rept

Reputation: 2236

Logging in users through Azure AD

I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.

The user rights that I ask are:

Sign users in  
Read calendars in all mailboxes  
Read directory data  
Read all users' full profiles  
Sign in and read user profile  
Enable sign-on and read users' profiles  
Read directory data  

And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]

Getting all the users works fine with this call: https://graph.microsoft.com/v1.0/users

However, now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the IDs in the application... I found this call and tried executing it: https://graph.microsoft.com/v1.0/me

But I'm getting back this:

784: unexpected token at '{ "error": { "code": "Request_ResourceNotFound", "message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.", "innerError": { "request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe", "date": "2016-10-22T01:26:54" } } }'

What am I missing here?

Just to make sure, can somebody confirm that what I plan to do is possible:

Upvotes: 0

Views: 169

Answers (1)

Fei Xue

Reputation: 14649

From the error message, it seems you were using the app-only token, which is acquired using the client credential flow, to call the Microsoft Graph. There is no user context info in the app-only token, so it is not supported to call this REST endpoint using this kind of token.

And based on the description, you were authenticating the users with the OpenID Connect protocol. To get the user info, we can retrieve this information from the id_token. And if you were developing an ASP.NET web application, you can also get this information from the ClaimsPrincipal class easily.

Have the admin user authenticate and give access (see rights above)

Sync the users so they exist in my webapp as well (and I have their IDs)

When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp

The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.

Upvotes: 1
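The distinction the answer draws, as an added example in Python (not code from the question or the answer): a delegated token carries a user identity and a `scp` claim, an app-only token from the client credential flow carries `roles` and no user, so only the former can back a call to `/me`; the `oid` claim of the id_token is the directory object id that `GET /users` returns as `id`, which is the value to match against the synced users. The tokens, ids and user table below are constructed placeholders, and the parser reads claims without verifying the signature, which a real deployment must do against the tenant's JWKS first.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Parse the payload of a compact JWT (header.payload.signature).
    Parsing only: validate the signature against the tenant's JWKS and
    check iss/aud/exp before trusting any claim in production."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def token_kind(claims):
    """Delegated tokens carry 'scp' plus a user identity ('oid'); app-only
    tokens from the client credential flow carry 'roles' and no user."""
    if "scp" in claims and "oid" in claims:
        return "delegated"
    if "roles" in claims and "scp" not in claims:
        return "app-only"
    return "unknown"

def graph_profile_path(claims):
    """/me needs a user context; an app-only token has none, so Graph cannot
    resolve 'me' (the Request_ResourceNotFound seen in the question)."""
    if token_kind(claims) != "delegated":
        raise ValueError("/me requires a delegated token; use /users/{id}")
    return "/v1.0/me"

def match_local_user(id_token, local_users):
    """The 'oid' claim of the id_token is the directory object id, the same
    value GET /users returns as 'id', so it keys the synced user table."""
    return local_users.get(jwt_claims(id_token).get("oid"))

def constructed_jwt(payload):
    # Constructed sample only; real Azure AD tokens are RS256-signed.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig-placeholder"

# Constructed samples; the ids are made up, not real tenant values.
OID = "11111111-2222-3333-4444-555555555555"
APP_ONLY = constructed_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED = constructed_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read Calendars.Read", "oid": OID})
ID_TOKEN = constructed_jwt({"aud": "constructed-client-id", "oid": OID, "preferred_username": "alice@contoso.example"})
LOCAL_USERS = {OID: {"name": "Alice", "role": "admin"}}  # as synced from GET /users
```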
