Call Microsoft Graph API - App only unauthorized error

Question

I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/

I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.

I have registered my app in Azure AD (where I am a co-administrator).

I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.

Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem. Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.

in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.

Answer 1

You are authorized to select only delegated permissions which have personal scope

This issue is caused that the app is created by none admin and when they visit the portal then will see this message.

To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.

Update

We need the assign the Global administrator director role as figure below to make the application works for the client credential flow: