Graph API Client token authentication issue

Question

My website is using the GraphClient Library (http://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient) to query Azure AD. Its using its own credentials and authorization token to access graph.windows.net and this works fine.

I'm trying to change it so that when users log into my website and authenitcate using their own Microsoft tenant account, my website then queries the graph.windows.net using that users token and not its (the webserver) own.

I'm using OWIN middleware, OpenID against Microsoft for authentication and finally the GraphClient to query AzureAD.

Right now my process is in OWIN Notifications => AuthorizationCodeReceived I do a AcquireTokenByAuthorizationCode() to retrieve the users AccessToken, then I try connect to the GraphClient like so..

new ActiveDirectoryClient(
  new Uri(graphResourceID + '/' + tenantID),
  async () => userAccessToken
)

The GraphClient always returns a response saying 'insufficient privileges' to all the calls I checked. But if I create a simple HTTPClient request to the graph.windows.net REST API and inject the "Bearer" authoriaztion header with userAccessToken from above then the Graph API gives me a valid response.

Why is the GraphClient library returning 'insufficient privileges' when a simple HTTPClient request works fine?

Answer 1

Connecting to your Azure Active Directory, you should be able to configure the permissions for your application :