Azure ADAL library to access Microsoft graph API

1
votes

I've registered a Native app in Azure AD and given all delegate permission to access graph API.I am trying to test this solution with a console solution (exe) with following code which uses client id and secret 

  private static async void AcquireTokenAsync() {
            AuthenticationContext context = new AuthenticationContext("https://login.windows.net/xxxxxx-xxxx-485b-a40f-xxxxxxxx/oauth2/token", true);
            var result = await context.AcquireTokenAsync("https://graph.microsoft.com",
                                                      new ClientCredential("xxxxxx-32cf-xxxx-8888-555555555555",
                                                      "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV89cWfH0w="
                                                      )
                                                      );

            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + result.AccessToken);
            HttpResponseMessage response = await client.GetAsync("https://graph.microsoft.com/v1.0/users/");
            string retResp = await response.Content.ReadAsStringAsync();
            string token = result.AccessToken;
            Console.WriteLine(token + "\n" + restResp);

}

There is no problem in retrieving token.I am getting the accesstoken but with following error /response in graph api call with the token

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "cb7aaaa9-d9a0-485a-7777-b5bfe68ba771",
      "date": "2017-07-22T11:01:49"
    }
  }
}

Please suggest what is going wrong

1
azureazure-active-directorymicrosoft-graph-apiazure-ad-graph-api

1 Answers

1
votes

Please take a look at the differences between delegated and app only permissions here.

The issue you are running into is that you have requested Delegated permissions to the Graph API, but then you are acquiring an App Only Token, which requires a different kind of permission. If you take a look at your token you will see that your token is lacking the claims required to make calls to the graph.

Instead, you need to do one of the following:

  1. Get an App + User Token following the Authorization Code Grant Flow. This will result in delegated access to the Graph, and your call should work.
  2. Request App Only permissions to the Graph API. This will allow your current authentication method to gain access to the Graph API. However, all App Only permissions require an administrator to consent to the application.