I am trying to access the Online Meetings Graph API (Beta version) using developer tenant. I am able to login successfully to the developer tenant but not able to get the Token to access the graph API for Application type graph APIs. I am able to get the token for delegated type Graph APIs successfully and able to connect to the Graph API.
I given the admin consent for these APIs using button "Grant admin consent for [0]" in Azure Active Directory => App Registrations => My App => API Permissions in the Azure portal. I am able to see the success message as "Granted for [my Tenant]".
But I am getting the error saying "AADSTS65001: The user or administrator has not consented to use the application" while getting the token. I am using ConfidentialClientApplication class and AcquireTokenByAuthorizationCodeAsync method to get the token.
So is there any other place I need to verify for the consent or for developer Tenant and for these Beta APIs, I need to check any other process ?
Thank You for Your Time,
Rishi
I tried for delegated APIs (User.Read and Contacts.Read) and working fine on developer tenant. While doing trail and error I got error saying Invalid Scope (OnlineMeetings.ReadWrite.All) couple of times.
For Application type graph APIs, you should use client credentials flow to get the token.
Make sure you add the application permission and grant admin consent for it.
Related
So I am writing a .NET 6 Core Web Api using Azure AD as authentication for the API.
Now when using Graph API as example, you need to setup Graph API scopes in the App Registration. Lets use a delegated "user.read" permission for this example.
I use Postman to receive the access token for the application by authenticating as an user against Azure AD for the API. I would expect to receive a consent-screen so I can consent to the usage of "user.read". This does not happen though.. I get logged in and receive a valid access token. In the Backend though, it will throw an error because the user / admin did not consent to the application.
How do I get around this? Why don't I get asked to consent the permissions set up in the app registration? Neither in Postman, nor in a Swagger oAuth Flow..
My current workaround for this is to use a React application and sign in over the frontend application. Using the frontend application, I get asked to consent to the permissions. After consenting, I can use postman without getting the "user didn't consent" - error.
Any ideas? What did I miss?
Let's focus on the user-consent page first. When we created an azure ad app then add api permission for it, then use this azure ad app to make your .net 6 app/react app integrate azure ad to use azure authentication, and we go to the microsoft sign in page and successfully sign in, we will see a dialog which indicating that this app require you to consent a list of permissions. The permissions are correspond to the api permissions you set for the aad app. After consent once, then it won't ask you to consent again when sign in next time.
This consent only happened when users are signed in. Let's go back to the flows used to generate access token in Azure AD. Since you used delegate permission, then you may used the recommend Auth code flow(Another flow called ROPC flow can also generate delegate access token but not recommended). When we used auth code flow, we need to sign in first, the login url should look like this:
https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=azure_ad_app_id
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=user.read
&state=12345
We need to use it to get the auth code, then we can use the code to generate access token, per my test, I created a new azure ad app and when I directly hit this url in the browser and sign in, it still required me to give the consent. So I'm afraid the reason why you didn't see the dialog when test in post man is that you've consent it when test in react app, or you don't use auth code flow.
I have a question about accessing the Microsoft Graph Api once a user is logged in through Azure Ad B2C. I am trying to migrate my app to login through b2clogin.com instead of login.microsoft.com and mostly it works except I can no longer call the Microsoft Graph Api to get the logged in user profile.
I have set up Postman as an Application in my B2C tenant and configured the api permissions with https://graph.microsoft.com/User.Read but when I try to get a token with the https://graph.microsoft.com/User.Read scope I get the following error
AADB2C90205: This application does not have sufficient permissions against this web resource to perform the operation
I am not sure what this error means but when I look at the signins for the user in the portal I see 3 signins.
The first has a status of Interrupted with an Failure Reason of
The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. Contact app owner.
The second one has a status of Interrupted with an Failure Reason of
Application X doesn't have permission to access application Y or the permission has been revoked. Or The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. Or The user or administrator has not consented to use the application with ID X. Send an authorization request to your tenant admin to act on behalf of the App : Y for Resource : Z.
The third one has a status of Success
I have been looking through the documentation for days trying to figure this out.
I am missing some configuration I need to access the Microsoft Graph Api for a B2C user?
The setup you describe is not actually possible.
You have created an App Reg in the AAD blade and assigned the Ms graph permissions.
Then the error you receive is against the AAD B2C endpoint, not the AAD endpoint for which your app is made for (since AAD B2C apps cannot be assigned permissions for Graph api). So you have used an AAD app and tried to auth against the B2C endpoint - that won’t work properly.
You cannot access ms graph via a B2C user authenticated against the B2C endpoints.
You can access ms graph via an AAD user or AAD user inside a B2C directory via the AAD endpoints of an AAD or AAD B2C directory.
In a B2C scenario the normal pattern is to auth the user against B2C endpoints and have your API auth against the AAD endpoints using client credentials to gain access to Graph API and make operations on the users behalf.
I am trying to setup an API to be protected using Oauth 2.0 in Azure AD. I follow the steps in here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow.
The API has one scope - one application permission defined. I am able to add the API permission successfully to the client app, and have selected the right scope, as shown in the screenshot.
However, when I test the web app, after authentication the below error is thrown:
The application OAuthClientApp asked for scope approle that doesn
t exist on the resource 2700000003-0000-0000-c000-000000000000.
Contact the app vendor.
App permissions only apply when a client app uses client credentials only for authentication.
So when there is no user involved, app permissions apply.
A client can acquire an access token using their client id + secret/certificate with the scope your-api-client-id/.default or your-api-id-uri/.default.
Documentation for client credentials grant: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.
.default basically means "the permissions required statically by my app in the registration".
Since app permissions must be required statically, it makes sense to use it.
Authorization code grant, implicit grant and a few others involve a user in the authentication and only delegated permissions apply.
Remember to also grant admin consent for the app permission.
In the screenshot it says consent has not been granted.
I am new to Microsoft Graph API. I have read many articles on the web to understand the usage of Microosft Garph API for managing users in Azure AD. I am creating a Springboot based REST API service, which needs to create users in Azure AD.
I have registered my application in Azure Active Directory. I have also 'Directory.ReadWrite.All" permission for Microsoft Graph API. I wanted to first try to create the user from Microsoft Garph explorer. In the Graph Explorer, I have to give authorization token in the Request header. In order to create authorization token, I have followed the instruction given in the link https://learn.microsoft.com/en-us/graph/auth-v2-user. I have created the following URL based on the instruction, for obtaining Access token.
https://login.microsoftonline.com/{mytenantID}/oauth2/v2.0/authorize?client_id=validclientID&response_type=code&redirect_uri=https://localhost:4200&response_mode=query&scope=Directory.ReadWrite.All&state=12345
When the above URL is accessed from the web browser, I get a message which says "Need Admin Approval". I am not the admin of the Azure AD and I do not have access to the admin of my client, so I am really stuck. Can anybody help me understand whether I will have to get admin consent each time I need to access "create user" functionality of Azure AD through MS Graph API? . I would also also need the create user functionaltiy in the Springboot API. In this case, how would Admin Consent work?. Is there anyway that the create user functionality can work without Admin consent.
I have read the following two questions in SO before posting this question
How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?
Create user using Microsoft Graph
if you just want to create a user in your tenant , you can follow the steps below :
Create a new Azure AD app in your tenant, ask your tenant admin to grant "Directory.ReadWrite.All" permission to this app :
Create a app secret for your Azure AD app :
Use this secret and this Azure AD app ID to get access_token to call Microsoft Graph API :
Request URL :
POST https://login.microsoftonline.com/<-your tenant name->/oauth2/v2.0/token
Request Header :
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type:client_credentials
client_id:your client Id
client_secret: Your application secret
scope=https://graph.microsoft.com/.default
You will get an access_token from this API calling.
See the screen shot below:
3. Using the access_token we just created to call Microsoft Graph API to create a user :
As you can see , a user has been created :
If you have any further concerns , pls feel free to let me know : )
I have a following application architecture:
Angular 5 client
C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
Click Settings
Go to Required permissions
Click Add
Click Select an API
Select Microsoft Graph and click Select
Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph