Reputation: 2514
What I want to do is quite simple: provision Office 365 and Azure Accounts from my Web App. And I want it to be available not only for me but for all the IT Departments (from other organizations too) that log in to my App.
From my understanding the steps I have to take are:
1. apps.dev.microsoft.com and get ID And Secret.
2. (Directory.ReadWrite.All and User.ReadWrite.All) -- Enabled from both Delegated Permissions and Application Permissions
3. Gone through the LOGIN PROCESS
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[My Client]&response_type=code&redirect_uri=[My Account]/Account/Office&response_mode=query&scope=openid%20User.Read%20offline_access%20Directory.ReadWrite.All
Confirm the code I receive back on my Return URL
POST https://login.microsoftonline.com/common/oauth2/v2.0/token?...secret and so on...
Now what I get is an object with Access Token, Renew Token and so on and so forth.
If I use it to get users, it's all working:
https://graph.microsoft.com/v1.0/users
But when I try to perform other operations the token seems invalid.
For instance:
https://management.core.windows.net/subscriptions
==> UNAUTHORIZED
What am I doing wrong? Is the IDEA behind it correct?
I really need this to be done at a "global" level, without manual config steps on every subscription or putting in some "TenantID" manually.
Upvotes: 0
Views: 589
Reputation: 33114
You've requested a token scoped for the Microsoft Graph API, which is why you can use API endpoints surfaced by https://graph.microsoft.com/.
The call to https://management.core.windows.net/subscriptions is not part of the Microsoft Graph API, so your token isn't valid for that resource. That call is into the Service Management REST API. Authenticating for this API is documented here.
Upvotes: 1
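As an added example (not from the question or the answer above), a small Python helper that shows why the second call fails: it decodes the access token's claims without verifying the signature and checks whether the token's aud (audience) claim names the API being called. It assumes the token is a JWT whose aud is the resource URI; the sample token is constructed here with a placeholder signature, purely as input for the check.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> str:
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment).decode()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Good enough for inspecting which resource a token was issued for; the
    resource server (Graph, Service Management) does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_is_valid_for(token: str, resource_url: str) -> bool:
    """True when the token's aud claim names the origin of resource_url.
    An access token is issued for one audience: a token minted for
    https://graph.microsoft.com is rejected by management.core.windows.net,
    which is exactly the UNAUTHORIZED seen in the question."""
    aud = decode_jwt_claims(token).get("aud", "")
    audiences = aud if isinstance(aud, list) else [aud]
    target = urlparse(resource_url)
    target_origin = f"{target.scheme}://{target.netloc}"
    return any(a.rstrip("/") == target_origin for a in audiences)


def make_unsigned_demo_token(aud: str, scp: str) -> str:
    # Constructed sample token for this example only: the signature segment is
    # a placeholder, so it only serves as realistic input to decode_jwt_claims().
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "scp": scp, "ver": "1.0"}).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    graph_token = make_unsigned_demo_token("https://graph.microsoft.com",
                                           "User.Read Directory.ReadWrite.All")
    print(token_is_valid_for(graph_token, "https://graph.microsoft.com/v1.0/users"))            # True
    print(token_is_valid_for(graph_token, "https://management.core.windows.net/subscriptions"))  # False
```

Running the audience check before each call turns the opaque 401 into a clear client-side message that a second token, requested for the management resource, is needed.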