I am trying to get a list of users from azure ad using graph api. I have got the access token by using the below query:
https://login.microsoftonline.com/<tenant-Id>/oauth2/token
I got below response:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1559555742",
"not_before": "1559551842",
"resource": "https://graph.microsoft.com",
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYUy1XcWZRa2RmUmVnSVJfWE4yLXdYSFZwLXJKdlltcWVzTzAwSmd1V2dJOVVQUVBWbldScjhtZjM1SHhXblhFcWhIMVlWY1Y2NlYS00ZTE1LTQ0NWEtOTM0Ni02YTBhOGQxN2UxOTYvIiwib2lkIjoiYzE0YzFlYmEtYzExMS00ZmMxLTllYjAtYTJmNGMwNjg4MDEyIiwic3ViIjoiYzE0YzFlYmEtYzExMS00ZmMxLTllYjAtYTJkKgCbMg5jElY2I83cKpRos6Jti3SUYIVTYiyF__gMsKzCQWgRZFUWnTi7syaypCrPEExPw_OMRJMNMOrYixTBZjwUi0H6ThGNxQOMt5mXhzvlVYRMdyChdmv4r2-JK-LX9yjBN8BWG78e3FYhWQCRERh5H3zNpdX1ln79QY38mhn-XJViA2vX-VCYqZhoUo-c_iR-_HZ3CLCHxRxgRHtT_oGXuX1Kegxo3F6FsuQ2Vj1WT5VjCRGCi71pY_lU_EROzkLdefS84fur4jBawvd1ccCf8u9U0kYy3xu0m02wNxKPe2Weg"
}
Once I have the token, I am referring to this link and using below url to get the user list:
https://graph.microsoft.com/v1.0/users
and also passing the token in header but getting below error:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"request-id": "f03e6cc4-1888-406d-9ee4-2558b96e7fb4",
"date": "2019-06-03T09:22:30"
}
}
}
I am doing this from postman as of now but later have to do it from python script. Can anyone please suggest what is wrong here. Thanks
It seems you are trying to fetch user list using Microsoft Graph. To do that see the following steps:
Azure portal Permission:
Go to your Azure portal tenant and set below permission on "API permissions" menu. See the screen shot below:
See the Application Permission Like below:
Do the same for dedicated permission. See the dedicated permission below
Your Permission should look like below:
Request for Token:
Send request to your token endpoint with your credentials. Like below:
Decode Token and Check Permission:
Once you get your token make sure on https://jwt.io/ that your token contains required permission like below:
Request For User List
In this stage add your token on Type as bearer token, paste your token on Token text box and click send:
Get The Users List:
You will get your User List as specified in below screen shot.
You could follow the steps as below.
1.In your AD App -> API permissions -> Add a permission -> select Microsoft Graph -> Application permissions -> User.Read.All -> click Add permissions -> click Grant admin consent for xxx
2.Use the client credentials flow to get the access token.
3.Then you could use the token returned by step 2 to call the MS graph api, it should work.
Related
I'm using graph rest api for writing a draft mail.
First, I called the authorize method with the https://graph.microsoft.com/.default scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=https://graph.microsoft.com/.default
With the obtained code, I called the token method with the same scope:
https://login.microsoftonline.com/common/oauth2/v2.0/token
With this token, I am able to get messages without any issues, but when I try to create a draft by calling: https://graph.microsoft.com/v1.0/me/messages/ I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7fafbb5a-ab6d-4dbc-bb73-69d58b00f7ac",
"date": "2019-11-26T20:48:24"
}
}
}
As stated in the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-messages?view=graph-rest-1.0&tabs=http) I have set the Mail.ReadWrite permission in my registered Azure app and granted admin consent. Am I missing something?
I checked Graph logs and that call to Microsoft Graph did not have the Mail.ReadWrite permission. Can you try adding that permission to the scope query param in your implicit auth flow call instead of .default? (If you need multiple permissions you can list them all in the scope param separated by spaces)
I am working on daemon service that retrieves the list of contacts from Microsoft Graph, that does not prompt Microsoft Authentication to the user. However, I'm not able to retrieve the permissions I set in Microsoft Azure even with granted admin consent.
I use Postman to generate a token with the following information.
https://login.microsoftonline.com/0835055b-8a00-4130-b07a-037430dd000d/oauth2/v2.0/token
The following json is the result I get
{
"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "{MY_TOKEN_HERE}"
}
Token is generated successfully but the token returned does not include the permission with granted admin consent I set in MS Azure at portal.azure.com > Registered App > API Permission.
I have Microsoft Graph - Users.Read and Contacts Read with green ticks on admin consent required. See image below:
Microsoft Azure - API Permission
And without the scope, I'm not able to retrieve the list of contacts with given token.
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "63a24a22-34f7-42a1-a9d5-d7aaf598f4d6",
"date": "2019-07-01T02:59:15"
}
}
}
Is there anything I missed? I assumed when the admin has granted consents, I should be able to include the API in scopes to generate tokens.
I saw there is a similar issue here but there is no solutions that work for me:
Microsoft graph API: Unable to fetch users with the generated access token
Based on your screenshot, the contacts.read you granted is an application permission. And, you have only one delegated permission: user.read .
However, if you want to call the graph api : graph.microsoft.com/v1.0/me/contacts , you need to use delegated permission. It will represent the user. So you can get the information for "me". And based on the official documentation , you need to grant the Contacts.Read (Contacts.ReadWrite for writing) delegated permission.
If you want to use application permission, then you need to get access token with client credentials flow. Token got in this way can be used for application permission. And you should call the api as following : graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts
I am trying to call graph api to get user information. I am using postman to get the token first and then using that token trying to make a request to graph api
I get the token with below post request and with 4 key values for grant_type, client_id, client_secret and resource.
https://login.microsoftonline.com/{{tenantid}}/oauth2/token
The response is
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1555583717",
"not_before": "1555579817",
"resource": "https://management.azure.com/",
"access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNiIsIng1dCI6IkhCeGw5bUFlNmd4YXZDa2NvT1UyVEhzRE5hMCIsImtpZCI6IkhCeGw5bUFlNmd4YXZDa2NvT1UyVEhzRE5hMCJ9.yyyyyyyLTBjYjZmZDNiM2UwNCIsInRpZCI6IjM3NGY4MDI2LTdiNTQtNGEzYS1iODdkLTMyOGZhMjZlYzEwZCIsInV0aSI6ImVWTWdDbkU4QWtPVXY3bFQ2QlRSQUEiLCJ2ZXIiOiIxLjAifQ.kxHCm2oGsuUvlXbncXQe7Wb0l-ZENqqG9_P_co0SPdYA3GkhFKDi6sQ7OaaHeDs4S6kN0-Diw5qBOzmFipSA5EUorA7UDbJfiSVVlaEzLY3IX_4WSV4Exc-kLOaX0j7KgvsEQbc5TEk8e4dPfokG98gGPmhy19xLyV84lX1v6DzgXINzP8gPkGmqR_J7iVFQ3m-Y18dHlxDpqQMTKxvQGnrsa7rflyxGUwEwwFZJH8t5NRv_mjQOIQBuosfhMAH88l-J8zEmXWLFqEzFBBWrz9UxT6X-XxRQZW4WBSoHTKd3vuBcEo6kUclfe4G7COOvI4zG0-j10mmGziKlzjNVMw"
}
Then I use the token to make GET request
https://graph.windows.net/{{company}}/users/{{email}}?api-version=1.6
and header
Key Value
Authorization Bearer {{token}}
but it fails with this error
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
}
}
}
What is the correct way to make a request to graph api ?
Updated answer according to your case
Okay I am showing the step from the beginning. Make sure you have complete following step exactly.
Step:1 : Application Registration
Go to your azure portal and click on azure active directory. Now click on App registrations and Enter a name for your app. Make sure you have select Web app / API as application type. Put any Sign on URL it does not have any impact though.
See the screen shot below:
Step:2 Application Configuration
Configure your application setting by clicking on settings option. Copy the Application Id which is your client ID. Generate your client_secret on Key menu. Now click on Required permission option and click on Add at new window. Choose Select an API choose Microsoft Graph Then Select it.
See the below screen shot
So your azure portal configuration is all set.
Step:3 Token Access Flow
For getting token I am using OAuth 2.0 Client Credentials Grant Flow. Let fire up POSTMAN Enter your token endpoint your like below:
https://login.microsoftonline.com/`YourTenantNameOrID`.onmicrosoft.com/oauth2/token
Enter following data in right format:
grant_type:client_credentials
client_id:Your Portal Application ID
client_secret:Your application Key
resource:https://graph.microsoft.com/
Note: I am using Microsoft Graph API so resource has chosen
//graph.microsoft.com/
See the screen shot for more details
Step: 4 Check Claims Of your Token
You can make sure your token contains required information by validating it claims on JWT. You can use https://jwt.io/ to validate your token.
See the picture of claims below:
Step:5 Access Your Microsoft Graph API Resource
Define your Microsoft Graph API resource URL
For example : https://graph.microsoft.com/v1.0/users
Select your API http verb
Select Your Token Type to Bearer Token
Enter your token on left token text box
You are done click send and check your response as expected. See the screen shot for details.
Request Format:
Response From API:
Note: Make sure you have resource access permission unless you would get access denied error.
For more information you could take a look here
If you have any more confusion feel free to ask in comment line. Thank you and Happy coding!
I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api
I'm trying to get the access token for the Microsoft Graph API in order to access a SharePoint document library. My application is a windows service, hence I'm following the procedure described here.
But when I try to get the access token, the response that I get doesn't have the scope value. Below is my response:
{
"token_type": "Bearer",
"expires_in": "3600",
"expires_on":"1492452559",
"not_before": "1492448659",
"resource": "https://graph.microsoft.com",
"access_token": "Token"
}
Because of this when I try to query the Graph API with this access token, I'm getting an error saying: Either scp or roles claim need to be present in the token
Can someone please help me on how to get this working? Thanks in advance.
That seems your client application hasn't set the appropriate app permissions when using client credential flow , below is an illustration of application permissions section in Azure AD classic portal. Please select appropriate permissions needed and retry :
And in addition , when using client credential flow to get the access token , you could check the roles claims in access token(that is the way to check the app permission, not in token response) , using a tool like http://jwt.calebb.net/ to decode the access token and check the app permissions :