Reputation: 19718
I have set up OAuth via Azure. I have received an authorization_code, which I have exchanged for an access_token. I am then attempting to use that access token to get userinfo data, including the email, as described in the docs (https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo). However, the response does not return the email to me.
{
"sub": "<redacted>",
"name": "John Doe",
"family_name": "John",
"given_name": "Doe",
"picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}
The documentation suggests that in order for email to be returned in the response it requires the email scope. https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo#userinfo-response
However, I believe I am already specifying that I want the email scope.
App Permissions
/oauth2/v2.0/token (the scope shows profile, openid, email and user.Read)
What am I missing?
Upvotes: 2
Views: 5879
Reputation: 5103
I couldn't get the Azure AD userinfo endpoint to give me the user's email, even though the scope is defined in the original /authorize request, and there's also the email API permission in the Azure portal.
What worked for me is retrieving this information from the id_token. In the request to /oauth2/v2.0/token, which is done before, not only an access token is retrieved but also an id_token, and within its payload is the email of the user along with more information. Even Microsoft seems to suggest doing this, in the "Consider using an ID token instead" section: https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo#userinfo-response
Upvotes: 0
Reputation: 22607
I tried to reproduce the same in my environment and got the below results:
I created one Azure AD application and added API permissions as below:
Now I generated the access token with the same scope as you, like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:app_id
grant_type:authorization_code
scope:https://graph.microsoft.com/User.Read
client_secret:secret
code:code
redirect_uri:redirect_uri
Response:
I used the above token to get user info data and got a response without email, like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
This is because the email field in the user's profile is not set. So, I updated the email field by editing the user's properties.
Now I generated the access token again and used it to get user info data and got a response with email, like below:
GET https://graph.microsoft.com/oidc/userinfo
Response:
Upvotes: 5