0
votes

We are using the /v1.0/me/people API to get Relevant People for the user from MS Graph. The current setup has been working from October, 2017 to April, 2018 and now the API calls are returning 403 Forbidden. What I found is that this API now requires the People.Read scope to work (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_list_people). My current token has scopes: User.Read User.Read.All User.ReadBasic.All. I have tried to modify the permissions in App Registrations from the Azure Portal and have saved with this permission under MS Graph - "Delegated Permissions": "Read users' relevant people lists". But still my token does not seem to have the People.Read scope. And the Graph API is returning 403.

Attaching a sample of my JWT token as well : eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEWHpaM2lmci1HUmJEVDQ1ek5TRUZFTE8wUnB0OU16N19TX3BRVC1VeFBld0kxQndycmd3OGdHc1Y5b054R1h2eFA2WXhITlB5cWE3aTFDNzFsRkVQclltUmdnczRySnhPNzlFRmlqV0lnZmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiN19adWYxdHZrd0x4WWFIUzNxNmxValVZSUd3Iiwia2lkIjoiN19adWYxdHZrd0x4WWFIUzNxNmxValVZSUd3In0.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.Wf6Q51AwRIpliIn-3iyyAP9JFQONvc-5ij60gHjp9WJGzJY2BMDudQNRLTo8VTNhbOr7zSEjZkC1eKikumDpsoD0wblemCfpb56jNPLe8SFCHdqbtnxQGu-KHLp4io40-QPYfVnzvKRG9ZV-xauxorjXSeIx6W6rHNz3WR6Gmz5KwR-fqlutN-8yWYu_LK1S0bkuQOPGO3tGYp2cZnwbOverv3O0ZBeYAkNC_N1ssLES4dElzp_YieU3w7F5RqJbdQmQKwBgH4UJf_YSlzGnUQNqmIgpdK3jFtTP-IbvFIVDNcIElViFwa0zmQLAPilcbxr6gtFWI72sFlDxDPpI_Q

3
I am not sure if you want to publish your access token publicly. It contains data such as IP addresses, users' e-mail or your tenant ID. Just a friendly hint as I'm not sure if you are comfortable with it. – Karlheinz Reinhardt
Have you tried to test it in the Microsoft Graph Explorer? – Tom Sun - MSFT

3 Answers

2
votes

Every time you change the permissions of your app the Authorization- or Admin-Consent has to be repeated.
This is for security reasons so no App can silently obtain more rights and spy/harm users.

It seems that the Authorization-Request was not repeated, as you still have all your old permissions.

I don't know how you generate your access token, but you are most likely using a refresh token, as in this way of generating an access token the user does not reauthorize your app, thus the authorization was never repeated with your newly added permissions.

If this applies to you, try to repeat your consent, then fetch a new token (just to be sure this is not done over the refresh token) and check if the problem still persists.

0
votes

Sometimes when changing permissions after registering an app, token caching causes your app to use an old token. The easiest way to fix this is to log out in your application and go back to your login page; in the address bar add '&prompt=consent' at the very end (so login.microsoftonline.com/blabla&prompt=consent) and hit enter. You will now be prompted to give your consent again when logging in.

Also be careful with sharing your token online, you can use jwt.ms to reveal the data behind your token and simply copy paste the relevant stuff here.

0
votes

For a while the /me/people API was accepting User.Read. It was updated at around the time you mentioned so that it matches its documentation which requires either People.Read or People.Read.All depending on the call you are making.
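The three answers above amount to one practical check: read the `scp` claim of the token you actually send to Graph, see whether it carries `People.Read` or `People.Read.All`, and if not, send the user back through the authorize endpoint with `prompt=consent` rather than relying on a refresh token (which only ever returns the scopes that were consented to originally). The following Python is an added example written for this page, not code from any of the answers or from Microsoft. The sample token is constructed inline (it is unsigned and only decodable, like what jwt.ms shows you), and the tenant, client id and redirect URI are placeholder assumptions; the v2.0 authorize endpoint and the `scp` claim name are real.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD v2.0 authorize endpoint; the tenant segment is filled in per call.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Scopes the /me/people documentation accepts (either one suffices for the
# basic call, as the last answer notes).
PEOPLE_SCOPES = {"People.Read", "People.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    """Inverse of _b64url_decode; used only to build the constructed sample."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(scp: str) -> str:
    """Build a CONSTRUCTED, unsigned JWT carrying the given 'scp' claim.

    The signature segment is a dummy; this exists so the example runs offline.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": "https://graph.microsoft.com",
                                         "scp": scp}).encode())
    return f"{header}.{payload}.not-a-real-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is an inspection aid (the same thing jwt.ms does); an unverified
    decode must never drive an authorization decision in your own service.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated permissions appear as a space-separated list in 'scp'."""
    return set(claims.get("scp", "").split())


def missing_people_scope(token: str) -> bool:
    """True when the token carries neither People.Read nor People.Read.All,
    i.e. /me/people will answer 403 no matter what the app registration says."""
    return not (granted_scopes(decode_claims(token)) & PEOPLE_SCOPES)


def consent_url(tenant: str, client_id: str, redirect_uri: str, scopes,
                state: str = "constructed-state") -> str:
    """Authorize URL with prompt=consent, forcing the consent screen so the
    newly added permission is actually granted; a refresh-token exchange
    would keep returning the old scope set."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "prompt": "consent",
        "state": state,
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed token mirroring the scopes listed in the question.
    stale = make_sample_token("User.Read User.Read.All User.ReadBasic.All")
    print("scp:", granted_scopes(decode_claims(stale)))
    if missing_people_scope(stale):
        # Placeholder tenant/client/redirect values; substitute your own.
        print("re-consent at:", consent_url(
            "common", "00000000-0000-0000-0000-000000000000",
            "https://localhost/callback", {"User.Read", "People.Read"}))
```

Run it against the real token from your application (never paste that token anywhere public) by replacing the constructed `stale` value; if `scp` still lacks `People.Read` after the app registration was updated, the consent was never repeated, and the URL printed is the `&prompt=consent` login the second answer describes.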