chipvalentine

Reputation: 1

Azure Logic App Giving Incorrect O365 Graph Auth Token

Within our Azure logic app we are looking to pull down O365 groups from Microsoft Graph, but we are getting a 'Forbidden' error when trying to pull the groups. The token in the logic app run is not attached to the service account which has all the permissions. When recreating this locally with the same URI in Postman, I am able to get a valid token which shows all of the correct permissions, and I am prompted to log in to the service account or else I cannot get a token at all. I do not know why the HTTP request in the logic app is giving an incorrect token when the Postman call will. It displays the token in the Azure logic app result as a sanitized version.

HTTP Call to Get Azure Token

We were expecting to receive an auth token that, when decoded, showed all of our proper permissions, but this can only be recreated in Postman, not in the Azure logic app.

Upvotes: 0

Views: 137

Answers (1)

Ikhtesam Afrin

Reputation: 6474

I was able to reproduce the issue and got the result successfully.

Here I am trying to get the user details using the Microsoft Graph API as per the MS Docs, and the URL is https://graph.microsoft.com/v1.0/me, because to get the group details from the Graph API I need to have the privileges to grant admin-level consent while adding API permissions in my Azure AD account.

Add the Group.Read.All permission in your Azure AD application to access the Groups and it needs Admin consent.

As I don't have permission to grant the consent, I am trying to get the user details by adding the User.Read permission, which doesn't require admin consent.

My workflow looks like this:

In the When a HTTP request is received trigger, I am using the schema below.

    {
        "properties": {
            "client_id": {
                "type": "string"
            },
            "client_secret": {
                "type": "string"
            },
            "tenant_id": {
                "type": "string"
            }
        },
        "type": "object"
    }

I have added the HTTP action to get the Bearer token.

Then I added a Data Operation - Parse JSON action, using the following schema:

    {
        "properties": {
            "access_token": {
                "type": "string"
            },
            "expires_in": {
                "type": "string"
            },
            "expires_on": {
                "type": "string"
            },
            "ext_expires_in": {
                "type": "string"
            },
            "not_before": {
                "type": "string"
            },
            "resource": {
                "type": "string"
            },
            "token_type": {
                "type": "string"
            }
        },
        "type": "object"
    }

I added an Initialize variable action and also a Set variable action.

Finally, I added an HTTP action to pull the user details from the Graph API.

After triggering the logic app, I am getting the user details.

Check the output in the Run History.

Upvotes: 0
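
A way to compare the two tokens from the question, as an added example that is not part of the original question or answer: it decodes a token's claims (without verifying the signature) and reports whether the token is delegated (`scp`, tied to a signed-in user) or app-only (`roles`), and whether `Group.Read.All` is present. The sample tokens, the account name and all helper names are constructed for illustration.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed JWT for the demo (never a real token)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])

def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_token(token: str, needed: str = "Group.Read.All") -> dict:
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated permissions, space separated
    roles = claims.get("roles", [])         # application permissions
    return {
        "audience": claims.get("aud"),
        "kind": "delegated" if "scp" in claims else "app-only",
        "user": claims.get("upn"),          # absent when no user signed in
        "granted": sorted(set(scopes) | set(roles)),
        "has_needed": needed in scopes or needed in roles,
    }

# Constructed sample claims; app id and account name are placeholders.
LOGIC_APP_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
})
POSTMAN_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "upn": "svc-account@contoso.example",
    "scp": "Group.Read.All User.Read",
})

if __name__ == "__main__":
    for name, tok in (("logic app", LOGIC_APP_TOKEN), ("Postman", POSTMAN_TOKEN)):
        print(name, describe_token(tok))
```

An access token is a bearer credential, so decode it locally like this rather than pasting it into a shared or online tool.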
