2
votes

I have a problem (or two) with regard to accessing my Office 365 account via the Microsoft Graph API.

The first issue is that I have a Java program that is attempting to list all users in the Office 365 subscription. I am calling https://graph.microsoft.com/v1.0/users/ but getting a 403 Forbidden back.

On the App registration, I have added permissions including User.Read, User.ReadBasic.All, User.ReadWrite on both delegated and app permissions.

I have also tried to use the Graph Explorer, but when I enter to use my account it still uses the built-in Graph user and doesn't show my application login info. Not sure if these are related.

Here is a code snippet that results in a 403:

AuthenticationResult result = getAccessTokenFromUserCredentials(RESOURCE_GRAPH, ID, PASSWORD);

URL url = new URL("https://graph.microsoft.com/v1.0/users/");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("Accept", "application/json");
conn.setRequestProperty("Authorization", "Bearer " + result.getAccessToken());
if (conn.getResponseCode() != 200) {
    throw new RuntimeException("Failed : HTTP error code : " + conn.getResponseCode());
}

And here is the method that gets the token:

// ADAL for Java (adal4j) username/password flow. AUTHORITY and CLIENT_ID are
// class constants defined elsewhere in the program.
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import javax.naming.ServiceUnavailableException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

private static AuthenticationResult getAccessTokenFromUserCredentials(String resource,
        String username, String password) throws Exception {
    AuthenticationContext context;
    AuthenticationResult result = null;
    ExecutorService service = null;
    try {
        service = Executors.newFixedThreadPool(1);
        // validateAuthority = false; the executor runs the token request asynchronously
        context = new AuthenticationContext(AUTHORITY, false, service);
        // Resource Owner Password Credentials grant: user name + password, no callback
        Future<AuthenticationResult> future = context.acquireToken(
                resource, CLIENT_ID, username, password, null);
        result = future.get();
    } finally {
        if (service != null) {
            service.shutdown();
        }
    }

    if (result == null) {
        throw new ServiceUnavailableException("authentication result was null");
    }
    return result;
}
2
How are you authenticating the user to get the token you're passing into /users? – Marc LaFleur
Updated with code example. If I call graph.microsoft.com/v1.0/me, I get back the JSON string representing my user. But if I call with /users/ I get the 403. I can also access the SharePoint endpoint OK and get site data etc. – Gary
User.ReadBasic.All needs admin consent; have you tried to do admin consent? Where do you register the app, in the Azure portal? – Nan Yu
It's registered on apps.dev.microsoft.com and it then also shows up as an application under my user in the Azure portal as well. Although, when I look in Azure it lists it as default access. But when I list the permissions it informs me that I have Read Users, both User Consent and Admin Consent. The app states its access is User Consent. Where can I change this? – Gary

2 Answers

1
votes

The app registered in apps.dev.microsoft.com works with the v2.0 endpoint. Please click here for more details about the v2.0 endpoint.

You can acquire a token using the v2.0 authentication protocols and the Azure Active Directory v2.0 authentication libraries. During authentication, you need to do user consent or admin consent for the User.ReadBasic.All permission. After consenting, the access token includes that delegated permission and will work when calling the list users operation.
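The quickest way to tell whether consent actually took effect is to look at what the issued token carries, and to read Graph's error body rather than just the status code when a call is refused. The following is an added diagnostic example, not code from the question, this answer, or Microsoft's libraries. It uses only the JDK: it decodes the token payload (without verifying the signature, so it is for inspecting a token you obtained yourself, not for trusting one presented to you), checks the `scp` claim (delegated permissions) or the `roles` claim (application permissions) for a permission that covers `GET /users`, and, on a non-2xx response, includes Graph's JSON error in the exception. `LIST_USERS_PERMISSIONS`, `canListUsers`, `getGraph` and `constructedToken` are names chosen here; `User.ReadBasic.All` is the permission this answer names, and the other entries are further Graph permissions that also cover listing users. The sample tokens in `main` are constructed and unsigned so the check runs offline; the assumption that a missing-permission 403 carries the `Authorization_RequestDenied` code in its body reflects Graph's documented error format.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GraphTokenCheck {

    // Permissions sufficient for GET /v1.0/users (User.ReadBasic.All is the one named in the answer).
    static final List<String> LIST_USERS_PERMISSIONS = Arrays.asList(
            "User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All", "Directory.Read.All");

    // Decode the payload segment of a JWT. The signature is NOT checked: this is
    // for looking at your own token, never for deciding whether to trust one.
    static String decodePayload(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT: expected header.payload.signature");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Delegated permissions are a space-separated "scp" string; application
    // permissions (client-credentials flow) are a "roles" array. Return whichever is present.
    static List<String> grantedPermissions(String payloadJson) {
        Matcher scp = Pattern.compile("\"scp\"\\s*:\\s*\"([^\"]*)\"").matcher(payloadJson);
        if (scp.find() && !scp.group(1).trim().isEmpty()) {
            return Arrays.asList(scp.group(1).trim().split("\\s+"));
        }
        List<String> roles = new ArrayList<>();
        Matcher arr = Pattern.compile("\"roles\"\\s*:\\s*\\[([^\\]]*)\\]").matcher(payloadJson);
        if (arr.find()) {
            Matcher each = Pattern.compile("\"([^\"]*)\"").matcher(arr.group(1));
            while (each.find()) {
                roles.add(each.group(1));
            }
        }
        return roles;
    }

    // True if the token carries at least one permission that covers listing users.
    static boolean canListUsers(String accessToken) {
        for (String p : grantedPermissions(decodePayload(accessToken))) {
            if (LIST_USERS_PERMISSIONS.contains(p)) {
                return true;
            }
        }
        return false;
    }

    // GET a Graph URL; on failure the error stream is read so the exception shows
    // Graph's own error code (a missing permission yields "Authorization_RequestDenied").
    static String getGraph(String accessToken, String graphUrl) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(graphUrl).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        int status = conn.getResponseCode();
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        String text = readAll(body);
        if (status < 200 || status >= 300) {
            throw new IOException("HTTP " + status + " from " + graphUrl + ": " + text);
        }
        return text;
    }

    private static String readAll(InputStream in) throws IOException {
        if (in == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }

    // Build an unsigned token from a constructed payload, for offline demonstration only.
    static String constructedToken(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        return header + "." + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".";
    }

    public static void main(String[] args) {
        // Constructed payloads mirroring the question: a token with only User.Read
        // (fine for /me, 403 on /users) and one that also carries User.ReadBasic.All after consent.
        String onlyMe = constructedToken("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"User.Read\"}");
        String afterConsent = constructedToken("{\"aud\":\"https://graph.microsoft.com\",\"scp\":\"User.Read User.ReadBasic.All\"}");
        System.out.println("User.Read only      -> can list users? " + canListUsers(onlyMe));
        System.out.println("+User.ReadBasic.All -> can list users? " + canListUsers(afterConsent));
        // With a real token: if canListUsers(token) is false, repeat consent before
        // calling getGraph(token, "https://graph.microsoft.com/v1.0/users").
    }
}
```

Run `canListUsers` on the real token returned by `AuthenticationResult.getAccessToken()`; if the permission is absent from `scp`, the 403 is expected and the fix is on the consent side, not in the HTTP code.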

1
votes

OK, thought I should post up the answer. Firstly, and most confusingly, the apps.dev.microsoft.com registration didn't seem to work (even though I was using the v2.0 endpoint and the version 2 libraries).

However, when I registered the app using the Azure portal directly, this fixed the issue. I have subsequently been able to access the service correctly.

It seems strange that, although the authentication / authorisation service was standard for my app and worked perfectly for accessing SharePoint / OneDrive etc., when wanting to hit the users endpoint it would only work if the app was registered in portal.azure.com.

Many thanks everyone for your help.