2
votes

I'm working on an application that, at this point, will retrieve the Office Groups that the logged-in user is included in and perform actions based on that info.

I'm using OAuth 2.0 and the v2.0 token endpoint to get access without a user. With the code below, I can provide administrator consent to the permissions (which were applied as application permissions on the new Application Registration Portal https://apps.dev.microsoft.com/ and appear in the Enterprise Applications section on Azure), request the token from Azure and receive it, but even with the permissions applied and that token, I get a 403 response code (Insufficient privileges) from the Graph API for any request I try to perform.

The code for those actions is the following:

    using System.Net.Http;
    using Newtonsoft.Json;
    using Newtonsoft.Json.Linq;

    // Assumed to be declared elsewhere in the class (not shown in the post):
    // HttpClient client; string TenantId, ClientId;
    // Dictionary<string, string> tokenRequestPairs with the client credentials
    // form fields. Note that the v2.0 token endpoint takes
    // scope=https://graph.microsoft.com/.default, not resource=... (that is v1).

    // Request Admin Consent.
    // Admin consent is an interactive browser flow: a server-side GET like this
    // only fetches the sign-in page and records no consent for the tenant.
    HttpRequestMessage adminConsentRequest = new HttpRequestMessage(HttpMethod.Get,
        "https://login.microsoftonline.com/" + TenantId + "/adminconsent?client_id=" + ClientId +
        "&redirect_uri=https%3A%2F%2Flocalhost%3A44369%2FHome%2F");
    var adminConsentResponse = await client.SendAsync(adminConsentRequest);

    // Request Token (client credentials, app-only: the token carries roles, no user)
    HttpRequestMessage tokenRequest = new HttpRequestMessage(HttpMethod.Post,
        "https://login.microsoftonline.com/" + TenantId + "/oauth2/v2.0/token")
        { Content = new FormUrlEncodedContent(tokenRequestPairs) };
    var tokenResponse = await client.SendAsync(tokenRequest);
    string tokenResponseBody = await tokenResponse.Content.ReadAsStringAsync();
    var deserializedTokenResponse = (JObject)JsonConvert.DeserializeObject(tokenResponseBody);
    string accessToken = deserializedTokenResponse["access_token"].Value<string>();

    // Call Microsoft Graph API.
    // /me refers to the signed-in user; an app-only token has none, so this
    // request cannot be resolved even when the roles claim is correct.
    HttpRequestMessage graphRequest = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me/memberOf");
    graphRequest.Headers.Add("Authorization", "Bearer " + accessToken);
    var graphResponse = await client.SendAsync(graphRequest);
    string graphResponseBody = await graphResponse.Content.ReadAsStringAsync();
    var deserializedGraphResponse = (JObject)JsonConvert.DeserializeObject(graphResponseBody);

[Screenshot: Enterprise Application permissions on Azure]

[Screenshot: App Registration Portal permissions]

Can someone point me to any mistake I'm making? With the authorization token and the permissions applied, I can't see why I would get an AccessDenied response.

It's been more than 48 hours since I applied the permissions, so it's not a sync problem.


Update: So thanks to @juunas I managed to reapply the permissions, and the token now shows all the permissions applied on the Application Portal (User.Read.All, Directory.Read.All and Group.Read.All), but the API still returns a 403 status code (Authorization_RequestDenied).

I've tried another endpoint without the /me, just to make sure it's not a reference problem, but it also returns a 403 status code.

One thing that is funny is that the app was registered on the new app portal, as I said, and it appears under Enterprise Applications on Azure but not under my App Registrations, so I can only alter permissions on the new App Portal. Should it be like this, since I'm using the new registration portal?

Have you checked the access token at, for example, jwt.ms? In order to be valid, it should contain a roles claim with the necessary app permissions. – juunas

Just tried, the roles claim contains the Group.Read.All permission only (but it is the only one I need, so it should not be a problem). – Gabriel Retcheski

In tokenRequestPairs, do you have resource = "https://graph.microsoft.com"? – juunas

Thanks! I'll check on that; if I find something out I'll post a response here! :) – Gabriel Retcheski

Hey @juunas, it worked after reapplying the permissions through your blog post! Can you post your comment as an answer so I can mark it as approved? – Gabriel Retcheski
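The check juunas suggests in the comments (decode the access token and look at its claims, as jwt.ms does) can be scripted, and the same inspection explains the two failure modes the question runs into: a token with no roles claim because admin consent was never recorded, and a call to /me with an app-only token that represents no user. The following is an added example written for this page in Python, not code from the question or from any Microsoft library. It decodes the JWT payload without verifying the signature (inspection only; Microsoft Graph is the party that validates the token), and the two sample tokens are constructed with an unsigned header and placeholder values rather than captured from a real tenant. The Graph application ID used as an accepted audience is Microsoft Graph's well-known ID; the diagnostic messages are my own wording.

```python
import base64
import json

# Microsoft Graph's well-known application ID. Tokens issued for Graph carry
# either this GUID or "https://graph.microsoft.com" in the aud claim.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {GRAPH_APP_ID, "https://graph.microsoft.com"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    This is an inspection aid (what jwt.ms does in the browser), not a
    validation step: only the resource (Graph) needs to verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, required_role: str, path: str) -> list:
    """Explain, before the request is sent, why an app-only Graph call may get 403.

    Returns human-readable findings; an empty list means the token fits the call.
    """
    claims = decode_jwt_payload(token)
    findings = []

    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}; the token was not issued for Microsoft Graph")

    roles = claims.get("roles", [])          # application permissions (app-only)
    scopes = claims.get("scp", "").split()   # delegated permissions (user present)
    if not roles and not scopes:
        findings.append("token carries neither roles nor scp; admin consent was "
                        "not recorded for this service principal")
    elif required_role not in roles:
        findings.append(f"roles claim {roles} does not include {required_role}")

    # /me names the signed-in user. A client-credentials token has roles but no
    # scp and no user, so Graph cannot resolve /me for it regardless of roles.
    if path.startswith("/me") and not scopes:
        findings.append("/me has no meaning for an app-only token; address the "
                        "user or group by id instead")
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline demos (constructed, alg=none, no signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: an app-only token for Graph after admin consent has been
# recorded for the three permissions named in the question's update.
GOOD_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "<client-id-placeholder>",
    "roles": ["Group.Read.All", "User.Read.All", "Directory.Read.All"],
})

# Constructed sample: the state described in the question, where consent was
# never recorded for the service principal and the roles claim is missing.
NO_ROLES_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "<client-id-placeholder>",
})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("no-roles", NO_ROLES_TOKEN)):
        for path in ("/groups/<group-id>/members", "/me/memberOf"):
            print(name, path, diagnose_graph_token(tok, "Group.Read.All", path))
```

Run against a real token, the function reproduces the two observations in the thread: with an empty or missing roles claim every Graph call is refused with Authorization_RequestDenied, and with a correct roles claim the /me family still fails because an app-only token identifies no user, which is why the /{group-id}/members route in the accepted workaround succeeds.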

2 Answers

0
votes

Okay, so a few minutes after the update to the original post, the token was accepted by the endpoints.

The only problem is that the Graph API does not recognize the ID of the logged-in user for the /me endpoints, but I bypassed that using the /{group-id}/members endpoint (not how I wanted it in my case, but it solves my problem).

Thanks @juunas for the help!

0
votes

After a discussion in the comments, the problem was fixed by re-consenting to the permissions, similarly to what is shown in my blog post: https://joonasw.net/view/the-grant-requires-admin-permission (though it is written for v1).

To run admin consent again, you need to add prompt=admin_consent to the authorize URL.