0
votes

I am trying to use the Office 365 usage reports in the Graph API. For example, I would like to export the EmailActivity report with the request GET /reports/EmailActivity(view=view-value, period=period-value, date=date-value)/content

When I try the example https://graph.microsoft.com/beta/reports/EmailActivity(view='Detail',period='D7')/content in Graph Explorer, I get the following error:

Failure - Status Code 403, 705ms
Looks like you may not have the permissions for this call. Please modify your permissions.

    {
        "error": {
            "code": "Forbidden",
            "message": "Invalid scope claims/roles.",
            "innerError": {
                "request-id": "f1f89dcf-b2df-4537-a4ad-f07ccfff2899",
                "date": "2017-07-05T17:01:23"
            }
        }
    }

I don't understand, because I am logged in as an admin of Office 365 and I have added almost all the permissions. What have I missed?

Edit: More details. I use Graph Explorer. When I click to grant access

I have the confirmation

I have the admin right

I try my request in Graph Explorer

And I have my error

I don't know what I could do better.

2
Could you provide the scopes you're requesting? – Marc LaFleur
Where could I find my scope in the Graph Explorer request? – Mary

2 Answers

1
votes

According to the Get EmailActivity report document, reading that report needs the Reports.Read.All permission. And according to the Reports permissions of the Microsoft Graph API, Reports.Read.All is an application permission which allows an app to read all service usage reports without a signed-in user. To call that API, you need to use the client credential flow to acquire a token with the app identity:

  1. Add the Read all usage reports application permission of Microsoft Graph in your Azure AD application.

  2. Grant that application permission by clicking the Grant Permissions button in the above screenshot with an admin account of your AAD.

  3. Use the client credential flow to acquire an access token for Microsoft Graph:

    POST https://login.microsoftonline.com/chencl.onmicrosoft.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&resource=https%3A%2F%2Fgraph.microsoft.com%2F
    

    After you get the access token, you could decode the token using an online tool; you should find Reports.Read.All in the roles claim.

  4. Then you could call the EmailActivity API; it returns a 302 Found response redirecting to a pre-authenticated download URL for the report.

Please let me know if it helps.
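The roles check from step 3, done locally so the token never leaves your machine. This is an added example, not part of the original answer; the function names, the return labels and the sample tokens are constructed for illustration, and it assumes Azure AD's usual claim layout (`roles` as an array for application permissions, `scp` as a space-separated string for delegated ones).

```python
import base64
import json

REQUIRED_ROLE = "Reports.Read.All"  # application permission named in the answer


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Inspection only: never make an authorization decision from this output.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose(jwt: str, required: str = REQUIRED_ROLE) -> str:
    """Classify a token: 'ok', 'delegated-token' or 'missing-role' (labels are this example's own)."""
    claims = token_claims(jwt)
    roles = claims.get("roles", [])         # app-only permissions (client credentials)
    scopes = claims.get("scp", "").split()  # delegated permissions (signed-in user)
    if required in roles:
        return "ok"
    if scopes and not roles:
        return "delegated-token"  # user token: it cannot carry an application permission
    return "missing-role"         # app token, but the permission was not added or consented


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    print(diagnose(make_sample({"roles": [REQUIRED_ROLE]})))       # app-only token
    print(diagnose(make_sample({"scp": "Mail.Read User.Read"})))   # delegated token
```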

0
votes

If you are using the Application Registration Portal to get the token:

  1. In the Application Registration Portal, set the permissions that you need, for example Mail.Read and Directory.AccessAsUser.All. You always need to use Directory.AccessAsUser.All if you want to get the token.
    1. After saving in the Application Registration Portal, go to the Azure Portal: Azure Active Directory --> Enterprise applications --> click on your application --> "click in consent permission for username..." --> log in --> accept.
    2. Use a library such as hellojs and get a token.