1
votes

So basically I need to access the contacts of an Office 365 user. I use the Microsoft Graph API and I can successfully get all the contacts via an HTTP GET in a JSON. But now I'm trying to write a JSON to the https://graph.microsoft.com/v1.0/me/contacts API with an HTTP POST, but I get a 403 - Permission Denied every time. So I went to https://jwt.io/ and checked my access token and saw that I don't have the permissions to write to the contacts.

I get those permissions:

"scp": "Contacts.Read openid profile User.Read"

Even though I only set Contacts.ReadWrite in the App Registration settings on the Azure portal.


I've tried updating the permissions but that didn't help.


1 Answer

0
votes

If you have changed the permissions, users need to consent again.


You can force user consent through a URL request: append &prompt=consent to the authentication request URL.

https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id={your_client_id}
&response_type=code
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
&prompt=consent

Or you can just grant consent on behalf of all users in this directory. Granting admin consent for all users means that end users will not be shown a consent screen when using the application.

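A local way to run the check described in the question, as an added example that is not part of the original question or answer: it decodes the access token's `scp` claim offline, reports whether Contacts.ReadWrite is missing before the POST is attempted, and rebuilds the answer's consent URL. The sample token, the tenant and client id placeholders, and all function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the claims segment locally. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def missing_scopes(token: str, required: set) -> set:
    """Required delegated scopes that are absent from the token's 'scp' claim."""
    granted = set(jwt_claims(token).get("scp", "").split())
    return set(required) - granted


def consent_url(tenant: str, client_id: str, state: str) -> str:
    """The answer's authorization request, with prompt=consent to force re-consent."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "resource": "https://graph.microsoft.com",
        "state": state,
        "prompt": "consent",
    })
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{query}"


# Constructed sample token carrying the scp value from the question (not a real token).
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url(json.dumps({"scp": "Contacts.Read openid profile User.Read"}).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    gap = missing_scopes(SAMPLE_TOKEN, {"Contacts.ReadWrite"})
    if gap:
        print("token lacks:", ", ".join(sorted(gap)))
        print("re-consent at:", consent_url("TENANT_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "12345"))
```

The scope comparison is exact, so a token holding only Contacts.Read is reported as lacking Contacts.ReadWrite, which matches the 403 on POST.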