I've created a sample MVC app using VS 2015 and used the Azure AD Auth wizard. When I launch this web application, it asked me to register the app with Azure AD (first time only) and then for a user id/password. I entered an Office 365/Azure AD account and successfully logged in. Everything is working perfectly fine, and at the top right I can see Hello "myname".

Now I tried to make a REST call to Office 365 using RestSharp. It is giving me a 403 error (access denied).

When I tried to use the graph API URL https://graph.windows.net/testname.com/groups?api-version=1.6, I am getting an unauthorized access error.

Here is my test code with graph API call:

    // Azure AD Graph endpoint for the tenant's groups (RestSharp client)
    string url = "https://graph.windows.net/testname.com/groups?api-version=1.6";
    var client = new RestClient(url);
    client.ClearHandlers();
    var jsonDeserializer = new JsonDeserializer();
    client.AddHandler("application/json", jsonDeserializer);
    // Plain GET: no Authorization header is attached to this request
    var request = new RestRequest(Method.GET);
    var queryResult = client.Execute(request);

I am using the same code with the O365 REST URL for the Office 365 call.

Why am I getting access denied in both cases if my app is already authenticated against Azure AD, which is the base authentication? Also, Request.IsAuthenticated is always true.

Isn't a single identity provider (AAD) used for Azure, Office 365 and related resources?


1 Answer


It's possible your app isn't configured to call the /groups endpoint of graph. While the end user is authenticated and you have gotten tokens for the Azure AD Graph (graph.windows.net), this access token needs to have a certain set of permissions to call the endpoints.

To configure these graph permissions, you can go to the Azure Portal, select Azure Active Directory, then App Registrations, and finally Required Permissions. The resource you're calling is Windows Azure Active Directory, and then you can look through the list of scopes for what you want to call.

Another great resource I'll recommend is the Azure AD Graph Explorer. This can help understand the type of data the graph can provide.

Edit: Check out the comments for the answer. OP had used the OpenID Connect middleware (OWIN) and needed help getting an access token for a resource. In order to do this, you must use a combination of OWIN + ADAL. OWIN gets an auth code, and ADAL can exchange this auth code for an access token.
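The OWIN + ADAL combination the answer describes, written out as an added example (this is not the asker's or the answerer's code). It assumes ADAL v3 (Microsoft.IdentityModel.Clients.ActiveDirectory), the Microsoft.Owin.Security.OpenIdConnect middleware and RestSharp; the client id, client secret, tenant id and tenant domain are placeholders, and the per-user in-memory token cache is a simplification. The key point is that signing in the user only proves who they are; the Graph call needs a separate access token issued for the resource https://graph.windows.net, sent as an Authorization: Bearer header. The response handling distinguishes a 401 (no usable token for this resource) from a 403 (valid token, but the app registration lacks the required permission or consent).

```csharp
// Added example: OWIN OpenID Connect sign-in that also redeems the auth code with ADAL,
// then calls the Azure AD Graph with a bearer token. All ids/secrets below are placeholders.
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using RestSharp;

public static class GraphTokenSample
{
    // Placeholders: read these from configuration; never commit the secret to source control.
    private const string ClientId = "<client-id-from-app-registration>";
    private const string ClientSecret = "<client-secret-from-config>";
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>";
    // The resource the access token must be issued FOR (Azure AD Graph), not the tenant URL.
    private const string GraphResource = "https://graph.windows.net";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Simplification: one ADAL token cache per signed-in user, held in memory.
    private static readonly ConcurrentDictionary<string, TokenCache> Caches =
        new ConcurrentDictionary<string, TokenCache>();

    private static TokenCache CacheFor(string userObjectId) =>
        Caches.GetOrAdd(userObjectId, _ => new TokenCache());

    // Startup.Auth.cs equivalent: sign the user in and capture the authorization code.
    public static void ConfigureAuth(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            // "code id_token": the middleware gets an id_token for sign-in AND an auth code for us.
            ResponseType = "code id_token",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async context =>
                {
                    ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                    string userObjectId = identity.FindFirst(ObjectIdClaim).Value;
                    var authContext = new AuthenticationContext(Authority, CacheFor(userObjectId));
                    var credential = new ClientCredential(ClientId, ClientSecret);
                    // Redeem the code for an access token (and refresh token) scoped to the Graph.
                    // The result lands in the user's cache; later calls acquire it silently.
                    await authContext.AcquireTokenByAuthorizationCodeAsync(
                        context.Code,
                        new Uri(context.Request.Uri.GetLeftPart(UriPartial.Path)),
                        credential,
                        GraphResource);
                }
            }
        });
    }

    // Controller-side call: attach the cached Graph token as a bearer header.
    public static async Task<IRestResponse> GetGroupsAsync(ClaimsPrincipal user, string tenantDomain)
    {
        string userObjectId = user.FindFirst(ObjectIdClaim).Value;
        var authContext = new AuthenticationContext(Authority, CacheFor(userObjectId));
        var credential = new ClientCredential(ClientId, ClientSecret);

        AuthenticationResult result;
        try
        {
            // Served from the cache filled at sign-in; ADAL refreshes it when it expires.
            result = await authContext.AcquireTokenSilentAsync(
                GraphResource, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No token for this resource in the cache: the user must sign in again.
            throw new InvalidOperationException("No Graph token cached; redirect the user to sign in.");
        }

        var client = new RestClient("https://graph.windows.net/" + tenantDomain);
        var request = new RestRequest("groups?api-version=1.6", Method.GET);
        request.AddHeader("Authorization", "Bearer " + result.AccessToken);
        IRestResponse response = client.Execute(request);

        // 401: the token is missing/invalid or was issued for a different resource.
        // 403: the token is valid but the app lacks the Required Permission (or admin consent)
        //      for the Windows Azure Active Directory resource, as the answer describes.
        if (response.StatusCode == HttpStatusCode.Unauthorized ||
            response.StatusCode == HttpStatusCode.Forbidden)
        {
            throw new UnauthorizedAccessException(
                $"Graph returned {(int)response.StatusCode}: {response.Content}");
        }
        return response;
    }
}
```

Call `ConfigureAuth` from the OWIN Startup class and `GetGroupsAsync(User, "testname.com")` from a controller action; because the token cache is in memory, the cached token is lost on app restart and the user has to sign in again to repopulate it.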