Process to support CONTACTS via REST API

I am currently struggling to understand how I can get Microsoft Office 365 Rest API working correctly. I have built an Azure AD, Sharepoint Developer Site, Built a sample APP that can get the access token using the following: https://login.windows.net/common/oauth2/authorize -> then -> https://login.windows.net/common/oauth2/token

Which works perfectly fine and returns:

 { ["token_type"]=> string(6) "Bearer" ["expires_in"]=> string(4) "3600" ["expires_on"]=> string(10) "1420476937" ["not_before"]=> string(10) "1420473037" ["resource"]=> string(30) "https://outlook.office365.com/" ["access_token"]=> string(1276) "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cdng2OHNrVDgtbVBBQjNCc2VlQSJ9.eyJhdWQiOiJodHRwczovL291dGxvb2sub2ZmaWNlMzY1LmNvbS8iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81YjVkNjRjOC03YTgxLTQ1NzctOWEyYy04OTJjNDc1Y2UxN2EvIiwiaWF0IjoxNDIwNDczMDM3LCJuYmYiOjE0MjA0NzMwMzcsImV4cCI6MTQyMDQ3NjkzNywidmVyIjoiMS4wIiwidGlkIjoiNWI1ZDY0YzgtN2E4MS00NTc3LTlhMmMtODkyYzQ3NWNlMTdhIiwiYW1yIjpbInB3ZCJdLCJlbWFpbCI6IndhcnJlbi5kb3lsZUBzeW5ldHkuY29tIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZDJjMmY2N2EtOTdjYy00N2Q5LWIxOWItNzAyMjRhNGVjYmUyLyIsImFsdHNlY2lkIjoiNTo6MTAwM0JGRkQ4ODg0OEI3RiIsInN1YiI6Imo3QzhzODJ0aDVlQTl4UjFGS0YxeDhya0FjNjlrd0lFeFFTcm5pSzJJS2MiLCJnaXZlbl9uYW1lIjoiV2FycmVuIiwiZmFtaWx5X25hbWUiOiJEb3lsZSIsIm5hbWUiOiJXYXJyZW4gRG95bGUiLCJ1bmlxdWVfbmFtZSI6IndhcnJlbi5kb3lsZUBzeW5ldHkuY29tIiwiYXBwaWQiOiJhYzNkMWVkMS00MDdkLTQzM2YtOTk4Zi1jMzMxOGI5NmUxOTQiLCJhcHBpZGFjciI6IjEiLCJzY3AiOiJDb250YWN0cy5SZWFkIENvbnRhY3RzLldyaXRlIiwiYWNyIjoiMSJ9.g4bNE7iSjPgazeeHdgQZy-ml_YqhPKAvvM0rHGxifu6k6POeHdcpgZurgJOW3AjmoM4SYLg6R1mhqLYwBolb3CxgqQJGIZ8uyzPMhlCtlowcD6JFWYB7McIQruFwxDthSWma_4YGb6pRW4LrTvfh1pxLMnSXhiI2nPltrJUbAJX_XdcnSGm7OqDNM68G8Eb1bz0xW9vAB0yuE7O9ewEcjwlUw4pzS5lNA0Y4-q-Ps9fn0goqzBh-ktZhAQPNhf91zv3v9Py3NPdsA-OtzdcIiPPAL_unmqcDisjChXVgBmHirTsb0Tt_UC2_YFRfMo3xEnE1Md4X17Jqa95N3E1a7Q" ["refresh_token"]=> string(694) "AAABAAAAvPM1KaPlrEqdFSBzjqfTGFrnaPrXWPrZOlHimbEubuR7_30VHdDxmZ_Dk5en6iiFagl-ySjHykZl5M-33l4qAIzjK1AecNfRWt6ISotbWXE9KoYxx5TO5lCPgkF7yJppUSlNoZ2nduQnWffLNGUZql8cO_YqCcAxXKFTg2fhwNt0GfpjZnME96_4C4JptBTuFFSyIl4UmByghVD83k4H32CD4ga0WOLdZx5v0fVztYWA3QxXX1pxzf7UCrh7Xq7nviWv46KDtr2SMozW1AyPVm9OPDdtL0Qbm3DMhyvUNYyJW7N8qiscmTaBLiVOmIbHVnEY_U5_s1MMdw1NfhUY6qtsbrjeyMKG5JqTx9MDnZ1_edsfIjCj29t-aGLJtmNDLJGsCAR6PSbq2bc2GqGpQatv7RtMLk7qvw2tRcz3JQ2RSrJ2tCtYcih8R8zkgUXsNvyoTSe-PdnI9eihJ-oT3gQwc_xm-6eVV_xcVdZyp3Fvp10weh5OG0LU4Lstfhe0J8MFGS5A28I_moSnF6eYSW5EVWDKjQXe5wOkifXUcW2o7A6EyAtVnombDYYiG3zd2BsovEyMm798GWNTBFZZ5szh2hpMDMtzHJy-vVYyGjVk_g7w9FzflWxfGGshIfT6lKZw8G1C9YKoE37z7z-ywj7-RC4siZr-1sqRAdii37ogAA" ["scope"]=> string(28) "Contacts.Read Contacts.Write" ["id_token"]=> string(820) "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJhYzNkMWVkMS00MDdkLTQzM2YtOTk4Zi1jMzMxOGI5NmUxOTQiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81YjVkNjRjOC03YTgxLTQ1NzctOWEyYy04OTJjNDc1Y2UxN2EvIiwiaWF0IjoxNDIwNDczMDM3LCJuYmYiOjE0MjA0NzMwMzcsImV4cCI6MTQyMDQ3NjkzNywidmVyIjoiMS4wIiwidGlkIjoiNWI1ZDY0YzgtN2E4MS00NTc3LTlhMmMtODkyYzQ3NWNlMTdhIiwiYW1yIjpbInB3ZCJdLCJlbWFpbCI6IndhcnJlbi5kb3lsZUBzeW5ldHkuY29tIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZDJjMmY2N2EtOTdjYy00N2Q5LWIxOWItNzAyMjRhNGVjYmUyLyIsInN1YiI6InZMOGlWOUxGX0U0cVg2Ty1wQUo3ZTkyODd1R1FZbUxhWWZ2cFRiX0FUZlkiLCJnaXZlbl9uYW1lIjoiV2FycmVuIiwiZmFtaWx5X25hbWUiOiJEb3lsZSIsIm5hbWUiOiJXYXJyZW4gRG95bGUiLCJ1bmlxdWVfbmFtZSI6IndhcnJlbi5kb3lsZUBzeW5ldHkuY29tIiwicHdkX2V4cCI6IjcxODQ3MDUiLCJwd2RfdXJsIjoiaHR0cHM6Ly9wb3J0YWwubWljcm9zb2Z0b25saW5lLmNvbS9DaGFuZ2VQYXNzd29yZC5hc3B4In0." ["pwd_exp"]=> string(7) "7184705" ["pwd_url"]=> string(54) "https://portal.microsoftonline.com/ChangePassword.aspx" } 

However whenever I attempt to work with the Contacts API (https://outlook.office365.com/api/v1.0/me/contacts?$orderby=displayname%20desc)

Using a valid GUID and the token from previously it returns a 401.

Here is my manifest file:

{
  "allowActAsForAllClients": null,
  "appId": "ac3d1ed1-407d-433f-998f-c3318b96e194",
  "appMetadata": {
    "version": 0,
    "data": []
  },
  "appRoles": [],
  "availableToOtherTenants": true,
  "displayName": "CONTACTS MANAGEMENT APP",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "https://chrome.uk.cloudcall.com/oAuth/oauth2.php",
  "identifierUris": [
    "https://synetyplc.onmicrosoft.com"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access CONTACTS MANAGEMENT APP on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access CONTACTS MANAGEMENT APP",
      "id": "f85ff53b-b153-456d-8a5d-69d9289ab9ff",
      "isEnabled": true,
      "origin": "Application",
      "type": "User",
      "userConsentDescription": "Allow the application to access CONTACTS MANAGEMENT APP on your behalf.",
      "userConsentDisplayName": "Access CONTACTS MANAGEMENT APP",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2017-01-05T12:20:03.3224279Z",
      "keyId": "f6fe401c-8061-47e8-8d21-fdf48841adeb",
      "startDate": "2015-01-05T12:20:03.3224279Z",
      "value": null
    },
    {
      "customKeyIdentifier": null,
      "endDate": "2016-01-05T11:28:08.8654733Z",
      "keyId": "e8a37973-bb60-40e3-b9da-3318c8cf524d",
      "startDate": "2015-01-05T11:28:08.8654733Z",
      "value": null
    }
  ],
  "publicClient": null,
  "replyUrls": [
    "https://chrome.uk.cloudcall.com/oAuth/oauth2.php"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        {
          "id": "181aac24-028a-486e-a649-b3742c74ec71",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null,
  "defaultPolicy": [],
  "extensionProperties": [],
  "objectType": "Application",
  "objectId": "e478cfdb-2590-41f0-8efc-adca13c6f5e4",
  "deletionTimestamp": null,
  "createdOnBehalfOf": null,
  "createdObjects": [],
  "manager": null,
  "directReports": [],
  "members": [],
  "memberOf": [],
  "owners": [],
  "ownedObjects": []
}

And here is my JWT:

{
 aud: "https://outlook.office365.com/",
 iss: "https://sts.windows.net/5b5d64c8-7a81-4577-9a2c-892c475ce17a/",
 iat: 1420469746,
 nbf: 1420469746,
 exp: 1420473646,
 ver: "1.0",
 tid: "5b5d64c8-7a81-4577-9a2c-892c475ce17a",
 amr: [
  "pwd"
 ],
 email: "[email protected]",
 idp: "https://sts.windows.net/d2c2f67a-97cc-47d9-b19b-70224a4ecbe2/",
 altsecid: "5::1003BFFD88848B7F",
 sub: "j7C8s82th5eA9xR1FKF1x8rkAc69kwIExQSrniK2IKc",
 given_name: "Warren",
 family_name: "Doyle",
 name: "Warren Doyle",
 unique_name: "[email protected]",
 appid: "ac3d1ed1-407d-433f-998f-c3318b96e194",
 appidacr: "1",
 scp: "Contacts.Read",
 acr: "1"
}

Just to confirm we are aiming to achieve the following:

User visits our websites and wishes to sync their contacts -> They click Authorize which generates the url which then takes them to login.microsoft to Authenticate our Application to access their contacts -> They then return and we then request the Access Token -> We then processs the contacts request and handle the response...

I hope this helps

Regards Warren