0
votes

I am trying to get a list of contacts via Graph API. In portal.azure.com I went to App registrations and did a new registration. I created secrets and added permissions (picture below).

I am connecting to Graph API with this code

# Client credentials flow: the app authenticates as itself, not as a user
$Body = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'scope' = 'https://graph.microsoft.com/.default'
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
}

$Params = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $Body
    'ContentType' = 'application/x-www-form-urlencoded'
}

# Request the app-only access token
$AuthResponse = Invoke-RestMethod @Params

$Headers = @{
    'Authorization' = "Bearer $($AuthResponse.access_token)"
}

# Call Graph with the bearer token
$Result = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users' -Headers $Headers

However I get the error message

Invoke-RestMethod : { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2020-09-04T17:54:13", "request-id": "2113f712-f022-4ebc-8263-d26c469840d0" } } }
At line:31 char:11
+ $Result = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/us ...
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

I assume when I get the user ID then I should be able to call https://graph.microsoft.com/v1.0/users/ID/contacts API and I should be able to create/delete contacts. What am I missing or how can I achieve it please?

1
With any of Directory.Read.All and User.Read.All I had access to that call. Can you double check in the API Permissions page and confirm that the Status column shows Granted for Org? If not, you need to click the Grant admin consent for Org button on that page each time you change the permissions in order for the newly selected permission to take effect. If the application is registered in a different directory than the one it is used against, you will need to give admin consent too (by building the special admin consent URL). - Sage Pourpre

Thanks Sage, there is the issue. I have only a standard Outlook.com account and I cannot consent the app. I changed the type to delegated access but am struggling to get an access token. Do you know by any chance how it can be accessed? Thanks - triskac

Ha, I missed the Outlook part. I am used to working more with Azure orgs. Yeah, I think my answer below will sort your issue. - Sage Pourpre

1 Answer

0
votes

Edit: I don't believe my answer is accurate as the "Me" endpoint won't work with the client_credential flow.

Original answer --

The Users endpoint is to query all users in your organization, which is different from contacts.

To get your outlook.com contacts, your application needs one of the following delegated permissions granted to it:

  • OrgContact.Read.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All

The endpoint you will be using is: https://graph.microsoft.com/v1.0/me/contacts

You can experiment with the different endpoints in Microsoft Graph Explorer. The website will also inform you of the required permissions for each call (through the Modify permissions tab) and give you insights into all aspects of the call itself.
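Since /me only works with a token issued for a signed-in user, here is an added PowerShell example (not code from the question or the answer above) that obtains a delegated token with the OAuth 2.0 device code flow and then calls /me/contacts. It assumes the app registration has "Allow public client flows" enabled, that the signed-in account is a personal outlook.com account (hence the `consumers` tenant), and that Contacts.Read is the delegated Graph permission requested; `$ClientId` is a placeholder you fill in.

```powershell
# Added example: delegated token via device code flow, then /me/contacts.
# Assumptions: public client flows enabled on the app registration, personal
# (outlook.com) account, Contacts.Read delegated permission. Placeholder below.
$ClientId = '<client-id-placeholder>'
$Tenant   = 'consumers'   # use 'common' to also accept work/school accounts
$Scope    = 'https://graph.microsoft.com/Contacts.Read offline_access'

# Step 1: request a device code. The response carries a user_code and a
# verification URL that the user opens in any browser to sign in and consent.
$DeviceCode = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/devicecode" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ client_id = $ClientId; scope = $Scope }
Write-Host $DeviceCode.message   # e.g. "To sign in, use a web browser to open ... and enter the code ..."

# Step 2: poll the token endpoint until the user finishes signing in.
# 'authorization_pending' means "not yet"; 'slow_down' means back off; anything else is fatal.
$TokenBody = @{
    grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
    client_id   = $ClientId
    device_code = $DeviceCode.device_code
}
$Interval = [int]$DeviceCode.interval
$Token = $null
while (-not $Token) {
    Start-Sleep -Seconds $Interval
    try {
        $Token = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token" `
            -ContentType 'application/x-www-form-urlencoded' -Body $TokenBody
    } catch {
        $ErrCode = ($_.ErrorDetails.Message | ConvertFrom-Json).error
        if ($ErrCode -eq 'slow_down') { $Interval += 5; continue }
        if ($ErrCode -ne 'authorization_pending') { throw "Token request failed: $ErrCode" }
    }
}

# Step 3: the token now represents the signed-in user, so /me resolves to that user.
$Headers  = @{ Authorization = "Bearer $($Token.access_token)" }
$Contacts = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me/contacts' -Headers $Headers
$Contacts.value | Select-Object displayName, emailAddresses
```

The token carries only the scopes the user consented to, so a request outside Contacts.Read fails with the same Authorization_RequestDenied error shown in the question rather than silently succeeding.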