So basically I need to access the contacts of an office 365 user.
I use the Microsoft graph API and I successfully can get all the contacts via an HTTP GET in a JSON. But now I'm trying to write a JSON to the https://graph.microsoft.com/v1.0/me/contacts API with an HTTP POST, but I get a 403 - Permission Denied every time. So I went to https://jwt.io/ and checked my access token and saw that I don't have the permissions to write in the contacts.
I get those permissions:
"scp": "Contacts.Read openid profile User.Read"
Even though I only set Contacts.ReadWrite in the App Registration settings on the Azure portal.
Permissions
I've tried updating the permissions but that didn't help.
If you have changed the permissions, users need to consent again.
You can force user consent through a url request, append &prompt=consent to the authentication request URL.
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={your_client_id}
&response_type=code
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
&prompt=consent
Or you just grant consent on behalf of all users in this directory. Granting admin consent for all users means that end users will not be shown a consent screen when using the application.
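The diagnosis in the question (decoding the token and reading its scp claim) and the fix in the answer (forcing consent) as an added Python example; this is not code from the original post. It decodes the payload of a JWT without verifying it, which is all jwt.io does and is fine for inspection only, reports which required scopes are missing, and builds the v1 authorize URL with prompt=consent. The token is constructed and unsigned, and the tenant, client ID and redirect URI are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    Only for local inspection (what jwt.io does); never use an unverified
    payload to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(claims: dict) -> set:
    """Delegated permissions live in the space-separated 'scp' claim."""
    return set(claims.get("scp", "").split())


def missing_scopes(claims: dict, required: set) -> set:
    """Scopes the call needs that the token does not carry.

    A ReadWrite permission also satisfies the matching Read permission.
    """
    have = granted_scopes(claims)
    have |= {s.replace(".ReadWrite", ".Read") for s in have if ".ReadWrite" in s}
    return required - have


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  state: str, force_consent: bool = False) -> str:
    """The v1 authorize request from the answer above.

    prompt=consent shows the consent screen again even if the user consented
    earlier, which is how permissions added to the app registration get picked up.
    redirect_uri is assumed to be one registered on the app.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "resource": GRAPH_RESOURCE,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{urlencode(params)}"


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (unsigned, demo only); the scp claim mirrors the one
# reported in the question.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": GRAPH_RESOURCE, "scp": "Contacts.Read openid profile User.Read"}),
    "",
])

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("scp:", claims["scp"])
    print("missing:", missing_scopes(claims, {"Contacts.ReadWrite"}))
    print(authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                        "http://localhost/callback", "12345", force_consent=True))
```

Run it against a real access token by replacing SAMPLE_TOKEN; if the required scope is in the missing set, send the user through the URL with force_consent=True (or have an admin grant consent) and request a new token, since an already-issued token never gains scopes.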
Related
I'm having a bit of a difficult time trying to figure out what I'm doing wrong. I've registered an application with the Azure portal and I keep getting a 403 error after the OAuth2 flow is completed and I request the user data by hitting https://graph.microsoft.com/v1.0/me
Full error:
Client error: `GET https://graph.microsoft.com/v1.0/me` resulted in a `403 Forbidden` response:
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-11-29T21:40:18","request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451","client-request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451"}}}
I'm using the PHP SDK to do this, and I had it working with another app but with this new app I can't seem to do it.
This is the API Permissions I have available for the Application:
There are so many permissions, I'm not sure why I'm getting 403? I don't see what scope I'm missing? On the PHP SDK side, I've included all the scopes as in the image.
I tried to reproduce the same in my environment.
Here I used client credential flow to get the token
I tried to query the Graph /me endpoint; it requires delegated authentication.
Calling the https://graph.microsoft.com/me endpoint needs a signed-in user and so a delegated permission.
So even if the delegated permission is given, if the client credentials flow is used as the grant_type, there will be a 403 Forbidden error.
I tried the same with the authorization code flow and could sign in the user and get details successfully.
Another case: I tried the same for the users endpoint
https://graph.microsoft.com/v1.0/users
Required permissions:
Here the admin consent is not granted for the User.Read.All application permission
Make sure the application permissions required for your query are granted admin consent, either directly through the portal or during authentication of the user account with which the query is made.
Then the request can be queried successfully.
Reference: Get a user - Microsoft Graph v1.0 | Microsoft Learn
We have registered a new app in Azure AD and use the client ID and client secret to log in and check other users' details, but now we have removed all permissions for the client ID and checked using Postman as well as from the application, and it still logs in to the app and is able to get other users' details using https://graph.microsoft.com/v1.0/users for users and https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token for the token. The question is: how is the user getting access when all permissions have already been revoked?
Even though you revoked all permissions, please try resetting the signInSessionsValidFromDateTime user property to the current date-time.
This must be performed by the user or an administrator.
Doing this deletes all the session cookies stored in the user's browser and removes all the refresh tokens issued to applications for that user.
Please ensure you have the User.ReadWrite.All and Directory.ReadWrite.All permissions.
To revoke sign-in sessions from Microsoft Graph Explorer, try using the query below:
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions (Or)
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
Please find below links if they are helpful.
References:
user: revokeSignInSessions - Microsoft Docs
App can still get data via Microsoft Graph API after user revoke permission from My Apps Portal
I'm trying to figure out how to integrate an external app with the Microsoft CDS Web API. The first step would be to try the Web API with Postman. Following this document I could authenticate and make requests to the API using the client ID provided in the document. However, when I try to register my own app in my AAD, I can't get the access token in Postman without first having to request the admin for consent.
I followed the instructions in this document to register the app, plus I allowed implicit flow. I did this in a trial account, where I'm the admin, and then I tried retrieving the token with a user of another tenant (where I'm not an admin); it tells me to ask the tenant for consent.
Do you know how to register the app without non-admin users having to request admin consent?
Edit:
The registered app has the following permissions, none of which require admin consent:
Screenshot of the selected permission
The tenant which the non admin-users belong to has the following configuration for users being able to consent access:
Screenshot of user settings
Anyway, I assume these last settings would not be the problem, because when requesting the token with the client ID provided by Microsoft in the example in the first link, I do not require consent from the admin.
Just for the sake of clarity, this is the step that I would like to remove from the authorization process:
Screenshot of the consent request screen
First of all you need to know that not all permissions require admin consent.
Dynamics CRM user_impersonation permission doesn't require admin consent.
But you need to make sure that none of the permissions added to your registered app require admin consent. As long as any permission requires admin consent, admin consent cannot be bypassed.
Besides, make sure this configuration has been enabled in the tenant (which the non-admin users are from).
UPDATE:
You are correct. After testing, I found that this permission does require admin consent. I believe this is an error in the documentation. It seems that the conclusion is that we cannot bypass admin consent.
I am trying to connect to API through Client AAD details(clientid,client secret) using "client_credentials" grant_type, I am able to fetch the token with API scope but when I use that token to retrieve API results, I am getting 401 unauthorized error.
I am trying to understand what kind of permissions are required on API AAD for Client AAD to accept the token. Please help me to understand this.
Following are the permissions on both AAD :
API AAD:
User.Read - > Delegated - > Sign In and read user profile
Client AAD:
User impersonation - > Delegated - > FOR API AAD
Microsoft Graph - Delegated,Application ->User.Read.All
Thanks,
Deepak.
If you use Client Credential flow to obtain an access token, you must create an application and grant application permissions to the application (this is because Client Credential flow has no user interaction).
Before that, you need to understand the difference between delegated permissions and application permissions:
Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user.
Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.
Then you need to define the application permissions by editing the list of API applications. Here is an example.
Refer to this document and use the Client Credential flow to get the access token:
1. First you need to get the administrator's consent:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
2. Then you can get the access token by sharing the secret:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Parse the token and you will see your custom roles:
Okay, now you can use the token to access your resources.
Here's a screenshot of the API call in Postman. I'm getting the token and using it here.
I'm getting 401 Unauthorized with no response. Is it because of the permissions within the app registration?
I've the following permissions for Power BI Service and Windows Azure Active Directory:
But when I click on grant permissions I get the error:
So, does the admin need to grant permission for this app (Web app / API) for it to work?
UPDATE
This is the API I call to get the access token.
https://login.microsoftonline.com/parkercorp.onmicrosoft.com/oauth2/token
POST BODY:
client_id: app_registration_clientId
client_secret: app_registration_client_secret
grant_type: client_credentials
resource: https://analysis.windows.net/powerbi/api
scope: openid
This is the decoded token as suggested by Tom Sun.
So, does the admin need to grant permission for this app (Web app / API) for it to work?
The root reason the permission grant failed is that it needs admin consent, which your admin can give.
As you want to access the Power BI resource, you just need to check the Power BI Service permission.
But according to your screenshot, you are trying to call the Get Dashboard API.
GET https://api.powerbi.com/v1.0/myorg/dashboards/{dashboardKey}
Based on the document, the required scope is Dashboard.ReadWrite.All or Dashboard.Read.All. It does not require admin consent.
A 401 error means that there is no permission to access the resource.
We could use jwt.io to decode the token and check the aud and permissions.
If possible, you could add the code how to get the token that will be more helpful.
When you have a permission checked that says "Requires Admin", then yes, you need an admin to click Grant Permissions. However, I don't think the two you have selected in your screenshot above are necessary for what you're trying to do. Try unchecking them, granting permissions, and running the request again.
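An added Python example, not code from any of the answers above, that ties together the earlier answer about /me needing a delegated token, the client-credentials answer (roles claim, /.default scope) and the suggestion in this thread to decode the token and check aud and permissions. Given the already-decoded claims of a token, it reports why a Graph or Power BI call will be rejected before the request is sent, and it builds the v2 client-credentials token request. The claim sets are constructed; the endpoint-to-permission pairs used below are only what this page states (/me needs a signed-in user, /users needs User.Read.All, dashboards need Dashboard.Read.All or Dashboard.ReadWrite.All); the GUID form of the Graph audience is an assumption.

```python
import re
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
# Graph tokens carry either the URL or (assumed here) Graph's app-id GUID as aud.
GRAPH_AUDS = {GRAPH, "00000003-0000-0000-c000-000000000000"}
POWERBI_AUD = "https://analysis.windows.net/powerbi/api"


def token_kind(claims: dict) -> str:
    """A delegated (user) token carries 'scp'; an app-only token obtained with
    client_credentials carries 'roles'; neither means nothing was consented."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"


def preflight(claims: dict, endpoint: str, accepted_aud: set,
              delegated_ok: set, application_ok: set) -> list:
    """Reasons an API call will fail authorization; an empty list means it looks fine.

    delegated_ok / application_ok are the permissions the endpoint accepts for
    each token kind (from the endpoint's documentation; empty = not supported).
    """
    problems = []
    aud = claims.get("aud")
    if aud not in accepted_aud:
        problems.append(f"aud={aud!r} was not issued for this API ({sorted(accepted_aud)})")
    kind = token_kind(claims)
    # /me needs a signed-in user, so an app-only token is rejected whatever its roles.
    if re.search(r"/me(/|$)", endpoint) and kind != "delegated":
        problems.append("/me needs a signed-in user: a client_credentials token has roles, not scp")
        return problems
    if kind == "delegated":
        have = set(claims["scp"].split())   # scp is one space-separated string
        allowed = delegated_ok
    elif kind == "application":
        have = set(claims["roles"])         # roles is a JSON array
        allowed = application_ok
    else:
        problems.append("token carries neither scp nor roles: no permission was consented")
        return problems
    if not allowed:
        problems.append(f"endpoint does not support {kind} tokens")
    elif not have & allowed:
        problems.append(f"need one of {sorted(allowed)}, token has {sorted(have)}")
    return problems


def client_credentials_request(tenant: str, client_id: str, client_secret: str,
                               resource: str = GRAPH):
    """The v2 token request from the client-credentials answer: a single
    /.default scope asks for every application permission an admin consented to."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "scope": f"{resource}/.default",
                      "client_secret": client_secret, "grant_type": "client_credentials"})
    return url, body


# Constructed claim sets standing in for decoded tokens.
APP_ONLY = {"aud": GRAPH, "roles": ["User.Read.All"]}          # client_credentials
DELEGATED = {"aud": GRAPH, "scp": "User.Read openid profile"}  # authorization code flow
POWERBI = {"aud": POWERBI_AUD, "scp": "Dashboard.Read.All"}

if __name__ == "__main__":
    print(preflight(APP_ONLY, "/v1.0/me", GRAPH_AUDS, {"User.Read"}, set()))
    print(preflight(DELEGATED, "/v1.0/me", GRAPH_AUDS, {"User.Read"}, set()))
    print(preflight(APP_ONLY, "/v1.0/users", GRAPH_AUDS, {"User.Read.All"}, {"User.Read.All"}))
    print(preflight(DELEGATED, "/v1.0/myorg/dashboards/x", {POWERBI_AUD},
                    {"Dashboard.Read.All", "Dashboard.ReadWrite.All"}, set()))
    print(client_credentials_request("contoso.onmicrosoft.com", "client-id", "secret"))
```

The last preflight call reproduces the Power BI 401 above: a token minted for Graph (wrong aud, no Dashboard scope) is rejected twice over, and the fix is a token requested for the Power BI resource with the right delegated scope, not more Graph permissions.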