
I followed the Active Directory .NET WebAPI onBehalfOf sample.

In the web API I created another endpoint to access the Intune app protection policy from the URL
https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies, and in Azure I granted the app permission to access the Graph API.

In the call to AcquireTokenAsync I changed the resource ID to https://graph.microsoft.com/.

This returned a JWT token that contained:

"aud": "https://graph.microsoft.com/",
"scp": "DeviceManagementApps.ReadWrite.All User.Read",

However, fetching the endpoint

https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies

returns an HTTP response of 401 Unauthorized.

What is missing?


1 Answer


This generally implies one or both of the following issues:

  • You need to obtain Admin Consent. The DeviceManagementApps.ReadWrite.All scope requires that an Admin consent to the permissions before a normal user can authorize the scope.

  • Your app's registration doesn't have the correct scopes defined in Azure. Make sure your registration is selecting scopes for Microsoft Graph and not Azure AD Graph API. These are two distinct APIs and the differences are greater than simply the resource URI.

Also note that the Client Credentials grant (aka Application scope) isn't supported by the Intune APIs. You can only call these endpoints using Delegated permissions (Authorization Code or Implicit grants).
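As an added diagnostic example (not code from the question or the answer), a short Python script that decodes the access token's claims without verifying the signature and reports which of the conditions above is likely behind the 401: a token issued for a different audience, an application token (a `roles` claim, no `scp`) where Intune requires a delegated one, or the required scope missing from `scp`. The sample token is constructed from the claims quoted in the question; `decode_claims` and `diagnose` are names chosen here.

```python
import base64
import json


def b64url_json(obj):
    """Base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: the claims from the question, with a dummy signature.
# It is only used for claim inspection, never for validating the token.
SAMPLE_TOKEN = ".".join([
    b64url_json({"typ": "JWT", "alg": "RS256"}),
    b64url_json({"aud": "https://graph.microsoft.com/",
                 "scp": "DeviceManagementApps.ReadWrite.All User.Read"}),
    "dummysignature",
])


def decode_claims(token):
    """Return the payload claims of a compact JWT without checking the
    signature. Inspection only: do not use these claims for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, resource, required_scope):
    """List reasons a Graph call made with `token` may be rejected.
    An empty list means the token is a delegated token for `resource`
    that carries `required_scope`."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != resource.rstrip("/"):
        findings.append("aud %r does not match resource %r: token was "
                        "issued for a different API" % (claims.get("aud"), resource))
    scopes = set(str(claims.get("scp", "")).split())
    if "scp" not in claims and claims.get("roles"):
        findings.append("application token (roles, no scp): Intune endpoints "
                        "need delegated permissions")
    elif required_scope not in scopes:
        findings.append("%s missing from scp: check admin consent and that the "
                        "Microsoft Graph permission is selected" % required_scope)
    return findings
```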