0
votes

I am testing the Microsoft Graph beta endpoint that sends invitations to guest users to join the tenant. The endpoint I am using is:

https://graph.microsoft.com/beta/invitations

Body:

 {
  "invitedUserEmailAddress": "[email protected]",
  "inviteRedirectUrl": "https://myDomain"
 }

I am passing the bearer token in Authorization header that I got for the local admin user through the ADAL4J api. However, this call gives me a 401 Unauthorized error. Following is the response:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "91f8129e-70cc-467d-a45b-9309e55788d6",
      "date": "2017-02-10T08:46:09"
    }
  }
}

Any clue on how to get this request working? On GitHub I have gone through other discussions (e.g.) where users are facing the same issue.

2
Have you checked the scope claim in the access token? You can use sites like jwt.io to check them. Also, your question title talks about the Azure AD Graph, but this is the Microsoft Graph API. Don't mix them up; they are different APIs with different capabilities. - juunas
@juunas I am able to get info from the access token using jwt.io, but I am not sure what the scope claim is. Are you referring to permissions? I have changed the title of the question. - adarsh hegde
I have given all the permissions in the app for the Microsoft Graph API. I can see that in the token info too. - adarsh hegde
A common mistake is to request all delegated permissions and then call using a token acquired using the client_credentials (application-only) flow, or vice versa. It will be hard to tell without you providing a code snippet or some more details on the token. You should be able to paste the access token directly into jwt.calebb.net to see the token and its claims. - Dan Kershaw - MSFT
@DanKershaw-MSFT by claims, is this ("scp:Calendars.Read Calendars.Read.Shared") what you mean? - adarsh hegde

2 Answers

2
votes

The token sent was obtained with resource as "https://graph.windows.net". The expected resource/audience for Microsoft Graph API is "https://graph.microsoft.com". Update your application manifest to include Microsoft Graph as a resource and request the required permissions. Then request token with above mentioned resource/audience.
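The answer above comes down to two claims in the token: `aud` (the resource the token was issued for) and `scp`/`roles` (the permissions it carries). The following is an added example, not code from the question or the answer, that performs that check locally, the same inspection one would do by pasting the token into jwt.io, before sending the request. It assumes the documented audience values for Microsoft Graph (`https://graph.microsoft.com`, or its application ID `00000003-0000-0000-c000-000000000000` in some v1 tokens) and Azure AD Graph (`https://graph.windows.net`), and that `User.Invite.All` is the permission required by `POST /invitations`; verify the permission name against the current Graph permissions reference. The sample tokens are constructed and unsigned, so the script runs offline and does not touch Azure AD.

```python
import base64
import json

# Audience values a Microsoft Graph token may carry (URI form, or the Graph app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Audience values that identify the (different) Azure AD Graph API.
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"}
# Assumed permission for POST /invitations; check the permissions reference.
REQUIRED_PERMISSION = "User.Invite.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This mirrors what jwt.io shows and is only for local diagnosis; never use an
    unverified payload for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, required_permission: str = REQUIRED_PERMISSION) -> list:
    """Return a list of problems that would make Microsoft Graph reject this token."""
    claims = decode_claims(token)
    problems = []

    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        hint = " (this is an Azure AD Graph token, not a Microsoft Graph token)" if aud in AAD_GRAPH_AUDIENCES else ""
        problems.append(f"aud is {aud!r}, expected one of {sorted(GRAPH_AUDIENCES)}{hint}")

    # Delegated tokens carry space-separated scopes in 'scp'; app-only tokens carry
    # a 'roles' array. A token has one or the other, depending on the flow used.
    delegated = set(claims.get("scp", "").split())
    app_only = set(claims.get("roles", []))
    granted = delegated | app_only
    if required_permission not in granted:
        problems.append(f"permission {required_permission!r} not in token; it carries {sorted(granted)}")

    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT ('alg': 'none') for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


# Constructed sample tokens (not real Azure AD tokens).
# 1. Token requested with resource "https://graph.windows.net", as in the question.
AAD_GRAPH_TOKEN = make_unsigned_token(
    {"aud": "https://graph.windows.net", "scp": "Directory.AccessAsUser.All User.Read"}
)
# 2. Token requested with resource "https://graph.microsoft.com" and the right scope.
MS_GRAPH_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Invite.All User.Read"}
)
# 3. App-only (client_credentials) token: permissions appear in 'roles', not 'scp'.
APP_ONLY_TOKEN = make_unsigned_token(
    {"aud": "00000003-0000-0000-c000-000000000000", "roles": ["User.Invite.All"]}
)

if __name__ == "__main__":
    for name, token in [("AAD Graph token", AAD_GRAPH_TOKEN),
                        ("MS Graph token", MS_GRAPH_TOKEN),
                        ("app-only token", APP_ONLY_TOKEN)]:
        problems = diagnose_graph_token(token)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

With ADAL4J the fix is to pass `https://graph.microsoft.com` as the `resource` argument when acquiring the token, and to make sure the permission you need is granted under the Microsoft Graph entry of the app registration, not under Windows Azure Active Directory (Azure AD Graph). Run the check before the HTTP call: a token that fails it will get the same `InvalidAuthenticationToken` response no matter which Graph endpoint you hit.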

0
votes

I am in exactly the same situation as @adarsh hegde. But I am targeting an Azure B2C instead. I can get the token for the Windows graph (using resource "https://graph.windows.net"), and I am able to create users within my web app that is registered with the right permission.

What I did is to acquire a token for graph.microsoft.com at the same time, but this token doesn't let me use invitations, giving me the same error as you: { "error": { "code": "InvalidAuthenticationToken", "message": "Access token validation failure.", "innerError": { "request-id": "91f8129e-70cc-467d-a45b-9309e55788d6", "date": "2017-02-10T08:46:09" } } }

UPDATE: So here are the steps that I've done so far:

  1. ADB2C directory
  2. Web app with OpenID registered in there with the required permissions to manage users in the AD, following this link
  3. When the admin is logged in, the Web app in trusted mode is able to let him manage users (create/add/etc...)
  4. Now what I want to use is the InvitationManager part of the MS graph (graph.microsoft.com) to be able to send invitation mail. Can I redeem the code received in the OpenIdConnectAuthenticationNotifications to get an access token for the MS graph? Knowing that I already do that, but for AD graph (graph.windows.net)

Thanks for the help