I am trying to get all the policies possible for a tenant using the Microsoft Graph API.

Currently, I am running into an issue with a request to this endpoint: https://graph.microsoft.com/beta/policies/authenticationFlowsPolicy

I am using an application registered in my tenant and have given it the necessary Policy.ReadAll and Policy.ReadWrite.AuthenticationFlows permission as defined in the docs.

Here's what my API permissions look like in the Azure Portal:

However, I get this weird error:

{
  "error": {
    "code": "AADB2C",
    "message": "User Authorization: Access is denied.",
    "innerError": {
      "correlationId": "42c3423b-b1a3-42ee-9868-c3d18bbe0e8b",
      "date": "2021-01-14T18:45:11",
      "request-id": "6c9015d2-e320-41b5-85cf-0199b54d1198",
      "client-request-id": "6c9015d2-e320-41b5-85cf-0199b54d1198"
    }
  }
}

My tenant is not a B2C tenant, so what is this?

Interesting things I've noticed: when I use Graph Explorer logged in as a global admin, I am able to query that endpoint. This is the response I get:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationFlowsPolicy/$entity",
    "id": "authenticationFlowsPolicy",
    "displayName": "Authentication flows policy",
    "description": "Authentication flows policy allows modification of settings related to authentication flows in AAD tenant, such as self-service sign up configuration.",
    "selfServiceSignUp": {
        "isEnabled": false
    }
}

The web application I'm developing calls Microsoft Graph to get an access token using the client_credentials grant_type. I use the Application ID and Application Secret to get an access token to perform these requests.

Anyone know what might be my issue, and how I could solve this? I have not been able to find a clear answer or explanation as to why this request isn't working.

Edit:

Here is what my JWT looks like for the application:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "iat": 1610670358,
  "nbf": 1610670358,
  "exp": 1610674258,
  "aio": "E2JgYDi/9NvXFY4udyr5X/xm9p/sBQA=",
  "app_displayname": "ucic-endpoint",
  "appid": "f55c9031-dec0-47c4-8d25-b61c7dd1cc48",
  "appidacr": "1",
  "idp": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "idtyp": "app",
  "oid": "49f39001-30d5-42cf-8754-f4d2502c4d22",
  "rh": "0.AAAAh9ITK3P8xEaYAwxMwPuHBzGQXPXA3sRHjSW2HH3RzEhSAAA.",
  "roles": [
    "User.ReadWrite.All",
    "Policy.ReadWrite.AuthenticationFlows",
    "Policy.ReadWrite.ApplicationConfiguration",
    "Directory.ReadWrite.All",
    "User.Invite.All",
    "User.Read.All",
    "Policy.Read.All"
  ],
  "sub": "49f39001-30d5-42cf-8754-f4d2502c4d22",
  "tenant_region_scope": "NA",
  "tid": "2b13d287-fc73-46c4-9803-0c4cc0fb8707",
  "uti": "YD03wmyyvUO86aVsJ4AEAA",
  "ver": "1.0",
  "xms_tcdt": 1585168975
}

This is what the access token looks like when I perform the request from Graph Explorer:

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/2b13d287-fc73-46c4-9803-0c4cc0fb8707/",
  "iat": 1610669274,
  "nbf": 1610669274,
  "exp": 1610673174,
  "acct": 0,
  "acr": "1",
  "acrs": [
    "urn:user:registersecurityinfo",
    "urn:microsoft:req1",
    "urn:microsoft:req2",
    "urn:microsoft:req3",
    "c1",
    "c2",
    "c3",
    "c4",
    "c5",
    "c6",
    "c7",
    "c8",
    "c9",
    "c10",
    "c11",
    "c12",
    "c13",
    "c14",
    "c15",
    "c16",
    "c17",
    "c18",
    "c19",
    "c20",
    "c21",
    "c22",
    "c23",
    "c24",
    "c25"
  ],
  "aio": "ASQA2/8SAAAAgY7CqdLXB3yrB6Mys5jkqtPKVEgTHYgXYaeqYtBb4sY=",
  "amr": [
    "pwd"
  ],
  "app_displayname": "Graph explorer (official site)",
  "appid": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
  "appidacr": "0",
  "idtyp": "user",
  "ipaddr": "12.207.18.194",
  "name": "Administrator",
  "oid": "b2d12f10-42eb-44a7-ba56-76ed8d268055",
  "platf": "3",
  "puid": "10032000A881CA7C",
  "rh": "0.AAAAh9ITK3P8xEaYAwxMwPuHB7XIi9752bFIqK23SNpyUGRSAAw.",
  "scp": "Calendars.ReadWrite Chat.Read Chat.ReadBasic Contacts.ReadWrite DeviceManagementConfiguration.Read.All DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All DeviceManagementRBAC.Read.All DeviceManagementServiceConfig.Read.All Directory.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All IdentityRiskEvent.Read.All Mail.Read Mail.ReadWrite MailboxSettings.ReadWrite Notes.ReadWrite.All openid People.Read People.Read.All Place.Read Policy.Read.All Policy.Read.ConditionalAccess Policy.Read.PermissionGrant Policy.ReadWrite.ApplicationConfiguration Policy.ReadWrite.AuthenticationFlows Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.Authorization Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.ConsentRequest Policy.ReadWrite.DeviceConfiguration Policy.ReadWrite.FeatureRollout Policy.ReadWrite.PermissionGrant Policy.ReadWrite.TrustFramework Presence.Read Presence.Read.All profile Reports.Read.All Sites.ReadWrite.All Tasks.ReadWrite User.Export.All User.Invite.All User.ManageIdentities.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email",
  "sub": "Hi_D6BEuypaElwi2021X5VX6HfX-PXHEdghMXtKM21Q",
  "tenant_region_scope": "NA",
  "tid": "2b13d287-fc73-46c4-9803-0c4cc0fb8707",
  "unique_name": "[email protected]",
  "upn": "[email protected]",
  "uti": "rtRFD1UbsUmnTB-2DicBAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "O1oVLPpYMLQUaf1LY5lh99yUz56LH9dOZl1IWIMKlJw"
  },
  "xms_tcdt": 1585168975
}
Use jwt.ms to parse your access token and provide screenshots. - Carl Zhao

@CarlZhao I have updated my post to include those JWTs. The issue though, is that my application doesn't use delegated permissions. It uses application permissions. Doesn't Graph Explorer use delegated permissions? - deathcat05

Graph Explorer uses user/password flow, and it defaults to delegated permissions. - Carl Zhao

1 Answer

Regarding the AADB2C error: it is definitely necessary to log in the user, so you cannot use the daemon-based client_credentials grant_type, because it generally has no user interaction. You should use the auth code flow to obtain an access token, which requires you to log in the user and obtain the authorization code, then use the authorization code to redeem the access token.

By the way, I just used the client_credentials flow to do a test. It prompts me to log in as a user. This is strange because the document states that the application permissions can be used, so I think this may be an unknown error.

In addition, calling the API also requires the user to have an administrator role:

You must have one of the following user roles for access: External ID User Flow Administrator, External ID User Flow Attribute Administrator, External Identity Provider Administrator, Application Administrator, Security Administrator, Security Reader, Global Reader, Global Administrator.
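As an added example (not code from the question or the answer), here is a small Python diagnostic for the first check worth doing when Graph returns "Access is denied": decode the token and see whether it is app-only (client_credentials: idtyp=app, permissions in roles) or delegated (signed-in user: idtyp=user, permissions in scp, directory roles in wids), and whether the permission the docs list is actually present. The claim sets and the alg=none tokens are constructed for the example; the only values reused from the page are the two Graph audience forms and the first wids value of the posted Graph Explorer token.

```python
import base64
import json

# Both audience forms appear in the tokens posted above: the v1 URI form and Graph's app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Claims of a compact JWT. Signature NOT verified: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def classify_graph_token(claims: dict) -> dict:
    """App-only (client_credentials: idtyp=app, 'roles') vs delegated
    (signed-in user: idtyp=user, 'scp', 'wids')."""
    app_only = claims.get("idtyp") == "app" or ("roles" in claims and "scp" not in claims)
    perms = set(claims.get("roles", [])) if app_only else set(claims.get("scp", "").split())
    return {
        "kind": "app-only" if app_only else "delegated",
        "permissions": perms,
        "for_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "directory_roles": list(claims.get("wids", [])),  # user tokens only
    }

def check_permissions(claims: dict, required: set) -> str:
    """Say whether the token carries any permission the endpoint docs list."""
    info = classify_graph_token(claims)
    if not info["for_graph"]:
        return "token is not issued for Microsoft Graph (check 'aud')"
    if info["permissions"] & required:
        return f"{info['kind']} token carries a listed permission"
    return f"{info['kind']} token lacks all of {sorted(required)}"

def make_unsigned_jwt(claims: dict) -> str:
    """CONSTRUCTED token (alg=none, empty signature) so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed claim sets modelled on the two tokens in the question.
APP_CLAIMS = {"aud": "https://graph.microsoft.com", "idtyp": "app",
              "roles": ["Policy.Read.All", "Policy.ReadWrite.AuthenticationFlows"]}
USER_CLAIMS = {"aud": "00000003-0000-0000-c000-000000000000", "idtyp": "user",
               "scp": "openid Policy.Read.All Policy.ReadWrite.AuthenticationFlows",
               "wids": ["62e90394-69f5-4237-9190-012177145e10"]}
REQUIRED = {"Policy.Read.All", "Policy.ReadWrite.AuthenticationFlows"}
```

Both constructed tokens pass the permission check, which matches the question: the permission is present in both, so the denial is not a missing role or scope, and the remaining difference is the app-only versus delegated identity that the comments and the answer point at.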