Reputation: 16677
I am receiving the group overage claim for a user authenticating against Azure AD. Looks like the below:
{"src1":{"endpoint":"https://graph.windows.net/TENANTID/users/USERID/getMemberObjects"}}
My thought was I could then just call that endpoint, which I did like:
var authenticationContext =
    new AuthenticationContext(
        ctx.Options.Authority);
var clientCredentials =
    new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);
var result =
    await authenticationContext.AcquireTokenAsync("https://graph.windows.net", clientCredentials);
using (var httpClient = new HttpClient())
{
    httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {result.AccessToken}");
    var httpResponse =
        await httpClient.GetAsync("https://graph.windows.net/TENANTID/users/USERID/getMemberObjects?api-version=1.6");
    var jsonresult =
        await httpResponse.Content.ReadAsStringAsync();
}
I thought this would work, but now it is complaining it wants the method to be a Post. Not sure what I would pass in for Content, but I tried it in Postman, and it still failed.
My hope is that I am just making this more difficult than it needs to be, but for the life of me, I cannot find a good definitive example for how to call the Graph API from an MVC Core App.
Any help would be much appreciated!
Update
I changed it to a Post and passed in a null body, and received an error with code Authorization_RequestDenied and value Insufficient privileges to complete the operation.
Made sure to give the Application Directory.Read.All permissions.
Upvotes: 3
Views: 1567
Reputation: 22495
For Azure AD Graph, your request format is not correct. You could try the following way:
Request URL:
https://graph.windows.net/TenantId/users/UserId/getMemberObjects?api-version=1.6
Method Type: POST
Request Body
{
"securityEnabledOnly": false
}
Postman Sample:
Permission Required:
Permission Type: Application
Directory.Read.All Or Directory.ReadWrite.All
See the screen shot:
For details, you could refer to the official docs.
Upvotes: 3
Reputation: 16677
Finally got to the bottom of my problem! I needed to change my request to a POST and add { "securityEnabledOnly": false } as the body - thanks @MdFaridUddinKiron for your help with this!
The one thing I was missing is granting my application admin consent.
Hopefully this helps someone else out!
Upvotes: 0
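The request this thread arrives at (POST, JSON body, application permission with admin consent), written out as an added example that is not code from any of the posts. `GroupOverageResolver` and its member and parameter names are hypothetical; the caller is assumed to pass a token acquired for `https://graph.windows.net` as in the question, and the response is assumed to carry the IDs in a `value` array.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example; the class and method names are hypothetical.
public static class GroupOverageResolver
{
    private const string Resource = "https://graph.windows.net";

    // Resolves a group overage claim into the user's group/role object IDs.
    public static async Task<IReadOnlyList<string>> GetMemberObjectIdsAsync(
        HttpClient http, Guid tenantId, Guid userId, string accessToken)
    {
        // Guid parameters keep anything but well-formed IDs out of the URL.
        var url = $"{Resource}/{tenantId:D}/users/{userId:D}/getMemberObjects?api-version=1.6";

        using var request = new HttpRequestMessage(HttpMethod.Post, url)
        {
            // The endpoint rejects GET and needs this JSON body on the POST.
            Content = new StringContent(
                "{\"securityEnabledOnly\": false}", Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await http.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode)
        {
            // The error code seen in the thread: permission added but not consented.
            if (body.Contains("Authorization_RequestDenied"))
                throw new UnauthorizedAccessException(
                    "Directory.Read.All (Application) needs admin consent: " + body);
            throw new HttpRequestException($"Graph returned {(int)response.StatusCode}: {body}");
        }

        // Assumed response shape: { "value": [ "<object id>", ... ] }
        using var doc = JsonDocument.Parse(body);
        var ids = new List<string>();
        foreach (var item in doc.RootElement.GetProperty("value").EnumerateArray())
            ids.Add(item.GetString());
        return ids;
    }
}
```

Failing closed on any non-success response matters here: if the lookup fails, the caller gets an exception rather than an empty group list that authorization code could misread as "no memberships".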