2
votes

I want to check the calendars from several users. Therefore, I need app-only access (because the app needs more rights than the logged-in user).

With the "old" API this was possible by following these instructions: https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365

With the new Microsoft Graph API this doesn't seem to work. Is there a way to make this work? I want to use the Microsoft Graph API for all the Office 365 API functions which I need in the app.

Thanks in advance!

(Edit: Including error message.)

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. Trace ID: 718db531-d789-4b45-ae9d-c2e53f3786fd Correlation ID: 6a157ae5-7dc3-4470-81c0-f410e14f9c04 Timestamp: 2015-11-27 12:40:33Z ---> System.Net.WebException: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert. bei System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

I gave full delegated and full application permissions. Here is the token which I get:

{"token_type":"Bearer","expires_in":"3599","scope":"Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read Directory.Read.All Directory.ReadWrite.All Directory.Write Files.Read Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All Files.ReadWrite.AppFolder Files.ReadWrite.Selected full_access_as_user Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite Sites.Read.All Tasks.ReadWrite User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All user_impersonation","expires_on":"1448974661","not_before":"1448970761","resource":"https://graph.microsoft.com/","pwd_exp":"582983","pwd_url":"https://portal.microsoftonline.com/ChangePassword.aspx","access_token":"eyJ---------zQXg","refresh_token":"AAABAA--------pYSAA","id_token":"eyJ0eXAi-------4wIn0."}

I don't have the rights to read other calendars than mine.

Edit: I can't get the app token... here's my code (the app token worked before when I was not using the new Graph API):

        using System.Security.Cryptography.X509Certificates;
        using System.Threading.Tasks;
        using Microsoft.IdentityModel.Clients.ActiveDirectory;

        // Tenant-specific authority instead of /common: app-only tokens are issued per tenant.
        string authority = appConfig["AuthorizationUri"].Replace("common", appConfig["ida:TenantId"]);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
        string certfile = appConfig["o365_CertPath"];

        // Load the PFX (certificate plus private key) that signs the client assertion.
        X509Certificate2 cert = new X509Certificate2(certfile,
                                                    appConfig["o365_CertPassword"], // password for the cert file containing the private key
                                                    X509KeyStorageFlags.MachineKeySet);

        // The client ID must belong to the app registration whose manifest carries this certificate's public key.
        ClientAssertionCertificate cac = new ClientAssertionCertificate(appConfig["ida:ClientId"], cert);

        // The first argument is the resource the token is requested for (for Microsoft Graph: https://graph.microsoft.com).
        AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync("https://outlook.office365.com", cac);
        this.currentAccessToken = authenticationResult.AccessToken;

I tried different resource endpoints with AcquireTokenAsync. I always get the error message:

{"AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature.\r\nTrace ID: 6fe2a6bd-77d3-47a8-83d4-e10aea69b88a\r\nCorrelation ID: 53071578-1c16-4c17-8f77-fc5821c18d4b\r\nTimestamp: 2015-12-02 08:05:25Z"}

Thanks again

1
Which part of those instructions doesn't work? What error message are you getting, or what options are you missing? - Philippe Signoret
Hi, I get the following response when I try to use the API with the app-only token: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. Trace ID: 718db531-d789-4b45-ae9d-c2e53f3786fd Correlation ID: 6a157ae5-7dc3-4470-81c0-f410e14f9c04 Timestamp: 2015-11-27 12:40:33Z ---> System.Net.WebException: Der Remoteserver hat einen Fehler zurückgegeben: (401) Nicht autorisiert. bei System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) - AJRames
And you're sure you set the public certificate in the app manifest matching the private key used to sign the client assertion? - Philippe Signoret
I'm sure, yes, because it worked before... Is the problem maybe the fact that I'm using the client libraries? There's another interesting issue. I've granted ALL permissions for the users (to read any calendar in the directory), but when executing this REST command "graph.microsoft.com/v1.0/users/xxx@xxxx.onmicrosoft.com/events" I get the 403 error. Am I doing something wrong? - AJRames
Trying to understand this response. So you have an existing application that already makes use of various client libraries (.NET?) to call SharePoint and Outlook? Or are you extending your app to include calls to Outlook, and for this were looking at the Microsoft Graph? - Dan Kershaw - MSFT

1 Answer

0
votes

I had a similar issue. I was using Create-SelfSignedCertificate.ps1 from the PnP site. I switched to using Makecert and everything worked. Basically followed Richard's exact instructions here: http://blogs.msdn.com/b/richard_dizeregas_blog/archive/2015/05/03/performing-app-only-operations-on-sharepoint-online-through-azure-ad.aspx
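Both Philippe's comment and this answer point at the same failure mode behind AADSTS50012: the private key in the PFX the app signs with does not correspond to the public key in the app manifest's keyCredentials entry. The following PowerShell check is an added example, not code from the question or the linked posts; it loads the PFX, derives the two base64 values the manifest stores (SHA-1 thumbprint and DER certificate), and compares them with a downloaded copy of the manifest. The file paths are assumptions.

```powershell
# Added example (not from the original post). Paths are assumptions; replace them.
$pfxPath      = 'C:\certs\app-only.pfx'       # PFX holding the private key the app signs with
$manifestPath = 'C:\certs\app-manifest.json'  # manifest downloaded from the Azure AD app registration

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $pfxPath, $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw "No private key in $pfxPath; ADAL cannot sign a client assertion with it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# The manifest stores the SHA-1 thumbprint and the DER-encoded certificate, both base64-encoded.
$base64Thumbprint = [Convert]::ToBase64String($cert.GetCertHash())
$base64Value      = [Convert]::ToBase64String($cert.GetRawCertData())

$manifest = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
$match = $manifest.keyCredentials | Where-Object { $_.customKeyIdentifier -eq $base64Thumbprint }

if (-not $match) {
    Write-Warning "No keyCredentials entry has thumbprint $($cert.Thumbprint)."
    Write-Host 'Add an entry with these values to the manifest (fresh keyId, verify usage):'
    [pscustomobject]@{
        customKeyIdentifier = $base64Thumbprint
        keyId               = [guid]::NewGuid().ToString()
        type                = 'AsymmetricX509Cert'
        usage               = 'Verify'
        value               = $base64Value
    } | ConvertTo-Json
    exit 1
}
if ($match.value -ne $base64Value) {
    throw "keyCredentials entry found by thumbprint, but its 'value' is not this certificate's public key."
}
if ($match.endDate -and ([datetime]$match.endDate) -lt (Get-Date)) {
    throw "keyCredentials entry for this certificate ended on $($match.endDate)."
}
Write-Host "OK: manifest keyCredentials entry matches $pfxPath (thumbprint $($cert.Thumbprint))."
```

If the check passes but the token request still fails, the next things to compare are the client ID in the request against the app registration that owns the manifest, and the resource passed to AcquireTokenAsync against the API actually being called.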