New Microsoft Graph API - App-only access

Question

I want to check the calendars from several users. Therefore, I need app-only access (because the app needs more rights than the logged in user).

With the "old" API this was possible by following these instructions: https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365

With the new Microsoft Graph API this doesn't seem to work. Is there a way to make this work? I want to use the Microsoft Graph API for all the Office 365 API functions which I need in the app.

Thanks in advance!

(Edit: Including error message.)

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. Trace ID: 718db531-d789-4b45-ae9d-c2e53f3786fd Correlation ID: 6a157ae5-7dc3-4470-81c0-f410e14f9c04 Timestamp: 2015-11-27 12:40:33Z ---> System.Net.WebException: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert. bei System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

I gave full delegated and full application persmissions. Here is the token which I get:

{"token_type":"Bearer","expires_in":"3599","scope":"Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read Directory.Read.All Directory.ReadWrite.All Directory.Write Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected full_access_as_user Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Tasks.ReadWrite User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All user_impersonation","expires_on":"1448974661","not_before":"1448970761","resource":"https://graph.microsoft.com/","pwd_exp":"582983","pwd_url":"https://portal.microsoftonline.com/ChangePassword.aspx","access_token":"eyJ---------zQXg","refresh_token":"AAABAA--------pYSAA","id_token":"eyJ0eXAi-------4wIn0."}

I don't have the rights to read other calendar than my.

Edit: I can't get the App-Token...heres my code (App-Token worked before when I was not using the new graph api)

        string authority = appConfig["AuthorizationUri"].Replace("common", appConfig["ida:TenantId"]);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
        string certfile = appConfig["o365_CertPath"];

        X509Certificate2 cert = new X509Certificate2(certfile, // password for the cert file containing private key 
                                                    appConfig["o365_CertPassword"],
                                                    X509KeyStorageFlags.MachineKeySet);

        ClientAssertionCertificate cac = new ClientAssertionCertificate(appConfig["ida:ClientId"], cert);

        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync("https://outlook.office365.com", cac);
        this.currentAccessToken = authenticationResult.AccessToken;

I tried different endpoints by AcquireTokenAsync. I always get the errormessage:

{"AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature.\r\nTrace ID: 6fe2a6bd-77d3-47a8-83d4-e10aea69b88a\r\nCorrelation ID: 53071578-1c16-4c17-8f77-fc5821c18d4b\r\nTimestamp: 2015-12-02 08:05:25Z"}

Thanks again

Answer 1

I had a similar issue. I was using Create-SelfSignedCertificate.ps1 from the PnP site. I switched to using Makecert and everything worked. Basically followed Richards exact instructions here http://blogs.msdn.com/b/richard_dizeregas_blog/archive/2015/05/03/performing-app-only-operations-on-sharepoint-online-through-azure-ad.aspx