I have set up an Azure AD application that I want to use with my web application. I have obtained an OAuth token using the following steps:
First I requested my authorization code:
https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent
This takes the user to the login.windows.net page where they must accept permissions that my application is going to use on their AD.
After that I get the OAuth token using this endpoint https://login.windows.net/common/oauth2/token with this payload (using C#):
{"code", "{AUTH_CODE}"},
{"state", {STATE}},
{"grant_type", "authorization_code"},
{"redirect_uri", "{REDIRECT_URI}"},
{"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
{"client_secret", "{CLIENT_SECRET}"},
{"resource", "https://graph.windows.net"}
Everything comes back just fine and I get my OAuth token. However, when I try to curl the Graph API using the token I get this error:
curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
I have tried the actual domain for the {tenant}, the "me" alias and the "myorganization" alias, and none of them works. The "me" alias returns an error saying the 'users' resource doesn't exist. I am confused about what the problem is here.
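Added example (not code from the question above): a Python version of the same authorization-code flow that builds the authorize URL and the form body posted to the /token endpoint exactly as listed in the question, and then decodes the claims of the returned access token so you can see which tenant (`tid`), audience (`aud`) and permissions (`scp` for delegated scopes, `roles` for application permissions) the token actually carries before sending it to graph.windows.net. The decoder does not verify the signature; it is an inspection aid only, never a way to trust a token. The sample token, the client/tenant identifiers and the set of directory-read permission names checked at the end are constructed assumptions for the offline demo.

```python
import base64
import json
from urllib.parse import urlencode

# Endpoints and resource from the question (Azure AD v1 endpoint, AAD Graph).
AUTHORITY = "https://login.windows.net/common/oauth2"
GRAPH_RESOURCE = "https://graph.windows.net"

# Assumed permission names that allow listing a tenant's users via AAD Graph.
DIRECTORY_READ_PERMISSIONS = {"Directory.Read.All", "Directory.AccessAsUser.All"}


def build_authorize_url(client_id, redirect_uri, state, admin_consent=True):
    """Step 1: the URL the user is sent to; mirrors the query string in the question."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code, client_id, client_secret, redirect_uri, resource=GRAPH_RESOURCE):
    """Step 2: form body (application/x-www-form-urlencoded) posted to /token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWS. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_graph_token(token, expected_resource=GRAPH_RESOURCE):
    """Summarise what the token can do: audience, tenant, and granted permissions."""
    claims = decode_jwt_claims(token)
    scopes = claims["scp"].split() if claims.get("scp") else []   # delegated (user) permissions
    roles = list(claims.get("roles", []))                         # application permissions
    granted = set(scopes) | set(roles)
    return {
        "aud_ok": claims.get("aud") == expected_resource,
        "tenant": claims.get("tid"),
        "delegated_scopes": scopes,
        "app_roles": roles,
        "has_directory_read": bool(granted & DIRECTORY_READ_PERMISSIONS),
    }


def _make_sample_token(claims):
    """Constructed, unsigned sample token for the offline demo (real tokens are RS256-signed by AAD)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'typ': 'JWT', 'alg': 'RS256'})}.{seg(claims)}.c2ln"


# Constructed sample: a token for graph.windows.net that only carries User.Read.
SAMPLE_TOKEN = _make_sample_token({
    "aud": GRAPH_RESOURCE,
    "tid": "00000000-0000-0000-0000-000000000001",
    "upn": "user@example.onmicrosoft.com",
    "scp": "User.Read",
})

if __name__ == "__main__":
    print(build_authorize_url("{CLIENT_ID}", "https://example.com/callback", "o365"))
    print(build_token_request("{AUTH_CODE}", "{CLIENT_ID}", "{CLIENT_SECRET}", "https://example.com/callback"))
    print(inspect_graph_token(SAMPLE_TOKEN))
```

Run `inspect_graph_token` on the real access token returned by /token and compare `delegated_scopes` / `app_roles` with what the Graph call you are making needs; `aud_ok` confirms the token was minted for the resource you are calling and `tenant` shows which directory it belongs to.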