Microsoft graph and Azure Ad user authentication

Question

I have an application registered in Azure ad.

When i do ADAL with the following details i get a authoriazation token to use with microsoft graph api.

    `username      = '[email protected]'
    password      = 'password123'
    client_id     = application id from azure ad
    client_secret = keys from application on azure ad
    tenant        = directory id from azure ad`

Using this token i can fetch the list of all sites in my sharepoint account.

Below is the endpoint i call to fetch the sites with the bearer token: https://graph.microsoft.com/v1.0/sites?search=*

But when I just do the client authentication using token generated using below endpoint Iam not able to access the sites list. login.microsoftonline.com/tenant_id/oauth2/v2.0/token

    `grant_type : client_credentials
    clientid : client_id
    clientsecrte : client_secret
    scope : https://graph.microsoft.com`

It does not return all of the sites.

Is there a way of getting all sites list with just client authentication.

Or can i get a token for user authentication without user password.

Here is the token decoded that i am using: { "aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/", "iat": 1528949458, "nbf": 1528949458, "exp": 1528953358, "aio": "Y2dgYLh*************xAAA=", "app_displayname": "App Name", "appid": "504ddb16-2899-48be-be57-**********", "appidacr": "1", "idp": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/", "oid": "afcf166f-24c2-49f1-b285-b672d0413c50", "roles": [ "Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All", ], "sub": "afcf166f-24c2-49f1-b285-b672d0413c50", "tid": "586145ec-0428-4da6-8061-fb114257ab70", "uti": "hwYd8FZCH0KruWGRFiIHAA", "ver": "1.0" }

I get other permissions also but these are site related in Microsoft Graph api

Could you post the error massage you got ? The successful one is using ROPC flow and it can get the delegated permissions onbehlaf of the user. But the failed one is using client_credentials flow which get the application permissions and cannot onbehlf of the user. — Wayne Yang

Wayne Yang Wayne Yang · Accepted Answer · 2018-06-06T02:56:05

Cause:

The successful one is using ROPC flow and it can get delegated permissions onbehlaf of the user. But the failed one is using client_credentials flow which get application permissions and cannot onbehlf of the user.

Updated Answer

Solution:(Before you do this test, ensure you have SPO license in your tenant)

Try to add Sites.Read.All Application permission in your registrated AAD Application and do admin consent for it before you getting token.
If you're using AAD v1 endpoint, you can do admin consent by clicking Grant permissions button.If you're using v2 endpoint, please input this kind of URL in your internet browser to do admin grant:

https://login.microsoftonline.com/{yourtenant}/adminconsent?client_id={the applicationid of your client}&state=123&redirect_uri={the redirect uri of your app}

and sign in with Global admin account and accept this permission.

In my test lab, I used v2 endpoint.Here is the token I got via Postman:

Here is decoded token in https://jwt.ms , we can decoded the token to ensure it has the permissions we want.

Then I use this token in the head to call Microsoft Graph API and succeeded:

For more detials about Site permission for Microsoft Graph, please refer to this documentation.

Please let me know if this helps!

Microsoft graph and Azure Ad user authentication

1 Answers