Microsoft graph API: unauthorized error when used with sharepoint and token attached - azure

I am working on a SharePoint application. For my application, I have to fetch my details from Azure AD using Microsoft Graph endpoints. I have generated the access token using the /token endpoint and the client_credentials grant type. When I use the token received in the response with the Graph /users endpoint, I get an unauthorized error, as shown in the image below:
On the Azure portal, all permissions are granted to the Microsoft Graph API. Is there any configuration that is missing? How can I solve this unauthorized error?

I have not tested with the v2.0 endpoint; if it is acceptable to use the v1.0 endpoint, you could refer to these steps.
1. Navigate to Azure Active Directory in the portal -> App registrations -> New application registration; for more details, see this link.
2. Go to the AD App -> Keys -> generate a key for the AD App and copy the key value.
3. Then go to Required permissions -> Add -> select Microsoft Graph and "Read all users' full profiles" under APPLICATION PERMISSIONS -> Save. Then don't forget to click the Grant permissions button.
4. I tested it in Postman, specifying the body we need to get the access_token: the client_id is the Application ID of the AD App, client_secret is the key value you copied, grant_type is client_credentials, and resource is https://graph.microsoft.com/.
Sample:
POST https://login.microsoftonline.com/<Tenant ID>/oauth2/token?api-version=1.0
5. Use the access_token to call the MS Graph API; in my sample, I call the List users API, and it works fine.
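As an added example (not part of the answer above), the following Python builds the same client_credentials request the answer sends from Postman, for both the v1.0 endpoint (resource) and the v2.0 endpoint (scope ending in /.default), and then decodes a token payload to check the two things that most often cause the unauthorized error on /users: an audience that is not Microsoft Graph (token requested for SharePoint instead), and a missing roles claim (application permission not added, or Grant permissions never clicked). The tokens it inspects are constructed locally for the demonstration; tenant ID, application ID and key value are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Microsoft Graph as an OAuth resource: the v1.0 endpoint takes a `resource`
# URL, the v2.0 endpoint takes a `scope` of <resource>/.default.
GRAPH_V1_RESOURCE = "https://graph.microsoft.com/"
GRAPH_V2_SCOPE = "https://graph.microsoft.com/.default"
# Audience values a Microsoft Graph token may carry (the GUID is Graph's app ID).
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}


def build_token_request(tenant_id, client_id, client_secret, version="v1"):
    """Return (url, urlencoded form body) for a client_credentials request.

    version="v1" reproduces the Postman call from the answer; "v2" is the
    equivalent request against the /oauth2/v2.0/token endpoint.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if version == "v1":
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token?api-version=1.0"
        form["resource"] = GRAPH_V1_RESOURCE
    elif version == "v2":
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        form["scope"] = GRAPH_V2_SCOPE
    else:
        raise ValueError(f"unknown endpoint version: {version}")
    return url, urlencode(form)


def decode_claims(jwt):
    """Decode the payload of a JWT WITHOUT verifying its signature.

    Fine for diagnosing your own token locally; never use this to authorize
    anything, because the signature is not checked.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_app_token(jwt, required_role="User.Read.All"):
    """List the reasons a client_credentials token would be rejected by /users."""
    claims = decode_claims(jwt)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}, not Microsoft Graph: check resource/scope in the token request")
    roles = claims.get("roles", [])
    if "scp" in claims and not roles:
        problems.append("token carries delegated scopes (scp) only; client_credentials needs application permissions (roles)")
    if required_role not in roles:
        problems.append(f"roles claim lacks {required_role}: add the application permission and click Grant permissions")
    return problems


def _constructed_jwt(claims):
    """Build an unsigned, CONSTRUCTED token for offline testing (not issued by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample tokens: one shaped like the working token from the answer,
# one shaped like a token requested against SharePoint with a delegated scope.
GOOD_TOKEN = _constructed_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
BAD_TOKEN = _constructed_jwt({"aud": "https://contoso.sharepoint.com", "scp": "User.Read"})

if __name__ == "__main__":
    print(build_token_request("<tenant id>", "<application id>", "<key value>"))
    print(diagnose_app_token(GOOD_TOKEN))  # []
    print(diagnose_app_token(BAD_TOKEN))   # three problems
```

Paste the real access_token into diagnose_app_token before spending time on the portal: a wrong aud means the resource/scope in the token request is wrong, an scp claim means a delegated flow was used, and an empty roles claim means the application permission was never consented.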

I think you are missing the right scope in the token to use the "User" endpoint.
Possible scopes are:
User.ReadBasic.All
User.Read
User.ReadWrite
User.Read.All
User.ReadWrite.All
For further detail, please look here.

Related

Microsoft graph api - Tenant not recognized

I created an app in the App Registrations service in the Azure portal to access Microsoft 365 Graph APIs.
I could create a token using https://login.microsoftonline.com/570fa6c*************************f233/oauth2/v2.0/token, but when I tried https://graph.microsoft.com/v1.0/reports/getTeamsUserActivityUserCounts(period='D7') using the token generated above, I got the error: We do not recognize this tenant ID 570****************f233. Please double-check the tenant ID and try again.
I have a free trial subscription.
Could you please help; what am I missing here?
Thanks,
Neema
I tested in my environment and it is working fine for me; please use the steps below so you do not miss anything.
Created an application in Azure AD and gave it the Application -> Report.Read.All API permission.
Generated an access token using Postman with the parameters below passed in the body.
https://login.microsoftonline.com/tenantid/oauth2/v2.0/token
Added an assignment to the above Azure AD application with the Reports reader administrative role in Microsoft Teams.
Add Assignment -> Select Member -> search for your application and add it.
Now finally run the getTeamsUserActivityUserCounts API with the Authorization header Bearer {token}.
For me it shows blank output as I have no activity for any users.

Incomplete bearer token when using authentication-managed-identity tag in azure api management

I've been trying to expose an API through Azure API Management and I can't figure out what I'm doing wrong. Here's the situation:
My API is going to be called from an external application.
They don't have an Azure account in the same tenant.
I want to enable external calls to my API by just using a subscription key (hence why I'm using API Management), but I also want to keep my actual API secured with Azure AD.
I have an API which is secured with Azure AD using OAuth2 and published to a Windows App Service.
I have an App registration for that API, which I use to authenticate (it works from Postman, for example).
app registration
I have Managed Identities turned on and permissions set.
I have added the API in API Management.
I added the authentication-managed-identity inbound rule and used the API ID URI of the app registration as the resource value for it.
Api Management Config
When testing an endpoint from the APIM interface, I can successfully get a bearer token, but I get a 500 exception from the API which says: Neither scope or roles claim was found in the bearer token.
bearer response
Here is the decoded bearer token; it doesn't have an scp claim:
bearer decoded
I'm not sure where I can specify a scope. If I use the full scope URI (api://guid/access.api.management), it fails when trying to get a bearer token (The resource principal named api://guid/access.api.management was not found in the tenant).
I've even tried adding the Owner role to the APIM identity for the App Service.
Maybe I'm not using this correctly; I'm pretty new to using Azure cloud and API Management, so any suggestions are welcome.
Thanks.
You have exposed an API protected by Azure AD, and currently you have an API application. Next, you need to create another application that represents the client, and then add the client application to the API application.
Next, go to the client application.
Under 'API permissions' click on 'Add permission', then click on the 'My APIs' tab.
Find your API application and select the appropriate scope.
Click 'Add permissions'.
Grant admin consent for your APIs.
Next, you need to use the auth code flow to obtain an access token, which requires the user to log in and obtain an authorization code; then use the authorization code to redeem the access token.
1.Request an authorization code in the browser.
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client app client id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=api://{api app client id}/{scope name}
&state=12345
2.Redeem the token.
Parse the token:
I managed to get it working using the client credentials flow and storing the client secret in Key Vault.
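The error in the question ("Neither scope or roles claim was found in the bearer token") is raised on the API side: a token can be perfectly valid for the API's audience and still be rejected because it names no permission at all. The following Python is an added example (not from the question, the answer, or any Microsoft library) that models that check so the three situations can be compared offline: the managed-identity token as it was (correct aud, no scp, no roles), the same identity after an app role has been assigned to it, and a user token from the auth code flow carrying a delegated scope. The App ID URI api://guid and the scope name access.api.management are taken from the question; the app role name Invoke.All is a hypothetical one you would define under "App roles" on the API registration, and all three tokens are constructed locally.

```python
import base64
import json

# Identifiers from the question; the app role name is hypothetical.
API_APP_ID_URI = "api://guid"
ACCEPTED_SCOPES = {"access.api.management"}   # delegated (user) permission
ACCEPTED_ROLES = {"Invoke.All"}               # application permission (app role)


def decode_claims(jwt):
    """Decode a JWT payload without signature verification.

    A real API validates signature, issuer, audience and expiry first (for
    example via Microsoft.Identity.Web); this example models only the
    scope-or-roles check that produced the 500 in the question.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(jwt, expected_audience=API_APP_ID_URI):
    """Return (allowed, reason) for a bearer token presented to the API."""
    claims = decode_claims(jwt)
    if claims.get("aud") != expected_audience:
        return False, f"audience {claims.get('aud')!r} is not this API"
    scopes = set(claims.get("scp", "").split())  # space-separated string
    roles = set(claims.get("roles", []))         # list of app role values
    if not scopes and not roles:
        # The managed-identity case from the question: the token is for the
        # API, but no app role was assigned to the identity, so it proves
        # nothing about what the caller may do.
        return False, "Neither scope or roles claim was found in the bearer token"
    if roles & ACCEPTED_ROLES:
        return True, "application caller via app role"
    if scopes & ACCEPTED_SCOPES:
        return True, "user caller via delegated scope"
    return False, "token carries no accepted scope or role"


def _constructed_jwt(claims):
    """Unsigned, CONSTRUCTED token for offline testing (not issued by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed tokens modelling the three situations discussed above.
MANAGED_IDENTITY_NO_ROLE = _constructed_jwt(
    {"aud": API_APP_ID_URI, "oid": "<apim identity object id>"})
MANAGED_IDENTITY_WITH_ROLE = _constructed_jwt(
    {"aud": API_APP_ID_URI, "oid": "<apim identity object id>", "roles": ["Invoke.All"]})
USER_AUTH_CODE = _constructed_jwt(
    {"aud": API_APP_ID_URI, "scp": "access.api.management", "upn": "user@contoso.com"})

if __name__ == "__main__":
    for name, tok in [("no role", MANAGED_IDENTITY_NO_ROLE),
                      ("with role", MANAGED_IDENTITY_WITH_ROLE),
                      ("user", USER_AUTH_CODE)]:
        print(name, authorize(tok))
```

The practical consequence: the authentication-managed-identity policy is not wrong, and its resource should stay the App ID URI (api://guid), not a scope URI. What was missing is an app role on the API registration (allowed member type Application) assigned to the APIM managed identity's service principal; once that assignment exists, the token APIM obtains carries a roles claim and the check passes, with no client secret to store at all.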

VSO scope in Azure AD identity provider

I am building a bot which will be calling Azure DevOps to update a work item (scope required: vso.work_write, Update Work item). For this I want to have the user authenticate themselves using OAuth. Following the Authentication doc, I created the bot channel registration, followed by the identity provider, and then registered the identity provider in my bot. Now when I go to my identity provider under API permissions -> Add a permission -> Azure DevOps, all I see is a "user_impersonation" permission, whereas my requirement is to add a vso.work_write permission to modify ADO work items.
How can I add a vso.work_write permission to my identity provider so that my bot picks up the required scope while building the token? Or is there any method to manually enter the scope in the bot code?
Note: I tried giving the "user_impersonation" scope and generating the token with that scope, but I still get a 401.
Edit 1:
I am able to generate a JWT token, but using that token I am not able to hit the ADO endpoint; that's why I suspect it to be a scope issue only.
You could try the following steps:
You could use the URL https://token.botframework.com/.auth/web/redirect to create an App registration.
Grant user_impersonation to the app and generate the secret.
Go to Bot service -> Settings -> OAuth Connection Settings -> Add Setting.
Select Azure Active Directory and input the info.
Scopes: openid, email, profile, and offline_access. You could select openid.
Based on your description, the vso.work_write scope exists in the OAuth token and PAT (Personal Access Token).
You can also refer to the doc to generate the Azure DevOps OAuth token and use it in the Bot Service settings.
Here is a ticket with a similar issue; you could refer to it.

How to create users using Microsoft Graph API (from Graph explorer and Java application)

I am new to the Microsoft Graph API. I have read many articles on the web to understand the usage of the Microsoft Graph API for managing users in Azure AD. I am creating a Spring Boot based REST API service, which needs to create users in Azure AD.
I have registered my application in Azure Active Directory. I also have the "Directory.ReadWrite.All" permission for the Microsoft Graph API. I wanted to first try to create the user from Microsoft Graph Explorer. In Graph Explorer, I have to give the authorization token in the request header. In order to create the authorization token, I have followed the instructions given in the link https://learn.microsoft.com/en-us/graph/auth-v2-user. I have created the following URL based on the instructions, for obtaining the access token.
https://login.microsoftonline.com/{mytenantID}/oauth2/v2.0/authorize?client_id=validclientID&response_type=code&redirect_uri=https://localhost:4200&response_mode=query&scope=Directory.ReadWrite.All&state=12345
When the above URL is accessed from the web browser, I get a message which says "Need Admin Approval". I am not the admin of the Azure AD and I do not have access to my client's admin, so I am really stuck. Can anybody help me understand whether I will have to get admin consent each time I need to access the "create user" functionality of Azure AD through the MS Graph API? I would also need the create user functionality in the Spring Boot API. In this case, how would admin consent work? Is there any way that the create user functionality can work without admin consent?
I have read the following two questions on SO before posting this question:
How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?
Create user using Microsoft Graph
If you just want to create a user in your tenant, you can follow the steps below:
Create a new Azure AD app in your tenant and ask your tenant admin to grant the "Directory.ReadWrite.All" permission to this app:
Create an app secret for your Azure AD app:
Use this secret and this Azure AD app ID to get an access_token to call the Microsoft Graph API:
Request URL:
POST https://login.microsoftonline.com/<-your tenant name->/oauth2/v2.0/token
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type: client_credentials
client_id: your client ID
client_secret: your application secret
scope: https://graph.microsoft.com/.default
You will get an access_token from this API call.
See the screenshot below:
Use the access_token we just created to call the Microsoft Graph API to create a user:
As you can see, a user has been created:
If you have any further concerns, please feel free to let me know :)
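The answer's last step (calling Graph to create the user) is shown only as a screenshot. The Python below is an added example, not code from the answer, that builds the POST /users request body Graph expects and checks it before sending: the five properties Graph requires on user creation, a random one-time initial password generated with the secrets module, forceChangePasswordNextSignIn set so that the provisioning password cannot remain in use, and a check that the UPN domain belongs to the tenant (the verified-domain set is supplied by the caller; the contoso.onmicrosoft.com domain and user names are constructed). The access token comes from the client_credentials call described in the answer.

```python
import json
import re
import secrets
import string

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
# Properties Microsoft Graph requires on POST /users.
REQUIRED_PROPERTIES = (
    "accountEnabled", "displayName", "mailNickname", "userPrincipalName", "passwordProfile",
)


def generate_initial_password(length=16):
    """Random one-time password containing all four character classes."""
    if length < 8:
        raise ValueError("initial password must be at least 8 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_")
    chars = [secrets.choice(cls) for cls in classes]           # one of each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_create_user_payload(display_name, user_principal_name, verified_domains):
    """Body for POST /users. The UPN domain must be verified in the tenant,
    otherwise Graph rejects the request; checking locally gives a clearer error."""
    local, sep, domain = user_principal_name.partition("@")
    if not sep or domain.lower() not in {d.lower() for d in verified_domains}:
        raise ValueError(f"{domain!r} is not a verified domain of this tenant")
    # mailNickname may not contain '@' or most punctuation; derive it from the UPN.
    mail_nickname = re.sub(r"[^A-Za-z0-9._-]", "", local)
    if not mail_nickname:
        raise ValueError("cannot derive a mailNickname from the UPN")
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": user_principal_name,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,   # provisioning password is single-use
            "password": generate_initial_password(),
        },
    }


def validate_payload(payload):
    """Return the problems Graph (or a reviewer) would reject this body for."""
    problems = [f"missing required property {p}" for p in REQUIRED_PROPERTIES if p not in payload]
    if "passwordProfile" in payload:
        profile = payload["passwordProfile"] or {}
        if not profile.get("password"):
            problems.append("passwordProfile.password is empty")
        if not profile.get("forceChangePasswordNextSignIn"):
            problems.append("set forceChangePasswordNextSignIn so the initial password is single-use")
    return problems


def build_create_user_request(access_token, payload):
    """(method, url, headers, body) for the Graph call; send with any HTTP client."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return "POST", GRAPH_USERS_URL, headers, json.dumps(payload)


if __name__ == "__main__":
    body = build_create_user_payload(
        "Adele Vance", "adelev@contoso.onmicrosoft.com", {"contoso.onmicrosoft.com"})
    print(validate_payload(body))  # []
    print(build_create_user_request("<access_token>", body))
```

Because this runs under an application permission granted by the admin once, no per-request consent is needed afterwards; the Spring Boot service only has to keep the client secret out of source control and never log the generated password.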

Azure AD - get user's profile photo, OAUTH access failure

I'm trying to access the signed-in user's profile photo in the context of an email app which uses EWS to connect to Office 365.
The app is registered on portal.azure.com with the following required permissions:
Office 365 Exchange Online -> Access mailboxes as the signed-in user via Exchange Web Services
Windows Azure Active Directory -> Sign in and read user profile
The EWS part works just fine: I'm able to sign the user in, get the access and refresh tokens, and perform EWS operations using "Authorization: Bearer access_token".
The part I'm having trouble with is getting the user's profile photo.
These are the docs I'm going by:
https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations
The API endpoint I'm trying to use is:
GET https://outlook.office.com/api/v2.0/me/photo
... with "Authorization: Bearer access_token" header.
The above API returns this response:
HTTP 403
{"error":{"code":"ErrorAccessDenied","message":"Access is denied.
Check credentials and try again."}}
What could be wrong?
According to the above docs, getting the user's photo should be possible using the User.Read scope.
The "Sign in and read user profile" permission I mentioned above has a tooltip saying "User.Read", so I believe that's the right scope.
I've tried decoding my access token at jwt.io; it has "scp": "full_access_as_user". Where is my User.Read scope, or does "full access" include User.Read?
Any ideas?
This is because you tried to use the v2 endpoint REST API but you didn't register the application with the v2 endpoint.
The User Photo API is only available on the Azure AD v2 authentication endpoint, not on Azure AD and OAuth:
You need to go to the Microsoft Application Registration Portal to register your application. For more details, you can refer to this document.
Just for the record:
Since we were not able to use OAuth2 APIs for this, and our app uses EWS (Exchange Web Services) already, we just ended up using the GetUserPhoto command with the user's (account's) own email address.
It works fine.
