0
votes

I have created the app in apps.dev.microsoft.com. I am using https://login.microsoftonline.com/common/oauth2/v2.0/authorize for the authorization code and https://login.microsoftonline.com/common/oauth2/v2.0/token for access and refresh tokens. I am getting the access token successfully, but when I try to read the signed-in user's profile data it gives me the error:

Array (
    [error] => Array
        (
            [code] => Authorization_RequestDenied
            [message] => Insufficient privileges to complete the operation.
            [innerError] => Array
                (
                    [request-id] => 02269b14-2cf9-458e-b9d6-2aec1a23cee3
                    [date] => 2017-02-23T16:30:44
                )

        )

)

When I use the original Id with which the app was created, this error doesn't show up. But when I use any other id outside my tenancy, this error shows up. Can anyone suggest any workaround for this?

1 Answer

1
votes

Based on the previous post, you were using a request like the one below to acquire the token:

GET:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={clientId}&scope=openid%20profile&redirect_uri={redirectURL}

In this request, you were using the scopes (openid, profile), which wouldn't return an access_token for using the Microsoft Graph REST API. The profile scope only returns the user info in the id_token instead of granting you permission to access the user info via the Microsoft Graph REST API.

If you want to use the Microsoft Graph REST API, you need to add a scope like https://graph.microsoft.com/user.Read (for more scopes about reading user info, please refer here). And here is a sample request for your reference to enable access to the user's profile via https://graph.microsoft.com/v1.0/me:

GET:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={clientId}&scope=https://graph.microsoft.com/user.Read%20openid%20profile&redirect_uri={redirectURL}

And please note that the access_token is different from the id_token. We should perform the request to the resource (Microsoft Graph) using the access_token. The id_token is only used to validate the identity of the user for the client. For more about the concept of client and resource, you can refer here.

Please let me know if it helps.
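As an added illustration of the answer above (this is example code, not part of the original question or answer, and not Microsoft's own library code), the script below builds the v2.0 authorize URL with the Graph scope included, and then inspects a token's claims to predict, before any Graph call is made, whether https://graph.microsoft.com/v1.0/me would return Authorization_RequestDenied. The tokens it decodes are constructed, unsigned samples for offline use; the client id, redirect URI and usernames are placeholders. The `User.Read` spelling is the canonical form of the scope the answer writes as `user.Read`. Decoding here only reads the payload; it does not verify the signature, so it is a diagnostic aid, not a validation step.

```python
import base64
import json
import urllib.parse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH_SCOPE_PREFIX = "https://graph.microsoft.com/"
# Audience values a delegated Microsoft Graph access token carries:
# the resource URI, or Graph's well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Build the v2.0 authorize request. Scopes are space-separated, then URL-encoded."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # binds the redirect back to this request (CSRF protection)
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the payload claims of a compact JWT. Decodes only; NO signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token, required_scope="User.Read"):
    """Say why Graph would accept or reject this token for a delegated call to /me."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    if aud not in GRAPH_AUDIENCES:
        # An id_token's aud is the client id: it proves identity to the client
        # and is never a credential for the resource.
        return False, f"aud is {aud!r}: not a Graph access token (id_token aud = client_id)"
    granted = {s.lower() for s in claims.get("scp", "").split()}
    if required_scope.lower() not in granted:
        return False, f"scp {sorted(granted)} lacks {required_scope}: expect Authorization_RequestDenied"
    return True, "ok"


def graph_error_hint(error_body):
    """Map the error body shown in the question to the most likely cause."""
    code = error_body.get("error", {}).get("code")
    if code == "Authorization_RequestDenied":
        return "token lacks the needed Graph scope; request " + GRAPH_SCOPE_PREFIX + "User.Read"
    return f"unhandled Graph error code: {code!r}"


def _fake_jwt(payload):
    """Constructed, unsigned sample token (alg=none, empty signature) for offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real app id

# Constructed samples mirroring the three cases the answer describes.
ID_TOKEN = _fake_jwt({"aud": CLIENT_ID, "preferred_username": "alice@contoso.example"})
NO_USER_READ_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "openid profile"})
GRAPH_ACCESS_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                                "scp": "User.Read openid profile"})

# The error array from the question, as the JSON Graph actually returns (request-id constructed).
SAMPLE_ERROR = {"error": {"code": "Authorization_RequestDenied",
                          "message": "Insufficient privileges to complete the operation.",
                          "innerError": {"request-id": "00000000-0000-0000-0000-000000000000"}}}

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, "https://localhost/callback",
                              [GRAPH_SCOPE_PREFIX + "User.Read", "openid", "profile"], "xyz"))
    for name, tok in [("id_token", ID_TOKEN), ("openid/profile only", NO_USER_READ_TOKEN),
                      ("with User.Read", GRAPH_ACCESS_TOKEN)]:
        print(f"{name:20s} -> {check_graph_token(tok)}")
    print(graph_error_hint(SAMPLE_ERROR))
```

Run it as a script to see the three verdicts side by side; in a real client, call `check_graph_token` on the `access_token` field of the token response (never on `id_token`) before sending the Bearer header to Graph, and treat a false result as a misconfigured scope list rather than a Graph outage.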