Reputation: 41
I can't access endpoints in Microsoft Graph.
I will be uploading a file to a users one drive when I have the communication set up but for now I am just trying to get a list of items in a drive.
This is the response I get from https://graph.microsoft.com/v1.0/drives/{{drive_id}}/root/children:
{
  "error": {
    "code": "AccessDenied",
    "message": "Either scp or roles claim need to be present in the token.",
    "innerError": {
      "request-id": "123",
      "date": "2020-01-09T11:43:20"
    }
  }
}
I retrieved the drive_id by using graph explorer on endpoint https://graph.microsoft.com/v1.0/me/ on the signed in user.
It should be noted that I can use this endpoint https://graph.microsoft.com/v1.0/subscriptions, so I must be doing something right with the access token.
I followed this tutorial to get the access token using the client credential flow,
and this is the code I use to get the access token:
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
// v1 token endpoint; "resource" names the API the token is for
var req = new HttpRequestMessage(HttpMethod.Post, $"https://login.microsoftonline.com/<tenant>/oauth2/token");
req.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
    {"grant_type", "client_credentials"},   // application token: carries a roles claim, never scp
    {"client_id", "123"},
    {"client_secret", "123"},
    {"resource", "https://graph.microsoft.com"}
});
var response = await httpClient.SendAsync(req);
var body = await response.Content.ReadAsStringAsync();   // JSON containing "access_token"
When I decode the JWT I do not see any scopes in the token, but if I understand correctly the header should get the scopes that have been permitted by the admin.
An admin has already granted my app these permissions for Graph Explorer (although I do not have the delegated permissions, does that matter?):
Files.Read,
Files.ReadWrite.All,
Sites.ReadWrite.All,
User.Read
I am using this collection in Postman to test.
Thanks in advance, any advice is appreciated.
Upvotes: 1
Views: 1535
Reputation: 405
From Marc LaFleur's answer:
The first thing to understand is that you cannot receive both Application and Delegated permissions in the same token, it is an either/or scenario. Which type you receive depends entirely on which OAuth Grant you used to request the token:
Authorization Code and Implicit return Delegated tokens with an scp property.
Client Credentials return Application tokens with a roles property.
The second thing is that you've requested scopes to two different APIs. Based on what you've selected, you won't have access to SharePoint through the Microsoft Graph because you've only requested access to the legacy SharePoint API. More importantly, you've only requested the Delegated User.Read scope for Graph so when you use Client Credentials to obtain the token, that token won't have any permissions.
In order to obtain an Application token for reading SharePoint sites, you'll need Sites.Read.All Microsoft Graph Application permission selected.
Upvotes: 2
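An added example, not code from the question or the answer: this Python helper decodes a token's payload (without verifying the signature, so for local inspection only) and reports whether it carries an scp claim (delegated) or a roles claim (application), which is exactly what the AccessDenied message is checking. The accepted audience values, the expiry check and the constructed, unsigned sample token are this example's own assumptions.

```python
import base64
import json
import time

# Audiences Graph accepts: the v1 'resource' URL from the question, or Graph's own app id (v2).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token):
    """Return a JWT's claims WITHOUT verifying its signature (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token, now=None):
    """Classify a Graph token and list why Graph would answer AccessDenied for it."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    scp, roles = claims.get("scp"), claims.get("roles") or []
    if scp:                       # delegated token: authorization-code / implicit grants
        kind, permissions = "delegated", scp.split()
    elif roles:                   # application token: client-credentials grant
        kind, permissions = "application", list(roles)
    else:
        kind, permissions = "none", []
    problems = []
    if kind == "none":
        problems.append("no scp or roles claim: no Graph permission is consented for the "
                        "grant used (client credentials needs Application permissions)")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return {"kind": kind, "permissions": permissions, "problems": problems}

def make_unsigned_token(claims):
    # Constructed, UNSIGNED sample token (alg=none) used only to exercise the checks above.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

if __name__ == "__main__":
    token = make_unsigned_token({"aud": "https://graph.microsoft.com", "exp": 2_000_000_000})
    print(diagnose(token))  # kind 'none': the situation behind the AccessDenied in the question
```

Run it against a real access token by passing the raw JWT string to diagnose(); a client-credentials token that shows kind 'none' means no Application permission was granted to the app registration.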