0
votes

Trying to get Organization details in the Azure China region using Microsoft Graph APIs in Postman with device code authentication

The steps I am following in Postman are as below:

  1. Create a device code using the PowerShell client ID: https://login.chinacloudapi.cn/common/oauth2/v2.0/devicecode?client_id=1950a258-227b-4e31-a9cf-717495945fc2&scope=https://microsoftgraph.chinacloudapi.cn/.default

  2. Log in as Global Administrator from the browser using the received short code at https://microsoft.com/deviceloginchina

  3. Get the access token from https://login.chinacloudapi.cn/common/oauth2/v2.0/token using

    • grant_type = urn:ietf:params:oauth:grant-type:device_code
    • client_id = 1950a258-227b-4e31-a9cf-717495945fc2
    • device_code = "Device Code Received From First Request"

  4. Now trying to get the organization details using the access token received in the above step with the API https://microsoftgraph.chinacloudapi.cn/v1.0/organization

This request is failing with the following error:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2021-02-02T13:47:13",
            "request-id": "c94777b2-2af5-4827-812d-6399f9621ee3",
            "client-request-id": "c94777b2-2af5-4827-812d-6399f9621ee3"
        }
    }
}

It would be helpful if someone can point me to the failure reason for getting the organization details.

Note:

  1. I am able to get the response properly in Postman if I create the access token using the Azure CLI utility and use it in Postman.
  2. The Get organization API works with Graph Explorer (China) also.

Decoded access token screenshot: https://i.stack.imgur.com/npKG7.png

Use jwt.ms to parse your access token and provide screenshots. – Carl Zhao
Image link for the decoded access token screenshot: i.stack.imgur.com/npKG7.png – Mahesh Surkar
Try to grant Organization.Read.All delegated permission for your application. – Carl Zhao

2 Answers

0
votes

As your error message says, you lack the permission to read organization information. According to the screenshot of your token, you currently only have the permission to read audit log data.

Therefore, you need to grant the Organization.Read.All delegated permission to the application and grant admin consent for the permission. After that you will be able to call the API to read the organization information.
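An added Python example, not code from the question or from either answer, that does what the comment and this answer describe by hand: decode the access token's payload the way jwt.ms does (without verifying the signature, so it is an inspection aid only) and check whether the delegated scope this answer names, Organization.Read.All, is actually in the token's `scp` claim. The two sample tokens are constructed, unsigned fixtures built inline; the audience values are Microsoft Graph's well-known application ID and the Azure China Graph resource URL from the question, and treating the URL form as a valid `aud` is an assumption.

```python
import base64
import json

# Delegated permission this answer says GET /v1.0/organization requires.
REQUIRED_PERMISSION = "Organization.Read.All"

# Microsoft Graph's well-known application ID is the 'aud' of Graph tokens in every
# cloud; the URL form is the Azure China Graph resource from the question (assumed
# here to also appear as 'aud').
GRAPH_AUDIENCES = {
    "00000003-0000-0000-c000-000000000000",
    "https://microsoftgraph.chinacloudapi.cn",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Inverse of _b64url_decode, used only to build test fixtures."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This mirrors what jwt.ms shows: good for seeing which scopes a token carries,
    never for deciding whether to trust the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Delegated permissions are space separated in 'scp'; app-only ones are a
    list in 'roles'. Either kind can satisfy a Graph permission check."""
    delegated = set(claims.get("scp", "").split())
    app_only = set(claims.get("roles", []))
    return delegated | app_only


def explain_authorization(claims: dict, required: str = REQUIRED_PERMISSION) -> str:
    """Predict Graph's verdict for a call that needs `required` and say why."""
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        return f"DENIED: token audience {aud!r} is not Microsoft Graph"
    granted = granted_permissions(claims)
    if required not in granted:
        return (f"DENIED: expect Authorization_RequestDenied, {required} is missing; "
                f"token only carries {sorted(granted)}")
    return f"OK: {required} present (appid {claims.get('appid')})"


def make_unsigned_test_token(claims: dict) -> str:
    """CONSTRUCTED fixture only: an alg=none JWT with an empty signature so the
    decoder can be exercised offline. Entra ID never issues tokens like this."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed claims resembling the questioner's token: Graph audience, the
    # PowerShell client ID from the question, but only an audit-log scope.
    denied = make_unsigned_test_token({
        "aud": "https://microsoftgraph.chinacloudapi.cn",
        "appid": "1950a258-227b-4e31-a9cf-717495945fc2",
        "scp": "AuditLog.Read.All openid profile",
    })
    # Same client after Organization.Read.All has been granted and consented.
    fixed = make_unsigned_test_token({
        "aud": "00000003-0000-0000-c000-000000000000",
        "appid": "1950a258-227b-4e31-a9cf-717495945fc2",
        "scp": "AuditLog.Read.All Organization.Read.All openid profile",
    })
    for token in (denied, fixed):
        print(explain_authorization(decode_jwt_claims(token)))
```

Running it prints a DENIED line for the first fixture and an OK line for the second, which is the same comparison the answer made from the screenshot. The check only reads claims; it deliberately does not verify the signature, because the point is to explain a 403 you already received, not to accept or reject a token.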

0
votes

AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

It worked (tested for Azure China and the Azure public cloud).

Azure CLI (Microsoft's Python utility/library) uses the same client ID:

https://azuresdkdocs.blob.core.windows.net/$web/python/azure-identity/1.1.0/_modules/azure/identity/_constants.html