I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users' information. Meaning:

- I created an app in https://apps.dev.microsoft.com/
- I set User.Read.All in Application Permissions and User.Read in Delegated Permissions. With this done I'm able to successfully log in (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
- Ask the admin for the delegated permissions. With this, my admin can see in the Azure portal that my app has both permissions consented by himself. This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent to this (before the admin consented the permissions, the user was prompted).
- Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as response_type.
- Receive the token!
- Do a GET request to https://graph.microsoft.com/v1.0/users and receive:

```json
{
  "error": {
    "code": "Authorization_IdentityNotFound",
    "message": "The identity of the calling application could not be established.",
    "innerError": {
      "request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
      "date": "2017-03-22T19:19:48"
    }
  }
}
```
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:

```json
{
  "error": {
    "code": "BadRequest",
    "message": "Current authenticated context is not valid for this request",
    "innerError": {
      "request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
      "date": "2017-03-22T19:39:25"
    }
  }
}
```
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.

I've been looking for documentation on Azure AD and Microsoft Graph authentication, but I only find blog posts and all seem outdated (although most features are in preview). If you could point me in the right direction I would be thankful.

I've also found this and this similar question on SO, but they both remain unanswered.
Update, after this answer:

Thank you, Dan, I've used my organization domain name and I'm also able to get a token. Now the response from https://graph.microsoft.com/v1.0/users/ is:
```json
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
      "date": "2017-03-23T11:07:15"
    }
  }
}
```
Which makes no sense, because in the Azure portal I have User.Read.All as an Application Permission (already consented by the admin).

I think the problem is with the request for the token, which returns successfully no matter the scope I send, even if I made one up.
For example:

```
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id: *******
client_secret: *******
resource: https://graph.microsoft.com/
grant_type: client_credentials
scope: Foo.Bar
```

Returns:

```json
{
  "token_type": "Bearer",
  "expires_in": "3599",
  "ext_expires_in": "0",
  "expires_on": "1490271617",
  "not_before": "1490267717",
  "resource": "https://graph.microsoft.com/",
  "access_token": "*****"
}
```
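The following is an added example, not code from the question or from Microsoft, for checking the two things the post runs into: that the client_credentials request goes to a tenant-specific endpoint (the `common` endpoint produced the Authorization_IdentityNotFound error, and the update shows the organization domain fixed that), and that the token actually issued carries the application permission. On a v1 endpoint token, application permissions granted by admin consent appear in the `roles` claim and delegated permissions from a user sign-in appear in `scp`; a token whose `roles` claim does not contain User.Read.All will be refused with Authorization_RequestDenied regardless of what was sent as `scope`. The tenant, client id, secret and sample token below are constructed placeholders, and `make_sample_token` exists only so the inspection functions can be exercised offline.

```python
"""Diagnostics for an Azure AD v1 client_credentials token (added example).

All identifiers here (tenant, client id, secret, sample tokens) are
constructed placeholders, not real credentials.
"""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_RESOURCE = "https://graph.microsoft.com/"


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form_body) for the v1 client_credentials grant.

    The grant is tenant-specific: with 'common' there is no tenant in which
    to resolve the app's service principal. No 'scope' parameter is sent;
    on the v1 endpoint the app's permissions come from admin consent, and
    the token endpoint silently accepts any value for 'scope'.
    """
    if tenant.lower() == "common":
        raise ValueError("client_credentials needs a tenant id or verified domain, not 'common'")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH_RESOURCE,
    })
    return url, body


def request_token(tenant, client_id, client_secret):
    """Perform the POST and return the parsed JSON response (network call)."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(access_token):
    """Read the JWT payload WITHOUT verifying the signature.

    Adequate for inspecting a token you just received from the issuer over
    TLS; never use this to make an authorization decision on a token
    presented by someone else.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def app_permissions(access_token):
    """Summarise the claims that decide what Graph will allow.

    'roles' lists application permissions (admin-consented, app-only);
    'scp' lists delegated permissions from a signed-in user.
    """
    claims = decode_payload(access_token)
    return {
        "aud": claims.get("aud"),
        "roles": list(claims.get("roles", [])),
        "scp": claims.get("scp", "").split(),
    }


def has_app_permission(access_token, permission):
    """True when the token carries `permission` in its 'roles' claim."""
    return permission in app_permissions(access_token)["roles"]


def make_sample_token(claims):
    """Build a JWT-shaped string for offline use (constructed, unsigned)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"typ": "JWT", "alg": "none"}
    return f"{enc(header)}.{enc(claims)}.signature-placeholder"


if __name__ == "__main__":
    # Constructed tokens: one with the app role issued, one without.
    good = make_sample_token({"aud": GRAPH_RESOURCE, "appid": "app-id-placeholder",
                              "roles": ["User.Read.All"]})
    bad = make_sample_token({"aud": GRAPH_RESOURCE, "appid": "app-id-placeholder"})
    for name, tok in (("good", good), ("bad", bad)):
        print(name, app_permissions(tok), "User.Read.All:", has_app_permission(tok, "User.Read.All"))
```

To use it against a real tenant, call `request_token("<tenant-domain-or-id>", client_id, client_secret)` and pass the returned `access_token` to `app_permissions`; an empty `roles` list on a token whose `aud` is the Graph resource means the application permission was not granted to the app's service principal in that tenant, which is the condition worth fixing before changing anything in the request.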