1
votes

I am working on a daemon service that retrieves the list of contacts from Microsoft Graph and does not prompt the user for Microsoft authentication. However, I'm not able to retrieve the permissions I set in Microsoft Azure, even with admin consent granted.

I use Postman to generate a token with the following information.

https://login.microsoftonline.com/0835055b-8a00-4130-b07a-037430dd000d/oauth2/v2.0/token

The following JSON is the result I get:

{
    "token_type": "Bearer",
    "scope": "profile openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": "{MY_TOKEN_HERE}"
}

The token is generated successfully, but the token returned does not include the permission with granted admin consent that I set in MS Azure at portal.azure.com > Registered App > API Permission.

I have Microsoft Graph User.Read and Contacts.Read with green ticks under "admin consent required". See the image below:

[Image: Microsoft Azure - API Permission]

And without the scope, I'm not able to retrieve the list of contacts with the given token.

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again.",
        "innerError": {
            "request-id": "63a24a22-34f7-42a1-a9d5-d7aaf598f4d6",
            "date": "2019-07-01T02:59:15"
        }
    }

}

Is there anything I missed? I assumed that once the admin has granted consent, I should be able to include the API in the scopes to generate tokens.

I saw a similar issue here, but none of the solutions work for me: Microsoft graph API: Unable to fetch users with the generated access token

1
What API are you calling? I can see that you added User.Read in delegated permissions, which cannot be obtained in an access_token via the client_credentials flow. You need to add Application permissions for the client_credentials flow. (Wayne Yang)

You can also use https://jwt.ms to decode your access token for debugging purposes to check whether it contains enough permissions. For user delegated permissions, they're in the scp claim; for application permissions, they're in the roles claim. Reference: docs.microsoft.com/en-us/azure/active-directory/develop/… (Wayne Yang)

@Wayne, Thanks for replying! I'm trying to call "graph.microsoft.com/v1.0/me/contacts" but it returns AccessDenied. I also tried to use jwt.ms but I don't see the scope "Contacts.Read" in it. (Bluey Blue)

I have Graph -> Contacts.Read under Application Permissions, but it didn't show up in my scopes. I don't have a [roles] claim either. (Bluey Blue)

Thanks for your information. May I know whether you have consented to those permissions already? If not, please use a global admin account to click the Grant admin consent button in your app registration. (Wayne Yang)

1 Answer

1
votes

Based on your screenshot, the Contacts.Read you granted is an application permission, and you have only one delegated permission: User.Read.

However, if you want to call the Graph API graph.microsoft.com/v1.0/me/contacts, you need to use a delegated permission. It represents the user, so you can get the information for "me". And based on the official documentation, you need to grant the Contacts.Read (Contacts.ReadWrite for writing) delegated permission.


If you want to use an application permission, you need to get the access token with the client credentials flow. A token obtained this way can be used for application permissions, and you should call the API as follows: graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts
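The check Wayne describes (decode the token, look for the permission in scp or roles) and the endpoint choice from the answer above, as an added example that is not part of the original question or answer. It builds the client credentials token request for the v2.0 endpoint (scope must be the resource's /.default, not an individual permission), decodes a JWT payload without verifying its signature (a debugging check only, equivalent to pasting the token into jwt.ms, not an authorization decision), and picks /me/contacts or /users/{user}/contacts according to which permission type the token actually carries. The tenant id, client id, secret and user principal name are placeholders, and the tokens the test feeds in are constructed unsigned JWTs, not real Azure AD tokens. One further caveat worth knowing: a client credentials response from the v2.0 endpoint carries no scope field, so a response like the one in the question, with a scope list, came from a delegated (user) grant.

```python
"""
Added example (not from the original post): check which kind of Microsoft Graph
permission an access token carries and call the matching endpoint.

Placeholders: TENANT_ID, CLIENT_ID, CLIENT_SECRET and the user principal name.
jwt_payload() does NOT verify the signature; it is a client-side debugging aid.
"""
import base64
import json
import urllib.parse
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Return (token endpoint URL, form-encoded body) for the client credentials grant.

    The scope must be the resource's /.default. Individual permissions such as
    Contacts.Read are not accepted by the v2.0 endpoint for this grant; the
    application permissions that admin consent granted show up in 'roles'.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    })
    return url, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> Dict:
    """Decode the payload (second segment) of a compact JWT. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(token: str) -> Tuple[List[str], List[str]]:
    """Return (application permissions from 'roles', delegated permissions from 'scp')."""
    payload = jwt_payload(token)
    roles = list(payload.get("roles", []))
    scp = payload.get("scp", "")
    delegated = scp.split() if isinstance(scp, str) else list(scp)
    return roles, delegated


def contacts_endpoint(token: str, user: str, required: str = "Contacts.Read") -> str:
    """Pick the Graph URL that matches the permission type present in the token.

    Delegated permission  -> /me/contacts (the token represents a signed-in user).
    Application permission -> /users/{user}/contacts (no user; name the mailbox).
    Raises PermissionError when neither form is present, which is the situation
    behind the ErrorAccessDenied response in the question.
    """
    roles, delegated = token_permissions(token)
    if required in delegated:
        return f"{GRAPH}/v1.0/me/contacts"
    if required in roles:
        return f"{GRAPH}/v1.0/users/{user}/contacts"
    raise PermissionError(
        f"token carries neither delegated nor application {required}; roles={roles} scp={delegated}"
    )


def make_unsigned_token(payload: Dict) -> str:
    """Constructed test token (alg=none, empty signature) only for exercising the checks above."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    url, body = client_credentials_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
    print("POST", url)
    print(body)
    app_token = make_unsigned_token({"aud": GRAPH, "roles": ["Contacts.Read"]})
    print(contacts_endpoint(app_token, "alice@contoso.example"))
```

To use it against a real tenant, POST the body from client_credentials_request() to the URL it returns, feed the access_token from the response into contacts_endpoint(), and send a GET to the returned URL with an Authorization: Bearer header. If contacts_endpoint() raises, the roles/scp it prints tell you whether the app registration is missing the application permission, whether admin consent has not been granted, or whether the token came from a delegated flow that only asked for User.Read.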