msGraph API from msAccess VBA - Planner plans credentials issue

Question

I am very new to MS Graph and Office 365 and have made good progress. I am an O365 Global Admin for my organisation (a school) and have app development experience. There is a lot of scope for using MS-Access databases in our context for "globally" managing the O365 content. eg contacts, distribution lists and planner tasks. We want to manage these from an on-premises ms-access database or two and with an admin person authenticating the ms-graph activity, ideally.

So, to test, I created a new db and have managed to get it to consume the following endpoint using VBA but with no user authentication for now.

https://graph.microsoft.com/v1.0/groups

However, when I try

https://graph.microsoft.com/v1.0/planner/plans/with my plan id here

I get 401 - Unauthorized: Access is denied due to invalid credentials.

So, clearly my Application registration is wrong or my authentication or both! I have spent hours searching for examples and help and because of the evolving nature of the ecosystem I am finding it pretty hard to work out what I should do now (as opposed to a year or two ago).

The authorisation that generates the access_token that works to allow me access to the groups is:

POST 
https://login.microsoftonline.com/{my tenant id here}/oauth2/token

grant_type=client_credentials
client_id={my client id}
client_secret={my url encoded secret}  resource=https://graph.microsoft.com

but using that same access_token for the planner tasks throws the 401 error.

My app permissions look like this: I presume this is because of the difference between the Application and Delegated types but have not fully grasped it all yet. And, I suspect I am using the wrong authentication flow anyway. :-(

So, my questions are: 1. Do my permissions look right? 2. Is my authentication flow correct? Should I be using these instead? ie have I been working from old information?

https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/authorize 
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/token

As you can tell I have become somewhat confused. If anyone can point me in the right overall direction given what I am attempting that would be so helpful.

Thanks so much, Murray

Answer 1

1. Do my permissions look right?

Yeah undoubtedly, your azure portal permission seems alright. You need dedicated permission for that also need to grant admin consent which you have done perfectly shown on screen shot.

2. Is my authentication flow correct?

As you are using Client Credentials Grant Flow request format seems alright. But I doubt this flow is suitable for the API you are trying to call. because this API requires dedicated permission.

3. Should I be using these instead?

Since this API need dedicated permission you could use authorization code grant flow.

Follow below steps to get your token using Authorization Code grant flow

Get Authorization Code:

https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default

Request Token oauth2/V2.0/token with your code:

Request URL: https://login.microsoftonline.com/common/oauth2/V2.0/token Or https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token

Method: POST

Request Body Format

client_id:Your_Clinet_Id
scope:https://graph.microsoft.com/.default
redirect_uri:Your_Portal_Redirect_URI
grant_type:authorization_code
client_secret:Your_Client_Secret
code: Paste Code Here

Decode Token:

You could decode your token on https://jwt.io/ and make sure you have required permission on your azure portal.

4. Have I been working from old information?

No, Information has no issue so far I have gone through.

Note: For for details implementation of Authorization Code grant flow you could take a look official docs