
I'm trying to use the Azure Graph API to fetch the users having a particular role. The code snippet below shows how I generated the authToken:

    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // ADAL client-credential flow. The resource passed to AcquireTokenAsync decides the
    // token's audience (aud claim), so _resAzureGraphAPI must name the API being called.
    private string GetAccessToken()
    {
        var authenticationContext = new AuthenticationContext(_authString, false);
        var clientCred = new ClientCredential(_clientId, _clientSecret);
        // Reuse the cached token unless none exists or a fresh acquisition is requested
        if (_authenticationResult == null || CanAcquireToken)
        {
            _authenticationResult = authenticationContext
                .AcquireTokenAsync(_resAzureGraphAPI, clientCred)
                .GetAwaiter().GetResult();
        }
        return _authenticationResult.AccessToken;
    }

Snapshot of the list of permissions the Graph API has on my application (image: GraphAPI permissions on application).

I did my reading from https://docs.microsoft.com/en-us/graph/api/rbacapplication-list-roleassignments?view=graph-rest-beta&tabs=http to understand the API endpoint and the required set of permissions for the Graph API on the corresponding appRegistration.

I have provided the graph API with required permission set on the application which is under review. However, the API request to

https://graph.microsoft.com/{{beta}}/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{{roleDefnId-Guid}}'

always keeps failing with the error details

Access token validation failure. Invalid audience

Note: the generated auth token successfully fetches info for the calls mentioned at "https://docs.microsoft.com/en-us/graph/api/approleassignment-get?view=graph-rest-beta&tabs=http".

How did you generate the token? Could you update the steps in your question? – Joy Wang-MSFT

Hey Joy, I have edited my post with the authToken generation code snippet and the list of permissions I have provisioned to the GraphAPI on the application. – Jitesh Jumani

BTW, https://graph.microsoft.com/{{beta}}/ should be https://graph.microsoft.com/beta/. Did you use the correct one? – Joy Wang-MSFT

The entire URL I was referring to was "graph.microsoft.com/beta/roleManagement/directory/… eq 'Guid'". For this I have a doubt: how would it check for the right application I'm referring to? – Jitesh Jumani

Check my answer, any update? – Joy Wang-MSFT

1 Answer


The permission of your app is correct; the Directory.ReadWrite.All application permission is enough. I also tested your code, and it works fine.

Make sure the _resAzureGraphAPI in your code is https://graph.microsoft.com (just confirm it again; I know that if it were wrong, you would not be able to call the API in your Note). I can reproduce your issue with a wrong one, e.g. https://graph.windows.net.

If the _resAzureGraphAPI is correct, decode your token at https://jwt.io/ and see whether it is the same as below.

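The audience check the answer describes, as an added example that is not part of the original question or answer: it base64url-decodes the JWT payload (the same view jwt.io gives) and reports whether `aud` names Microsoft Graph and whether the `roles` claim carries Directory.ReadWrite.All. The two tokens are constructed for the demonstration (unsigned, `alg` none) and the signature is not verified, so this is a diagnostic for the "Invalid audience" error, not a validation step.

```python
import base64
import json

# Audiences Microsoft Graph accepts: its resource URI or its well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this mirrors what jwt.io displays and is for diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_role: str = "Directory.ReadWrite.All") -> list:
    """List reasons Graph would reject this app-only token; an empty list means it looks right."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        # The 'Invalid audience' case: the token was minted for a different resource
        problems.append(f"aud is {aud!r}, expected one of {sorted(GRAPH_AUDIENCES)}")
    # Client-credential tokens carry application permissions in 'roles', not 'scp'
    if required_role not in claims.get("roles", []):
        problems.append(f"roles {claims.get('roles', [])} lacks {required_role}")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed sample tokens: one minted for Microsoft Graph, one for the legacy AAD Graph resource
GOOD_TOKEN = make_test_token({"aud": "https://graph.microsoft.com",
                              "roles": ["Directory.ReadWrite.All"]})
BAD_TOKEN = make_test_token({"aud": "https://graph.windows.net",
                             "roles": ["Directory.ReadWrite.All"]})
```

Run `check_graph_token` on a real token only after acquiring it; a non-empty list pointing at `aud` means the resource handed to AcquireTokenAsync, not the app's permission grant, is what to fix.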