Problem
When generating an access token for Microsoft Graph API via ADAL, Graph API does not accept the token.
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
What the application does
The application should read all users of a tenant. The application is configured to have User.Read.All privileges. The application consent is granted by the tenant, where the users should be read from - the application does appear with the privileges in Azure Portal.
What I have so far
The application worked a few days ago and I changed nothing. Other applications using the same way to authenticate work.
Recreating to AAD application did not help
Reinstalling the NuGet packages did not help
Changing the authority from login.windows.net to login.microsoftonline.com did not help
Token generation does not work with client secrets and not with a certificate
Decoding the generated JWT token shows the permissions required for the action
Solution
It seems, that the documentation from microsoft is not correct. Listing users requires the Directory.Read permission.
Update
According to Microsoft it is not clear, if this is a bug in Graph API or the documentation is wrong.
An issue is open at Github here.
Update 2
This issue was fixed in an update of the Graph API in May 2017.
Related
Attempting to create an online meeting via Postman following instructions here and here.
I have signed up for a free developer account at Microsoft Azure Portal. I have successfully created an additional user. I have successfully registered a test application:
I have created Bearer tokens with scope User.Read.All, OnlineMeetings.ReadWrite, Calendars.ReadWrite using both the TenantID ( login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/authorize ) and the organizations path ( login.microsoftonline.com/organizations/oauth2/v2.0/authorize ) patterns,
, and have verified the API permissions in Azure.
I have set up my Microsoft Graph environment for Postman (I believe) correctly, setting ClientID, ClientSecret, TenantID, UserPassword, and UserName.
I have been able to connect via Postman and query both users (Get Users) and my user profile (Get My Profile), and have successfully received responses for both.
I believe I have configured my POST headers correctly.
I am posting the following JSON content:
{
"startDateTime": "2021-01-22T14:30:34.2444915-05:00",
"endDateTime": "2021-01-22T15:00:34.2464912-05:00",
"subject": "User Token Meeting"
}
The problem here is that regardless of Token used (either the generated {{UserAccessToken}} when using {{TenantID}} or copy/pasting the token from the ../organizations/.. pattern), and whether I post to https://graph.microsoft.com/v1.0/me/onlineMeetings or https://graph.microsoft.com/beta/me/onlineMeetings, I am receiving a 403 Forbidden Status response.
I'm honestly not sure if this is due to something I have done wrong or if there is a problem with Azure "free" developer accounts not having the rights to create meetings.
Does anybody have a solution for this? Or a link to instructions on creating a Teams meeting via Postman that works?
Thanks.
I can reproduce your issue with an Azure AD Free tenant, I suppose you also use that.
And it works in an Azure AD Premium P2 tenant.
Looks the issue should be related to the Azure AD Pricing tier(maybe related to the Microsoft Teams License more specific, not an expert about that, not say much here), so to solve this issue, you could upgrade your Azure AD License, if you have not used the Free trial before, you could navigate to the Azure Active Directory -> Licenses, active the Premium P2 to have a try.
Must LOG INTO TEAMS AT LEAST ONCE before creating meetings via API.
Please refer to #Joy Wang's answer regarding Licenses, as I believe that was also necessary.
Once I set my licenses correctly I still could not get it to work until after I logged into Teams using the test Developer credentials. I had never logged in before, just went directly to API work. After I did the initial login the API calls from Postman began to return a 201 - Created response.
So, I am trying to utilize Graph API with Azure AD B2C. My understanding is that it's not possible to use the client_credentials flow when requesting access tokens. When I try to utilize an access token with client_credentials to get /beta/policies/b2cAuthenticationMethods I receive this error:
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": {
"correlationId": "4c00031f-febc-4c1a-9728-701f0c1fda00",
"date": "2021-01-19T18:51:42",
"request-id": "77a30adb-5103-40ec-84f3-0626800e976a",
"client-request-id": "77a30adb-5103-40ec-84f3-0626800e976a"
}
}
}
Which is expected since I used the client_credentials flow.
But, the documentation states the following:
Although the OAuth 2.0 client credentials grant flow is not currently
directly supported by the Azure AD B2C authentication service, you can
set up client credential flow using Azure AD and the Microsoft
identity platform /token endpoint for an application in your Azure AD
B2C tenant. An Azure AD B2C tenant shares some functionality with
Azure AD enterprise tenants.
I have gone through the process linked above. However, I am running into one issue and now have questions about this "automated" process:
Question: How do I complete this automated process for requesting and utilizing access tokens with a registered app in B2C if I cannot use the client_credentials flow?
I cannot have any user interaction when this application requests an access token.
Do I have to use a different flow? If so, how do I do it so that things like MFA aren't an issue? I am not using any SDKs, I am just directly querying MGraph using an HttpClient in my application with the Authorization Bearer header passed.
Issue
Why am I not able to complete this part of the above linked documentation.
I am logged in as a global admin for my B2C tenant. I navigate to the Roles and Administrators section
Then, in the Add Assignments popup that appears on the left I start typing the name of my app
and it does not appear! But it is registered, and I can see it in my list of registered applications:
What is the deal here?
I have found many other questions similar, and all have led me to the referenced documentation page. But, I still am not quite understanding the correct procedure to automatically get an access token for a registered app in B2C tenants.
Thanks so much.
Edit
See my answer for both solutions to the problems I had in this post.
Okay, so I managed to find the answer to my issue here.
Just out of curiosity, I made that ServicePrincipal for my application a Global admin. I used the client_crededentials flow again to the beta/policies/b2cAuthenticationMethodsPolicy and STILL received that above error about User Authorization: Access is dened. What the heck? I'm starting to wonder if it's that specific endpoint that's the issue, and not the flow itself. Especially because I can get /beta/users just fine when using the access token from client_credentials flow for my B2C tenant.
Alright, I have found my answers.
To my issue:
I found the answer on this thread https://learn.microsoft.com/en-us/answers/questions/229991/azure-ad-b2c-application-won39t-show-up-as-an-opti.html.
To my question:
I opened an issue on the MSFT Docs GitHub page, and someone was able to answer my question there.
Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
I have an API hosted on the cloud and a daemon app client in the same organization and on the same network but on my local machine. I have double and triple checked the setup but still not able to connect them with each other.
So to look at the problem I divided them into two sub-problems.
Connecting Daemon App to Azure AD retrieving the token and then accessing Microsoft Graph using the token.
Error post retrieval of token.
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2646f5f8-9c25-482d-a89f-f14ca6c06cf7",
"date": "2019-07-22T01:13:30"
}
}
I used this Azure Document and Sample to produce the error above.
Accessing the API using the daemon app - So I never reached to because I never was able to pass step 1.
Any thoughts on how can I get to fix this. Am I am missing something simple?
Azure AD Graph API is different from Microsoft Graph API. So there are two ways to make it work.
1.Use Microsoft Graph API.
You should grant the application microsoft graph api permission.
2.Use Azure AD Graph API.
You need to update the code as below.
a.Change the scope to https://graph.windows.net/.default.
b.Change the api to GET https://graph.windows.net/myorganization/users?api-version=1.6
Note:
We strongly recommend that you use Microsoft Graph instead of Azure AD
Graph API to access Azure Active Directory resources.
I have setting up an Azure logic apps on my azure account that send posts for both Facebook and Twitter based on an condition many days before I had tested my logic apps successful published post but now this issue occurred I have no idea about that.
Many thanks for your help.
{
"error": {
"message": "(#200) Requires either publish_actions permission, or manage_pages and publish_pages as an admin with sufficient administrative permission",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "GHv4s/FqX8U"
}
}
It is probably more a problem of the user's permissions with which you establish the connection in the LogicApp. check if that profile with which you have established the connection with Facebook has the necessary permissions to perform the actions described in the error.
This has to do with user permissions in AAD (Azure Active Directory).
Go to the logic app's
Access control (IAM) -> View my access
In my case I see the following
but perhaps you have read-only rights. Once you can modify the logic app, you should have sufficient administrative permissions.
Try to log out of both Azure / Facebook and re-enter the credentials.