0
votes

I'm using the Microsoft Office 365 REST API to read calendar items from Office 365 and Outlook.com accounts. It works well.

Now, I need to read the same from Office 365 Deutschland accounts. That doesn't work.

I already found out the following:

  1. Use another endpoint for login
     International: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
     Deutschland: https://login.microsoftonline.de/common/oauth2/authorize

  2. Use another endpoint for the REST API
     International: https://outlook.office.com/api/v2.0/me/calendar/events
     Deutschland: https://outlook.office.de/api/v2.0/me/calendar/events

  3. Need another ClientID/ClientSecret
     International: https://apps.dev.microsoft.com
     Deutschland: https://portal.microsoftazure.de

  4. Use different oauth2 scope
     International: offline_access https://outlook.office.com/Calendars.Read
     Deutschland: offline_access openid https://outlook.office.de/Calendars.Read


With all that, I can get an OAuth2 access token. But when I call

https://outlook.office.de/api/v2.0/me

or

https://outlook.office.de/api/v2.0/me/calendarview?startDateTime=2018-01-01T01:00:00&endDateTime=2018-10-31T23:00:00

with that token, I only get the following error:

Request Headers:
cache-control:"no-cache"
postman-token:"b765d2d1-9ffc-4016-8216-38678af4f245"
authorization:"Bearer AQA*** snip for security***gAA"
user-agent:"PostmanRuntime/7.1.5"
accept:"*/*"
host:"outlook.office.de"
cookie:"ClientId=DFDA316304974E36A43D11CF7BB6D8A3; OIDC=1; OpenIdConnect.nonce.v3.y7kDkk7dHuGjDZ9PZ_xiLj0CjfuLbQt629j5MuTcNp8=636667242602536754.c00ff4a6-e523-4dff-b1ce-24d1d024ce67"
accept-encoding:"gzip, deflate"

Response Headers:
server:"Microsoft-IIS/10.0"
request-id:"e59f5e5e-0980-4914-9087-064270bdd233"
x-calculatedfetarget:"LEJPR01CU002.internal.outlook.com"
x-backendhttpstatus:
0:"401"
1:"401"
x-feproxyinfo:"LEJPR01CA0057.DEUPRD01.PROD.OUTLOOK.DE"
x-calculatedbetarget:"FRXPR01MB0456.DEUPRD01.PROD.OUTLOOK.DE"
x-rum-validated:"1"
x-ms-diagnostics:"2000010;reason="ErrorCode: 'PP_E_RPS_INVALIDCONFIG'. Message: 'Invalid configuration. Check event log for actions.%0d%0a Internal error: Config directory does not exist; config directory must exist and be an absolute path:C:\Program Files\Microsoft Passport RPS\LiveIdConfig.'";error_category="invalid_msa_ticket""
x-besku:"Gen8"
x-diaginfo:"FRXPR01MB0456"
x-beserver:"FRXPR01MB0456"
x-feserver:
0:"LEJPR01CA0057"
1:"FRAPR01CA0084"
x-powered-by:"ASP.NET"
www-authenticate:"Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0003-0000-c000-000000000000@*,00000002-0000-0ff1-ce00-100000000002@84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.microsoftonline.de/common/oauth2/authorize", error="invalid_token",Basic Realm="",Basic Realm="",Basic Realm="""
date:"Mon, 09 Jul 2018 09:46:28 GMT"
content-length:"0"
Response Body:

  1. What am I doing wrong?
  2. What does PP_E_RPS_INVALIDCONFIG mean?
  3. Where can I create the directory C:\Program Files\Microsoft Passport RPS\LiveIdConfig?

1 Answer

0
votes

The problem was the token. It was visually fine, but inside it was not.

With Office 365 Deutschland, you have to use the Azure Active Directory authentication endpoint V1.0 (no version number in the endpoint URL means V1.0). For International, you should use the V2.0 endpoint.

The V2 endpoint wants the resource hint in the scope: https://outlook.office.com/Calendars.Read. The V1 endpoint ignores the scope (and the resource hint in it) and wants an additional OAuth2 URI parameter called resource. The errors didn't point me in the right direction.

But it was documented (badly) at this point.

resource (recommended):
The App ID URI of the target web API (secured resource). To find the App ID URI, in the Azure Portal, click Azure Active Directory, click Application registrations, open the application's Settings page, then click Properties. It may also be an external resource like https://graph.microsoft.com. This is required in one of either the authorization or token requests. To ensure fewer authentication prompts place it in the authorization request to ensure consent is received from the user.

I think it should say required with V1.0.

Here is my working authorization endpoint call:

https://login.microsoftonline.de/common/oauth2/authorize?response_type=code&client_id=c9000000-0000-0000-0000-000000000007&redirect_uri=http://localhost:11184/&state=1P3S9RvgQyfd3xLXmbhPcYD12aNHYkBF&scope=offline_access%20Calendars.Read&resource=https://outlook.office.de

By the way: If you use the resource parameter with the V2.0 endpoint, it gives you the error:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=6262047e-0000-0000-0000-000000000007&redirect_uri=http://localhost:11184/&state=2pSIj7o7dJJ0bGIv0p1ZfRjK6DV2duwM&scope=offline_access%20https://outlook.office.com/Calendars.Read&resource=https://outlook.office.com

AADSTS90100: The 'resource' request parameter is not supported.
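As an added example (not code from the question or the answer above), the following Python builds the authorize URL for each cloud using the endpoints and scopes stated on this page, sending the resource parameter only to the V1.0 endpoint, and checks an existing URL for the two mix-ups the answer describes (resource on V2.0, no resource on V1.0) plus a missing state parameter. The cloud names, the client_id/redirect_uri/state values and the function names are assumptions for the example.

```python
# Added example, not from the original post: authorize-URL builder and checker
# for the International (V2.0) and Deutschland (V1.0) Azure AD endpoints.
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints as given on the page; the scope lists are the ones reported working.
CLOUDS = {
    "international": {  # V2.0 endpoint: the resource hint travels inside the scope
        "authority": "https://login.microsoftonline.com/common/oauth2/v2.0",
        "api": "https://outlook.office.com",
        "scopes": ["offline_access", "https://outlook.office.com/Calendars.Read"],
    },
    "germany": {  # V1.0 endpoint (no version in the path): needs the resource parameter
        "authority": "https://login.microsoftonline.de/common/oauth2",
        "api": "https://outlook.office.de",
        "scopes": ["offline_access", "Calendars.Read"],
    },
}


def is_v2(authority):
    """True when the authority URL is the V2.0 endpoint (path ends in /v2.0)."""
    return authority.rstrip("/").endswith("/v2.0")


def build_authorize_url(cloud, client_id, redirect_uri, state):
    cfg = CLOUDS[cloud]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # binds the callback to this session; always send it
        "scope": " ".join(cfg["scopes"]),
    }
    if not is_v2(cfg["authority"]):
        # V1 ignores the hint inside scope and reads the target API from here instead
        params["resource"] = cfg["api"]
    return cfg["authority"] + "/authorize?" + urlencode(params)


def check_authorize_url(url):
    """Return a list of problems; an empty list means the request fits its endpoint version."""
    parts = urlsplit(url)
    authority = parts.scheme + "://" + parts.netloc + parts.path.rsplit("/authorize", 1)[0]
    q = parse_qs(parts.query)
    problems = []
    if is_v2(authority) and "resource" in q:
        problems.append("resource parameter on V2.0 endpoint (AADSTS90100)")
    if not is_v2(authority) and "resource" not in q:
        problems.append("V1.0 endpoint without resource: token will not be accepted by the API")
    if "state" not in q:
        problems.append("missing state parameter")
    return problems
```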