Blair Holmes

Reputation: 1661

OAuth2 flow for obtaining token for microsoft graph access

I am trying to call Microsoft Graph using a JWT bearer token to call https://graph.microsoft.com/v1.0/me.

At first, I was using the Azure OAuth v1 endpoint, but the JWT it returned did not have the correct audience, so it wouldn't let me call Microsoft Graph. Now I'm using the v2 endpoint, but I'm getting an error:

"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxx' named 'MyAppName'. 
Send an interactive authorization request for this user and resource.
Trace ID: xxxxx-xxxxx-xxxxxxx-xxxxxxxx
Correlation ID: xxxxx-xxxxx-xxxxxxx-xxxxxxxx
Timestamp: 2019-08-23 18:06:39Z"

I have set up the correct API permissions for my registered Application in AAD, as best I can tell.

I'm stuck here and can't even try to test with the JWT that gets returned from v2.

Any ideas here? All the Google hits tell me I need to set up my API permissions, which, as you can see in the screenshot, I've done.

Here is the URL I'm first going to use to obtain my code:

https://login.microsoftonline.com/xxxx-tenantidxxxx/oauth2/v2.0/authorize?client_id=xxxx-clientid-xxx&response_type=code&scope=https://graph.windows.net/directory.read.all%20https://graph.windows.net/user.read&redirect_uri=https://MyCoolsite.neat.com

Upvotes: 1

Views: 921

Answers (2)

Marc LaFleur

Reputation: 33132

You're conflating the legacy Azure AD Graph API (graph.windows.net) with Microsoft Graph (graph.microsoft.com). These are two different APIs with their own endpoints and permission scopes.

You'll want to use Microsoft Graph for this, which means you'll need to request Microsoft Graph scopes. In this case the only scope you need is User.Read. Using Directory.Read.All would require Admin Consent, which adds some unnecessary complexity you don't need at this point.

The URL you're using can also be simplified (you don't need to specify the tenant):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize

For your query params, you'll want:

?client_id={clientId}&response_type=code&scope=User.Read&redirect_uri=https://redirect.url

If you want to use the scopes specified in your registration rather than requesting them dynamically, you can drop User.Read and use https://graph.microsoft.com/.default instead.

If you'd rather use the v1 endpoint, simply drop scope altogether and replace it with the resource (audience) you want to talk to. In your case, this is resource=https://graph.microsoft.com.

Keep in mind that you do need to URL Encode the values you're passing in:

?client_id={clientId}&response_type=code&scope=User.Read&redirect_uri=https%3A%2F%2Fredirect.url

Upvotes: 2
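A worked version of the points in the answer above, added here as example code (not from the answer, the question, or any Microsoft library): it builds the v2.0 authorize request with properly percent-encoded values, rejects the legacy graph.windows.net scopes from the question, and checks a returned token's audience before it is sent to Graph. The client id, redirect URI and state are placeholders; the Graph application id is the well-known Microsoft Graph app id.

```python
import base64
import json
from urllib.parse import urlencode

# Well-known Microsoft Graph identifiers (the audience may appear in either form).
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Legacy Azure AD Graph; scopes under this prefix do not authorize calls to Microsoft Graph.
LEGACY_AAD_GRAPH = "https://graph.windows.net"


def build_authorize_url(client_id, redirect_uri, scopes, state, tenant="common"):
    """Build the v2.0 authorization-code request; urlencode percent-encodes every value."""
    bad = [s for s in scopes if s.startswith(LEGACY_AAD_GRAPH)]
    if bad:
        raise ValueError(f"legacy Azure AD Graph scopes are not valid for Microsoft Graph: {bad}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),      # e.g. "User.Read" or "https://graph.microsoft.com/.default"
        "response_mode": "query",
        "state": state,                 # tie to the user's session and verify it on the redirect
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it; for client-side diagnosis only (Graph verifies the signature)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_graph_token(token):
    """True when the token's audience is Microsoft Graph, i.e. it can be presented to /v1.0/me."""
    return jwt_claims(token).get("aud") in (GRAPH_RESOURCE, GRAPH_APP_ID)


def unsigned_test_token(claims):
    """Constructed fixture: header.payload. with an empty signature, so audience checks run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```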

Ivan Franjic

Reputation: 151

From what I see, you have to use application permissions, as your current setup requires an interactive session. Here is guidance on how to set up application permissions:

https://github.com/ivfranji/GraphManagedApi/wiki/Registering-Microsoft-Graph-App

Upvotes: 0
