Reputation: 303
Where can I find APP ID URI for Microsoft App?
I am trying to log in as my registered app, with the permissions granted on: Azure Portal > App registrations > App registrations (Preview) > My App Name - API permissions
According to this documentation, I have to pass my resource identifier (APP ID URI) in the scope parameter when requesting a token. I am certain that this scope parameter is the one causing me problems.
I have tried different parameters of the scope.
https://graph.microsoft.com/.default: This works for basic functions, like reading the calendar but I believe that the default permissions are very little for my needs. Since this works, I believe my other parameters are correct, and the scope is the problem.[APP-ID]/.default: This gives me a successful response, however, whenever I try to make any request, including the basic read calendar request, I getInvalidAuthenticationToken. I can assure you that I am passing the correct token retrieved from the token request.Multiple different URL combinations based on online suggestions. All of them return
"The resource principal {resource-url} was not found in tenant {id}.
I strongly believe the problem is that I am not passing the correct APP ID URI for my application. Can anyone tell me where I can find this resource? Everything I have searched online is 2+ years old and does not seem to be the same for the new Azure portal.
Upvotes: 13
Views: 32769
Answers (1)
Reputation: 33114
For Client Credentials (i.e. getting a token without a user), you need to pass https://graph.microsoft.com/.default as your scope.
The permissions https://graph.microsoft.com/.default provides are the "Application permissions" you specified when registering the application in the portal:
Once you've added all the "Application permissions" you need for your application, you need to "Grant consent" for those scopes in your tenant (this is the button at the bottom of the API permissions tab.
Once you have these in place, you need issue a POST to the /token endpoint (line-breaks are just for readability, this should be a single string):
POST https://login.microsoftonline.com/{{tenantDomain}}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id={your-app-id}
&scope=https://graph.microsoft.com/.default
&client_secret={your-client-secret}
&grant_type=client_credentials
This will return you something like this:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1554431330",
"not_before": "1554427430",
"resource": "00000003-0000-0000-c000-000000000000",
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZS..."
}
When you call into Graph you need to set the Authorization header to token_type access_token. So calling /users would look like this:
GET https://graph.microsoft.com/v1.0/users
Authorization:"Bearer eyJ0eXAiOiJKV1QiLCJub25jZS..."
Host:"graph.microsoft.com"
Accept:"application/json"
Upvotes: 5
Related Questions
- How can I use Microsoft Graph API to get Application by appId
- How to use Graph (or another MS API) to retrieve an Azure Enterprise App Object ID
- Get SharePoint App details using Graph REST API
- How to add Azure AD Application using application identifier
- How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?
- How to Find AppId of Schema Extention App in Azure AD
- Accessing Microsoft Graph API : Resource app ID: 00000002-0000-0000-c000-000000000000
- Finding Azure AD Schema Extension AppId in Microsoft Graph
- How to get AppKey using Microsoft Graph API
- Accessing the Azure Graph API using Application Identity