and then click on Share. Add the email to the list of users.
You'll also want to share your merchant account with any users you want to give preview access to your classes and discoverables.
