1
votes

I'm trying to use Microsoft Graph from my app via the REST API graph.microsoft.com/beta/schemaExtensions.

Here is what I did:

  1. Registered the app at https://apps.dev.microsoft.com

  2. Checked all Delegated and Application authorizations

  3. Got an access token without a user based on the OAuth Client Credentials Grant flow

  4. Asked for Admin Consent with the access token retrieved from point 3, and it was successful using https://login.microsoftonline.com/tenant/adminconsent?client_id=xxx&state=12345&redirect_uri=http://localhost:8081

  5. POST to /beta/schemaExtensions with the access token retrieved from point 3, and I get this error:

Authorization_RequestDenied - Insufficient privileges to complete the operation

So here are my questions, hoping someone could help me:

  1. How do I check whether delegated authorization is OK after the Admin Consent request?
  2. Which privileges are missing to use schemaExtensions?

My app should work without a user; that's the preferred approach.


2 Answers

1
votes

Couple of things here.

Extensions are GA and available on the /v1.0 version. Please use that instead of /beta.

We don't support schema extension registration using application permissions. It requires the Directory.AccessAsUser.All permission today (we're also investigating if there's another less privileged permission we can use here) per the create schema extensions topic.

Registering a schema extension can be a separate process from your application actually using the extension to create custom data on target object instances.

As such, we are making a change (should be available shortly) to allow you to register and manage schema extensions for your app using Graph Explorer. There is also a UserVoice request to have a UI experience in app registration for schema registration/management. Please vote for this if it's important to you.

I'll update this post once Graph Explorer supports registering and managing schema extensions.

Hope this helps,

0
votes

To answer the follow-up question, the calling user should have read/write access to add custom data to another user. However, you can use open extensions to add custom data using /me/extensions for the calling user (as long as the app has user.readwrite or higher permissions).
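The two answers above boil down to a token-shape problem: a client-credentials token carries application permissions in a `roles` claim and no `scp` claim, while schema extension registration needs a delegated token whose `scp` contains `Directory.AccessAsUser.All`, and open extensions on `/me/extensions` need a delegated token with at least `User.ReadWrite`. The following script is an added example, not code from the question or either answer, that inspects an access token's claims locally to tell those cases apart before making the call, and builds the corresponding `/v1.0` requests. The tokens it decodes are constructed, unsigned JWT-shaped strings for an offline demo; the helper names, the extension id `contoso_demo`, and the sample property names are assumptions. It decodes the payload without verifying the signature, which is fine for inspecting a token you obtained yourself but must never be used to make an authorization decision.

```python
import base64
import json

# Delegated permission the first answer names as required today for
# POST /schemaExtensions (application permissions are not supported).
REQUIRED_SCHEMA_SCOPE = "Directory.AccessAsUser.All"
# Minimum delegated permission the second answer names for /me/extensions.
REQUIRED_OPEN_EXT_SCOPE = "User.ReadWrite"
GRAPH_V1 = "https://graph.microsoft.com/v1.0"  # GA endpoint, not /beta


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for local inspection of a token you obtained yourself; the claims
    are untrusted input until a resource server validates the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def permission_claims(claims: dict) -> dict:
    """Split a token's permissions into delegated scopes (scp) and app roles (roles)."""
    scp = claims.get("scp", "")
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    roles = list(claims.get("roles", []))
    # A client-credentials token has roles but no scp: no signed-in user.
    return {"scopes": scopes, "roles": roles, "app_only": not scopes and bool(roles)}


def diagnose(token: str, required_scope: str) -> str:
    """Explain, from the token alone, why a delegated-only call would be denied."""
    perms = permission_claims(decode_claims(token))
    if perms["app_only"]:
        return "app-only token (roles, no scp): this call needs a delegated token"
    if required_scope not in perms["scopes"]:
        return f"delegated token but {required_scope} is missing from scp"
    return "ok"


def schema_extension_request(token: str, ext_id: str, target_types: list, properties: list) -> dict:
    """Build the v1.0 schemaExtensions POST (fields of the schemaExtension resource; values constructed)."""
    body = {"id": ext_id, "description": "demo extension", "targetTypes": target_types,
            "properties": properties}
    return {"method": "POST", "url": f"{GRAPH_V1}/schemaExtensions",
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "json": body}


def open_extension_request(token: str, name: str, data: dict) -> dict:
    """Build the v1.0 /me/extensions POST for an open (openTypeExtension) extension."""
    body = {"@odata.type": "microsoft.graph.openTypeExtension", "extensionName": name, **data}
    return {"method": "POST", "url": f"{GRAPH_V1}/me/extensions",
            "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            "json": body}


def _make_unsigned_jwt(payload: dict) -> str:
    """CONSTRUCTED, unsigned JWT-shaped token for the offline demo (empty signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens: what client credentials yields vs. what a delegated flow yields.
APP_ONLY_TOKEN = _make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                     "roles": ["Directory.ReadWrite.All"]})
DELEGATED_TOKEN = _make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                      "scp": "User.Read Directory.AccessAsUser.All"})

if __name__ == "__main__":
    for label, tok in (("client credentials", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(f"{label}: schemaExtensions -> {diagnose(tok, REQUIRED_SCHEMA_SCOPE)}")
        print(f"{label}: /me/extensions  -> {diagnose(tok, REQUIRED_OPEN_EXT_SCOPE)}")
    req = schema_extension_request(DELEGATED_TOKEN, "contoso_demo", ["Group"],
                                   [{"name": "courseId", "type": "Integer"}])
    print(req["url"], json.dumps(req["json"]))
```

Running the diagnosis on the client-credentials token reproduces the situation in the question: the token is valid and admin-consented, but it is app-only, so no amount of additional application permissions will make the schema extension POST succeed. Sending a request is the expensive way to find this out; checking the `scp`/`roles` split first is cheap and also a useful log field when triaging `Authorization_RequestDenied` responses.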