
My main purpose is to get a user's calendar with a single admin access token. I am trying to get an access token by following these steps.

URL: https://login.microsoftonline.com/{tenentId}/oauth2/v2.0/token

Body:
client_id: client_ID
scope: https://graph.microsoft.com/.default
client_secret: client_secretID
grant_type: client_credentials

This gives me an access token, but when I try to use this token to get the users' data from this URL, https://graph.microsoft.com/v1.0/users, I got this error:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2021-04-20T11:13:13",
      "request-id": "66d3af76-xxxx-xxxx-xxxx-c39e7xxxxxx",
      "client-request-id": "66d3af76-xxxx-xxxx-xxxx-c39exxxxxx"
    }
  }
}

I have enabled all the permissions required in my Azure app.

Have you added Application permissions User.Read.All? You can parse the access token at jwt.ms and see if your roles claim has this permission. - Shiva Keshav Varma
Yes, I have provided the permission, but I can't see them in my JWT access token when I decode it. What I assume is that I am making a mistake in grant_type or scope. Am I giving the right values? - Haseeb Ahmed
Scope is good, just do as I said in Answer box. If my posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions. See meta.stackexchange.com/questions/5234/… - Shiva Keshav Varma
Did it work for you? - Shiva Keshav Varma
Yes, I think it works. Thanks for your support. - Haseeb Ahmed

1 Answer


Here you are using the App Context flow, where you would be getting an App token. You need to specify the Application permission 'User.Read.All' in the Azure AD App for this to work. Make sure you have granted admin consent for this permission. Then you would see that permission in the token, and it allows you to get users from /users.

enter image description here

If you don't see the above grant admin consent button, then you are not the global admin, so you should ask your admin to grant consent to this permission.
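The check suggested in the comments and in this answer (look for the permission in the token's roles claim), as an added example that is not part of the original posts. The function names and the two sample tokens are constructed for illustration; the tokens are unsigned and only mirror the "no roles claim" and "roles contains User.Read.All" cases discussed above.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Payload claims of a JWT, read WITHOUT verifying the signature.

    Diagnostic only (same view as jwt.ms); never authorize on these claims.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def missing_app_permissions(access_token: str, required: set) -> set:
    """Application permissions in `required` that are absent from `roles`."""
    roles = token_claims(access_token).get("roles", [])
    return set(required) - set(roles)


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed claims: an app token with no roles claim, and one carrying the role.
BEFORE_CONSENT = make_sample_token({"aud": "https://graph.microsoft.com"})
AFTER_CONSENT = make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}
)

if __name__ == "__main__":
    for name, tok in (("before", BEFORE_CONSENT), ("after", AFTER_CONSENT)):
        missing = missing_app_permissions(tok, {"User.Read.All"})
        print(name, "consent: missing", sorted(missing) or "nothing")
```

Running the same check on a real token from the client_credentials request shows whether the permission is in the token before /users is called.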