Getting 401 Unauthorized while accessing Power BI API - azure

Here's a screenshot of the API call in Postman. I'm getting the token and using it here.
I'm getting 401 Unauthorized with no response. Is it because of the permissions within the app registration?
I've the following permissions for Power BI Service and Windows Azure Active Directory:
But when I click on grant permissions I get the error:
So, does the admin need to grant permission for this app (Web app / API) for it to work?
UPDATE
This is the API I call to get the access token.
https://login.microsoftonline.com/parkercorp.onmicrosoft.com/oauth2/token
POST BODY:
client_id: app_registration_clientId
client_secret: app_registration_client_secret
grant_type: client_credentials
resource: https://analysis.windows.net/powerbi/api
scope: openid
This is the decoded token as suggested by Tom Sun.

So, does the admin need to grant permission for this app (Web app / API) for it to work?
The root reason that granting permission failed is that you need admin consent, which your admin can do.
As you want to access the Power BI resource, you just need to check the Power BI service permission.
But according to your screenshot, you are trying to call the Get Dashboard API.
GET https://api.powerbi.com/v1.0/myorg/dashboards/{dashboardKey}
Based on the document, the required scope is Dashboard.ReadWrite.All or Dashboard.Read.All. There is no need to require admin consent.
A 401 error means that there is no permission to access the resource.
We could use JWT.io to decode the token to check the aud and permissions.
If possible, you could add the code showing how you get the token; that would be more helpful.

When you have a permission checked that says "Requires Admin", then yes, you need an admin to click Grant Permissions. However, I don't think the two you have selected in your screenshot above are necessary for what you're trying to do. Try unchecking them, granting permissions, and running the request again.

Related

Microsoft Graph 403 Forbidden when getting /v1.0/me

I'm having a bit of a difficult time trying to figure out what I'm doing wrong. I've registered an application with Azure portal and I keep getting a 403 error after the Oauth2 is completed and when I request the user data when hitting https://graph.microsoft.com/v1.0/me
Full error:
Client error: `GET https://graph.microsoft.com/v1.0/me` resulted in a `403 Forbidden` response:
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-11-29T21:40:18","request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451","client-request-id":"cc4628ee-4ab4-4eec-8766-9e3290ba4451"}}}
I'm using the PHP SDK to do this, and I had it working with another app but with this new app I can't seem to do it.
This is the API Permissions I have available for the Application:
There are so many permissions, I'm not sure why I'm getting 403? I don't see what scope I'm missing? On the PHP SDK side, I've included all the scopes as in the image.
I tried to reproduce the same in my environment.
Here I used the client credentials flow to get the token.
I tried to query the Graph /me endpoint; it requires delegated authentication.
Calling the https://graph.microsoft.com/me endpoint needs a signed-in user and so a delegated permission.
So even if the delegated permission is given, if the client credentials flow is used as grant_type, there will be a 403 Forbidden error.
I tried the same with authorization code flow and could sign in user and get details successfully.
Another criterion: I tried the same for the users endpoint
https://graph.microsoft.com/v1.0/users
Required permissions:
Here the admin consent is not granted for the User.Read.All application permission
Make sure the application permissions required for your query are granted admin consent directly through portal or during authentication of user account with which the query is made.
Then the request can be queried successfully.
Reference: Get a user - Microsoft Graph v1.0 | Microsoft Learn

how to create access_token to access ARM API for a user and not the service principal

I need to secure my ML endpoints in azure based on user credentials and user accesses.
Right now, we are authorising based on service principal account but now we want to test for each user.
I can see the documentation for REST API to get the access_token to make Rest API requests to ARM (azure resource manager) for a service principal account but not for any azure user.
So any pointers on whether this can be achieved or not?
So, basically what I am trying to do is this:
when a user tries to access the endpoint, it's his credentials which need to be validated to decide whether he can access the API or not.
So what I see is that any number of users can be added to a workspace, but not all users might have access to the scoring endpoint request.
In that case, only allowed users should be able to make the request and other users should be denied.
To generate access token based on user credentials, you can make use of ROPC flow.
While calling API with that token, validation will be done depending on Azure user's roles or permissions.
I tried to reproduce the same in my environment and got below results:
I created one Azure AD application and granted consent to API permissions like below:
I got the access token successfully via Postman using user credentials with parameters like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sricontri#tenant.onmicrosoft.com
password:xxxxxxxxx
Response:
Using the above access token, user can make Rest API requests to Azure Resource Manager successfully like below:
//To fetch list of resource groups present in the subscription
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01
Response:
Please note that, the above user has Contributor role on the subscription that allowed user to make the request.
Now, I generated token for different Azure user via Postman in the same way as below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sridemo#tenant.onmicrosoft.com
password:xxxxxxxxx
Response:
When the user included above token to make the same request, access is denied with 403 Forbidden error like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01
Response:
Please note that, the above user doesn't have required roles or permissions to access Azure resources that denied the request.

Error 403 Create Online Meeting with Microsoft Graph and the permissions are right

I am trying to create an online meeting to get the join URL from Microsoft Teams Meeting using Postman, but I am getting a Forbidden (403) error even after I had provided Application (With Admin Consent) and delegation permission to "OnlineMeetings.Read.All", "OnlineMeetings.Read", "OnlineMeetings.ReadWrite.All", "OnlineMeetings.ReadWrite".
PS: I'm using an access token that I generated in Postman, and this is the same token with which I can create events in Outlook using Microsoft Graph.
Some pictures about the issue:
Azure Application permission
Postman Token Generate that I'm using
The Issue - 403
An Event that I created with the same token (Outlook)
Could somebody help me?
The permission required for creating online meeting is OnlineMeetings.ReadWrite Delegated permission based on Permissions.
I can see that you have added this permission into your Azure AD app from your first screenshot. But you didn't do the consent for it. In this case the permission won't be included in your access token. You can decode your token in https://jwt.io to verify it.
So please click on "Grant admin consent for {your tenant}" to do the consent.
I had the same problem until a fellow user reminded me of an important note. According to Microsoft, you have to use the Skype for Business PowerShell to create a policy for your AppId and then grant that policy per specific user on behalf of which you will want to book an Online Meeting.
Documentation for creating and granting the policy
Referenced SO question

Microsoft Graph Access Token contains wrong permission for contacts API

So basically I need to access the contacts of an office 365 user.
I use the Microsoft graph API and I successfully can get all the contacts via an HTTP GET in a JSON. But now I'm trying to write a JSON to the https://graph.microsoft.com/v1.0/me/contacts API with an HTTP POST, but I get a 403 - Permission Denied every time. So I went to https://jwt.io/ and checked my access token and saw that I don't have the permissions to write in the contacts.
I get those permissions:
"scp": "Contacts.Read openid profile User.Read"
Even though I only set Contacts.ReadWrite in the App Registration settings on the Azure portal.
Permissions
I've tried updating the permissions but that didn't help.
If you have changed the permissions, users need to consent again.
You can force user consent through a url request, append &prompt=consent to the authentication request URL.
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={your_client_id}
&response_type=code
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
&prompt=consent
Or you just grant consent on behalf of all users in this directory. Granting admin consent for all users means that end users will not be shown a consent screen when using the application.

Getting 403: "Insufficient privileges to complete the operation." when attempting to query Graph API

We've migrated to a new tenant where I work. As such we are trying to re-add our applications into Azure AD. We have a documented process that has worked in the past in order to add applications for our MVC and WebAPI projects. However, we've been getting errors when attempting to query the Graph API. In the example application we've used the code from here to create a custom authorize attribute that allows us to group based authentication. After debugging the /Utilities/GraphHelper.cs we've determined that the application is getting a Status Error of 403 with a message that states: "Insufficient privileges to complete the operation."
After doing a bit of research I was able to replicate the Authentication process in Fiddler.
Action Method: POST
URL: https://login.windows.net/[tennantName]/oauth2/token?api-version=1.0
Header Block:
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Content-Length: 180
Expect: 100-continue
Connection: Keep-Alive
RequestBody:
grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=[clientId]&client_secret=[urlencoded client secret]
I get back a token from this request and then attempt to query the federated directory from the graphapi again with fiddler:
Action Method: GET
URL: https://graph.windows.net/[federated domain]/directoryObjects/{group-guid}
Header Block:
Content-Type: application/json
Host: graph.windows.net
Authorization: Bearer [token from login response]
I receive a 403 response with the body:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
In Azure Active Directory, Under App Registrations for this application the manifest has been modified by a user with Company Admin Role for:
"groupMembershipClaims": "SecurityGroup", ...
"oauth2AllowImplicitFlow": true,
An Application Key was generated that is used for fetching a token to access the graph API.
Under Required Permissions for Application Permissions Read directory data, and Read all hidden memberships were checked by a user with Company Admin Role.
I'm out of ideas; everything should be working.
I called MSFT support for Azure, apparently there is an issue with portal.azure.com assigning permissions. I was able to resolve this by going to the classic portal and getting the permissions reassigned.
Access that a client app has to the AAD Graph API is dependent on the permissions you have registered on your application.
Note that there is a section in the app registration process called "permissions to other applications" where you will need to specify the Graph API as a resource you want to call, and you must specify with what level of permissions you need to call that API.
Read more here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/
On your web client application’s configuration page in the Azure classic portal, set the permissions your application requires by using the drop-down menus in the Permissions to other applications control.
You can read more about the various scopes/permissions that the Graph API exposes here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Selecting these permissions is the first step, but it is not quite enough to actually get your app the right access it needs. The step you are missing is consent. Every application needs some level of user consent in order to access their tenant's data via the Graph API. Even if your application is doing App Only Flows (acting as a Daemon Service using the Client Credential Flow), you will still need the initial permissions to be consented to by the admin of the tenant where you want to get access to the data. This means the first time you want to use the application, you will have to trigger an interactive login experience. This process may happen 'automagically' when you use the "management.windowsazure.com" portal if you are an Admin configuring the app, since they automatically consent to the app on your behalf, however in all other scenarios you will have to follow the normal process of obtaining user consent yourself.
Once you have correctly configured your app with the right permission scopes, and have obtained consent, you should see in your access tokens 'scopes' or 'role' claims which represent the permissions your application is authorized for.
Using this knowledge, I hope you will be able to resolve the issue you are facing.
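Several answers on this page (the Power BI 401, the Graph /me 403, the online meeting and the contacts threads, and the answer just above) recommend decoding the access token to check its aud and its scope or role claims. The following is an added example of that check, not code from any of the posts: it reads the payload without verifying the signature and reports why an API would reject the token. The function names are hypothetical and the tokens are constructed, unsigned samples; the scp string is the one quoted in the contacts question.

```python
import base64
import json


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified, so use
    this to inspect a token you obtained yourself, never to authorize a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, expected_aud, required, needs_user=False):
    """List reasons the API would reject this token. `required` holds the
    permissions of which any one is sufficient for the call."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != expected_aud.rstrip("/"):
        findings.append(f"aud is {aud!r}, API expects {expected_aud!r}")
    scopes = set(claims.get("scp", "").split())  # delegated permissions (user token)
    roles = set(claims.get("roles", []))         # application permissions (app-only)
    if needs_user and "scp" not in claims:
        findings.append("app-only token on an endpoint that needs a signed-in user")
    granted = scopes | roles
    if not granted & set(required):
        findings.append(f"none of {sorted(required)} granted; token has {sorted(granted)}")
    return findings


def make_sample(claims):
    """Build a constructed, unsigned sample token (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


GRAPH = "https://graph.microsoft.com"
# Constructed samples: the scp value is the one quoted in the contacts question.
CONTACTS_TOKEN = make_sample({"aud": GRAPH, "scp": "Contacts.Read openid profile User.Read"})
APP_ONLY_TOKEN = make_sample({"aud": GRAPH, "roles": ["User.Read.All"]})

if __name__ == "__main__":
    print(diagnose(CONTACTS_TOKEN, GRAPH, {"Contacts.ReadWrite"}))
    print(diagnose(APP_ONLY_TOKEN, GRAPH, {"User.Read"}, needs_user=True))
    print(diagnose(APP_ONLY_TOKEN, GRAPH, {"User.Read.All"}))
```

An empty list means the token's audience and permissions match the call; a token from the client credentials flow carries roles and no scp, which is why it fails on /me even when delegated permissions are configured.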
