0
votes

I am following the steps described here: https://docs.microsoft.com/en-us/graph/auth-v2-service

I registered a mock app and added app permissions to Graph. None of the permissions require Admin Consent, so I skipped that step. I then called the API (from Postman) https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token using client_id, scope, client_secret, grant_type. For 'scope' I use 'https://graph.microsoft.com/.default' and for 'grant_type' the value is 'client_credentials'. I get the error:

"error": "invalid_request",
  "error_description": "AADSTS9002331: Application 'xxxxxxxxxxx' is configured for use by Microsoft Account users only. Please use the /consumers endpoint to serve this request.\r\nTrace ID: 67375d76-2f9d-4fb1-b1dd-3286fad85a00\r\nCorrelation ID: e217e9ff-2696-495f-9657-f2bb1d7066cf\r\nTimestamp: 2020-09-18 07:46:39Z",
  "error_codes": [
    9002331

What am I missing?

2
Can you please try with curl: curl -X POST -d "grant_type=client_credentials&client_id=clientid&client_secret=secret&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" https://login.microsoftonline.com/tenantid/oauth2/v2.0/token and let us know if it helps? - Sruthi J
What are you trying to achieve? While using client credentials flow, you need app permissions that require admin consent, from what I know. - Thomas
During app registration, did you enable support for all account types as documented here in step 3? Could you please confirm? - Nikitha-MSFT
@Nikitha-MSFT I selected Microsoft Personal accounts only. The link that you sent is not available on the relevant docs. I can try if you say so (by registering another app). Also I believe admin consent is not needed for my use case where I want an app which uses its own identity (does not need to sign-in on behalf of a user). - NKM
Using 'curl' I get the same error. - NKM

2 Answers

1
votes

Personal accounts that are used to sign in to services like Xbox and Skype.

Daemon applications can be used only with Azure AD organizations. Please don't use daemon applications to manipulate Microsoft's personal accounts. Admin consent will never be granted. Please refer to this document.

To know more details on account types, please refer to this document.

For how to register the app to use the client credential flow, please follow this document.
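
A small diagnostic helper for the error discussed above, added here as an example (it is not code from the question, the answers or Microsoft). It splits the token endpoint's error body into its AADSTS code, trace ID, correlation ID and timestamp, attaches the explanation given in this answer, and masks client_secret in a request body before it is pasted into a ticket or forum post. The function names and the hint table are assumptions of this example; the sample body is constructed from the error quoted in the question.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the error body quoted in the question, app id placeholder kept.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": (
        "AADSTS9002331: Application 'xxxxxxxxxxx' is configured for use by "
        "Microsoft Account users only. Please use the /consumers endpoint to "
        "serve this request.\r\nTrace ID: 67375d76-2f9d-4fb1-b1dd-3286fad85a00"
        "\r\nCorrelation ID: e217e9ff-2696-495f-9657-f2bb1d7066cf"
        "\r\nTimestamp: 2020-09-18 07:46:39Z"),
    "error_codes": [9002331],
})

# Hint table (assumption of this example), worded from the answer on this page.
HINTS = {
    9002331: "App is registered for personal Microsoft accounts only; daemon "
             "(client_credentials) apps can be used only with Azure AD "
             "organizations. Check the supported account types.",
}

def parse_token_error(body):
    """Split a token-endpoint error body into code, message and trace fields."""
    doc = json.loads(body)
    lines = doc.get("error_description", "").splitlines()
    fields = {"error": doc.get("error"),
              "codes": list(doc.get("error_codes", [])),
              "message": lines[0] if lines else ""}
    # Remaining lines look like "Trace ID: <value>"; keep them as snake_case keys.
    for line in lines[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.lower().replace(" ", "_")] = value
    # Fall back to the AADSTS prefix if error_codes was missing or truncated.
    m = re.match(r"AADSTS(\d+):", fields["message"])
    if m and int(m.group(1)) not in fields["codes"]:
        fields["codes"].append(int(m.group(1)))
    fields["hints"] = [HINTS[c] for c in fields["codes"] if c in HINTS]
    return fields

def redact_form(form_body, secret_keys=("client_secret",)):
    """Mask secret values in a form-encoded token request before sharing it."""
    pairs = parse_qsl(form_body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in secret_keys else v)
                      for k, v in pairs])
```

The trace ID, correlation ID and timestamp are the values a support engineer asks for; the client secret is the one value that should never leave the machine.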

0
votes

To get a Bearer token from the MS Graph API with grant_type client_credentials, the curl command below worked for me. Replace the relevant values with yours in the curl command below. This doesn't require, or I didn't provide, any delegated or application permissions to get this bearer token.

curl --location --request POST 'https://login.microsoftonline.com/{tenant_ID}/oauth2/v2.0/token' --header 'Content-Type: application/x-www-form-urlencoded'  --data-urlencode 'grant_type=client_credentials' --data-urlencode 'client_id={client_id}' --data-urlencode 'client_secret={client_secret}' --data-urlencode 'scope=https://graph.microsoft.com/.default'