
Our application is going to do simple User.ReadBasic.All functions, which from what I understand do not require Admin permissions. Using the flow documented here: https://graph.microsoft.io/en-us/docs/authorization/app_only

    POST https://login.microsoftonline.com/{tenantId}/oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
    &client_id=<clientId>
    &client_secret=<clientSecret>
    &resource=https://graph.microsoft.com

I am able to get a valid access token, however when calling the graph the following error message is returned:

    "code": "Authorization_IdentityNotFound", "The identity of the calling application could not be established."

We have set up our app in the management console to have User.ReadAll.Basic permissions, and what is interesting is that I do get a successful result back from the API when I use my own credentials/token cache to spin up a ConfidentialClientApplication instance with the appId and secret and call AcquireTokenSilentAsync for the token:

    // Token cache keyed on the signed-in user: this is the delegated (user) flow,
    // so the resulting token carries the user's identity, not only the app's
    string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
    tokenCache = new SessionTokenCache(
        signedInUserID,
        HttpContext.Current.GetOwinContext().Environment["System.Web.HttpContextBase"] as HttpContextBase);

    // Confidential client built from the app id and secret, backed by the user's cache
    ConfidentialClientApplication cca = new ConfidentialClientApplication(
        appId,
        redirectUri,
        new ClientCredential(appSecret),
        tokenCache);

But we are creating a stateless, headless service that is going to have no user interaction, and thus ideally we don't want to rely on user credentials and a token cache to retrieve the access token. I'm not sure why one scenario works and the other is returning the IdentityNotFound error, and any advice you have is welcome.

ranah
  • Were you able to solve this? I have the same problem – NBajanca Mar 22 '17 at 19:07
  • Hi @NBajanca, yes, it was an issue with regards to Admin permissions for the particular scope that we were trying to access. Once our app was granted access from an Admin to read directory data in our tenant, we were able to query via app identity (we decided to use a cert, which is more secure than an app secret). Let me know if you have any other questions – ranah Mar 24 '17 at 20:16
  • Thank you, I've found that as well meanwhile. I've created an issue in the Microsoft graph docs to see if they can explain better the scopes – NBajanca Mar 24 '17 at 20:23

1 Answer


which from what I understand do not require Admin permissions.

AFAIK, when using the client credentials flow, we need to set application permissions on the app; delegated permissions are used for the delegated flow.

You could try the code below to get users using ADAL:

    // Requires: using System.Net; using Microsoft.IdentityModel.Clients.ActiveDirectory; (ADAL)
    // Tenant-specific authority; the GUID is this answer's example tenant id
    string authority = "https://login.microsoftonline.com/a703965c-e057-4bf6-bf74-1d7d82964996";
    AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
    // Client credentials flow: an app-only token, no user involved
    var result = await authenticationContext.AcquireTokenAsync("https://graph.microsoft.com", new ClientCredential("clientid", "clientsecret"));

    string sURL = "https://graph.microsoft.com/v1.0/users";

    // Call Graph with the app-only token as a bearer token
    WebRequest request1 = WebRequest.Create(sURL);
    request1.Method = "GET";
    request1.Headers.Add("Authorization", "Bearer " + result.AccessToken);
    HttpWebResponse response1 = (HttpWebResponse)request1.GetResponse();
    if (response1.StatusCode == HttpStatusCode.OK)
    {
        // some code
    }

You could set the "Read all users' full profiles" application permission for Microsoft Graph (for testing):


Nan Yu
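The practical way to tell the two situations in this thread apart, before ever calling Graph, is to look at the claims of the token the token endpoint handed back: a client_credentials token carries its application permissions in the `roles` claim, while a delegated token carries user scopes in `scp` and a user identity. The check below is an added example in Python (not code from the question, the answer, or Microsoft's libraries), written so it runs offline against constructed, unsigned sample tokens; the audience value, the permission names (User.Read.All is the answer's "Read all users' full profiles", Directory.Read.All is the comment thread's "read directory data"), and the `roles`/`scp` claim names are real, while the tenant id, client id, and expiry in the samples are placeholders. It inspects the payload only; it does not verify the signature, which is Graph's job as the resource.

```python
import base64
import json
import time

# Graph application permissions that allow app-only reads of users/directory.
USER_READ_APP_ROLES = {
    "User.Read.All",
    "User.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
}
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/"}


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments strip, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature.

    Good enough for inspecting a token we just received over TLS from the
    token endpoint; the resource server (Graph) performs the real validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_only_token(token: str, required_any=USER_READ_APP_ROLES, now=None) -> dict:
    """Classify a token for an app-only Graph call and say why it will or won't work."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))
    if claims.get("aud") not in GRAPH_AUDIENCES:
        return {"ok": False, "reason": "audience is not Microsoft Graph", "roles": roles}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired", "roles": roles}
    if "scp" in claims:
        # A scp claim means a user was involved: this is the delegated flow from the question.
        return {"ok": False, "reason": "delegated token (scp claim); not app-only", "roles": roles}
    if not roles:
        # No roles claim: the app has no admin-consented application permissions,
        # which is the situation the thread attributes the IdentityNotFound error to.
        return {"ok": False, "reason": "no roles claim: app has no consented application permissions", "roles": roles}
    if not roles & set(required_any):
        return {"ok": False, "reason": "roles claim lacks a user/directory read permission", "roles": roles}
    return {"ok": True, "reason": "app-only token with a required application permission", "roles": roles}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test helper: alg=none with an empty signature segment.

    Real Entra ID / Azure AD tokens are RS256-signed; this only lets the checks
    above run offline on sample payloads.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims; tenant id, client id and expiry are placeholders.
FAR_FUTURE = 4102444800  # 2100-01-01, so the samples never age out
BASE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/<tenantId>/",
    "appid": "<clientId>",
    "exp": FAR_FUTURE,
}
GOOD_TOKEN = make_unsigned_jwt({**BASE_CLAIMS, "roles": ["User.Read.All"]})
NO_ROLES_TOKEN = make_unsigned_jwt(dict(BASE_CLAIMS))
DELEGATED_TOKEN = make_unsigned_jwt({**BASE_CLAIMS, "scp": "User.ReadBasic.All", "upn": "user@example.com"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("no_roles", NO_ROLES_TOKEN), ("delegated", DELEGATED_TOKEN)]:
        print(name, check_app_only_token(tok))
```

Run the same check on the real `result.AccessToken` from the answer's ADAL snippet: if `roles` is missing, the fix is in the app registration (application permission plus admin consent), not in the code that requests the token.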