I have created an application on Azure AD and I have assigned User.Read.All permission to my application.
That being said, I can generate an access token for the app from Postman. When generating access token I supply -
client_id: xxxx
client_secret: yyyy
grant_type: client_credentials
scope: https://graph.microsoft.com/.default
Using the generated access token (as header Authorization: Bearer zzzz) I send a GET request to https://graph.microsoft.com/v1.0/users/jhon.doe#domain.com. Which gives me error -
403 Forbidden
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "aaa-bbb-ccc-ddd",
"date": "2019-09-10T12:44:46"
}
}
}
Can anyone tell me what wrong I am doing?
Thanks in advance.
You need to add Application permissions.
Not delegated permissions.
In your screenshot we can see that they are delegated, which means they only apply in situations where there is a user involved in the authentication.
Since you use client credentials authentication, there is no user involved, only the app.
When you add required permissions, there should be an option to choose between Delegated and Application.
Choose Application, choose the necessary permissions, and grant them.
Related
We have a multi tenant registered application in Azure AD, lets call it Tenant A and we are trying to get access to the resources without the user by graph API.
Using following details, We successfully get the Token, if we try to work with resources for example create files or folder on a main tenant (tenant A).
But if we run the same code for another tenant for example tenant B (which is one of the tenantA 's tenant), we are getting error: "AccessDenied: Either scp or roles claim need to be present in the token."
And indeed there is no roles defined in the token.
I am wondering what I am doing wrong here? Do I need to set permissions/roles for tenantB as well?
url: https://login.microsoftonline.com//oauth2/v2.0/token
scope: https://graph.microsoft.com/.default
grant_type: client_credentials
client_id:
client_secret: <tenantA-client_secret>
"{
"error": {
"code": "AccessDenied",
"message": "Either scp or roles claim need to be present in the token.",
"innerError": {
"date": "2021-02-04T14:28:13",
"request-id": "ca4565f7-aa56-4b00-9f46-09884ad39ff6",
"client-request-id": "ca456ufo-ab5m-4b99-9f46-09pp4ad39ff6"
}
}
}"
scopes for tennat A:
You have found the solution, post it as an answer to end the thread:
The admin must confirm the consent that was the whole issue, after
confirming the consents by Admin all works as expected.
As you imagine, when you use the multi-tenant application in tenant B, it still has to obtain the consent of the administrator of tenant B for all permissions.
I found the SOLUTION:
The admin from tenant B must confirm the consent, after confirming the consents by Admin all works as expected.
I'm using graph rest api for writing a draft mail.
First, I called the authorize method with the https://graph.microsoft.com/.default scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=https://graph.microsoft.com/.default
With the obtained code, I called the token method with the same scope:
https://login.microsoftonline.com/common/oauth2/v2.0/token
With this token, I am able to get messages without any issues, but when I try to create a draft by calling: https://graph.microsoft.com/v1.0/me/messages/ I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7fafbb5a-ab6d-4dbc-bb73-69d58b00f7ac",
"date": "2019-11-26T20:48:24"
}
}
}
As stated in the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-messages?view=graph-rest-1.0&tabs=http) I have set the Mail.ReadWrite permission in my registered Azure app and granted admin consent. Am I missing something?
I checked Graph logs and that call to Microsoft Graph did not have the Mail.ReadWrite permission. Can you try adding that permission to the scope query param in your implicit auth flow call instead of .default? (If you need multiple permissions you can list them all in the scope param separated by spaces)
I am trying to get the Azure AD Groups a user in member of:
https://graph.microsoft.com/v1.0/users/<user_id>/memberOf
For some users I am getting the requested information but for others I am getting this error:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "fd9345ee-ee2f-4dfb-b7e8-ca53d0c804d9",
"date": "2019-07-03T15:50:25"
}
}
}
I'm getting the token using Client ID + Client Secret.
The app has these privileges:
(Application) Groups.Read.All
(Application) Users.Read.All
As I am getting the groups for some members it seems this is not a lack of privileges at Azure app level.
Can you please help me on this?
Thanks in advance!
PS: Fix by Caiyi Ju: "Since you are using client credential flow, you need to grant Directory.Read.All permission (application)."
Since you are using client credential flow, you need to grant Directory.Read.All permission(application).
You need Directory.Read.All Delegated permission You could check here
See how you could do it.
Delegated Directory.Read.All Permission
After adding permission don't for get to click Grant Consent
Post Man Test:
I am working on daemon service that retrieves the list of contacts from Microsoft Graph, that does not prompt Microsoft Authentication to the user. However, I'm not able to retrieve the permissions I set in Microsoft Azure even with granted admin consent.
I use Postman to generate a token with the following information.
https://login.microsoftonline.com/0835055b-8a00-4130-b07a-037430dd000d/oauth2/v2.0/token
The following json is the result I get
{
"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "{MY_TOKEN_HERE}"
}
Token is generated successfully but the token returned does not include the permission with granted admin consent I set in MS Azure at portal.azure.com > Registered App > API Permission.
I have Microsoft Graph - Users.Read and Contacts Read with green ticks on admin consent required. See image below:
Microsoft Azure - API Permission
And without the scope, I'm not able to retrieve the list of contacts with given token.
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "63a24a22-34f7-42a1-a9d5-d7aaf598f4d6",
"date": "2019-07-01T02:59:15"
}
}
}
Is there anything I missed? I assumed when the admin has granted consents, I should be able to include the API in scopes to generate tokens.
I saw there is a similar issue here but there is no solutions that work for me:
Microsoft graph API: Unable to fetch users with the generated access token
Based on your screenshot, the contacts.read you granted is an application permission. And, you have only one delegated permission: user.read .
However, if you want to call the graph api : graph.microsoft.com/v1.0/me/contacts , you need to use delegated permission. It will represent the user. So you can get the information for "me". And based on the official documentation , you need to grant the Contacts.Read (Contacts.ReadWrite for writing) delegated permission.
If you want to use application permission, then you need to get access token with client credentials flow. Token got in this way can be used for application permission. And you should call the api as following : graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts
I am trying to have access to information in "/me" with Graph API for a personal account using Azure AD v2.0 but I receive the following error. It works with organizational accounts.
{
"error": {
"code": "UnknownError",
"message": "{\"Status\":500,\"Message\":\"All the offeractions povided in the property bag cannot be validated for the token.\\u000d\\u000a\"}",
"innerError": {
"request-id": "39e23062-80ad-4872-86a7-39f5a5d928ce",
"date": "2017-02-23T15:35:06"
}
}
}
I have the permission User.ReadBasic.All
The scope User.ReadBasic.All grant the permission to read the basic profile of all users in the organization on behalf of the signed-in user. This scope is t only supported for the Azure AD Account. If you just want to read the user’s profile for the Microsoft Account, you could use the scope User.Read . Code flow steps below is for your reference :
Get the authorization code :
Get : https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=<client id>&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
Then get the token :
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<code>&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&client_id=<client id>&client_secret=<client secret>