0
votes

How do you request the User.ReadBasic.All scope on an access token for the Azure Graph API? I'm trying by making a request to

https://login.microsoftonline.com/[tenant]/oauth2/token

passing over the following parameters

  • client_id (from application in Azure)
  • grant_type=password
  • resource=https://graph.windows.net
  • client_secret (from application in Azure)
  • username (username for authorized account)
  • password (password for authorized account)
  • scope=user.readbasic.all

However, the token I get back shows the Scope as "User.Read" which only allows me to read the profile of the user whose username/password I provide in the request. I need to be able to read the basic profile of ANY user with this token.

When I log in with my account to the Graph Explorer, I can read any user profile I want. What are they sending that I am not?

What am I missing here????

1 Answer

2
votes

You are mixing up the V1 and V2 endpoints. In the V2 endpoint, we support a querystring of scope which allows you to dynamically determine the scopes you want in your access token at the time of the token request.

However, for the V1 endpoint, you must configure ahead of time the permissions you require to the APIs you are trying to call.

You need to go to your application's configuration, and select the appropriate permission for the AAD Graph API. Here is a screenshot of this from the Azure Portal.
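
The mismatch described in this answer can be checked before and after the token request. The following is an added example, not code from the original post: it flags a `scope` parameter sent to the V1 endpoint and compares the `scp` claim of the returned token with the scopes the caller needs. The V2 path `/oauth2/v2.0/token`, the function names, the tenant placeholder and the unsigned sample token are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse


def endpoint_version(token_url: str) -> str:
    """Return 'v2' for .../oauth2/v2.0/token and 'v1' for .../oauth2/token."""
    path = urlparse(token_url).path.lower()
    return "v2" if "/oauth2/v2.0/" in path else "v1"


def lint_token_request(token_url: str, params: dict) -> list:
    """Flag request parameters that do not match the endpoint version in use."""
    version, notes = endpoint_version(token_url), []
    if version == "v1" and "scope" in params:
        notes.append("v1: 'scope' does not select permissions; "
                     "configure them on the application beforehand")
    if version == "v2" and "resource" in params:
        notes.append("v2: 'resource' is a v1 parameter; request permissions with 'scope'")
    return notes


def granted_scopes(access_token: str) -> set:
    """Read the 'scp' claim from the JWT payload (no signature check: diagnostics only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {s.lower() for s in claims.get("scp", "").split()}


def missing_scopes(access_token: str, required: list) -> list:
    """Scopes the caller needs that the token does not carry (case-insensitive)."""
    have = granted_scopes(access_token)
    return [s for s in required if s.lower() not in have]


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed, not issued by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    url = "https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/token"
    request = {"grant_type": "password", "resource": "https://graph.windows.net",
               "scope": "user.readbasic.all"}  # parameters as listed in the question
    print(lint_token_request(url, request))
    print(missing_scopes(constructed_token({"scp": "User.Read"}), ["User.ReadBasic.All"]))
```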