Using the Office 365 Outlook REST API (version 2), I have a web application managing Outlook subscriptions to specific mailboxes. I've been able to use the examples to obtain a token and call the API using the authorization code flow, successfully.

But now, I want to use a client credential flow and get a token using Azure AD authentication via delegate permissions (I gave the application all possible delegate permissions under Office 365 Exchange Online). Similar to what I've seen here: Get Office 365 API access token without user interaction

I've registered my application and gotten my tenant ID, client ID & secret. I've been able to get a token but when I try to use it, I get 401, unauthorized back.

Here's how I'm getting the token:

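```csharp
// Uses ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory)
AuthenticationContext authContext = new AuthenticationContext($"{authority}{tenantId}");
clientCredential = new ClientCredential(client_Id, secret);
// Client credential flow: the token is issued to the application, with no user context
authResult = await authContext.AcquireTokenAsync(resource, clientCredential);
return authResult.AccessToken;
```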

And here's how I'm trying to use the API (trying to delete the subscription using RestSharp in this code):

```csharp
var token = await GetOtherToken(account);
rc = new RestClient("https://outlook.office.com/api/v2.0");
rc.AddDefaultHeader("Authorization", $"Bearer {token}");
// "me" refers to the signed-in user of the token
request = new RestRequest($"me/subscriptions('{restSubId}')", Method.DELETE);
request.AddHeader("Content-Length", "0");
request.AddHeader("Content-Type", "multipart/form-data");
```

Looks like this is not possible. Please, someone, drop some knowledge. Thanks for reading.

punished.snake

1 Answer

When using the client credential flow to acquire a token for a resource, you are using the application's identity instead of a user's identity. So you should assign application permissions to your app (not delegate permissions). In addition, since you are using the app's identity instead of a user's identity, the API can't recognize me (https://outlook.office.com/api/v2.0/me). Please click here for how to build service and daemon apps in Office 365.

Nan Yu
  • Thanks for helping me out. Is there a way to leverage delegate permissions without UI interaction? I used _me_ because I didn't want to post my email. I understand that the API is supposed to use the user email? For example: user@domain.com? – punished.snake May 17 '17 at 14:55
  • You could use [Resource Owner flow](https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/), and if using client credential flow, you could query special user information by passing email. – Nan Yu May 18 '17 at 01:56
  • Thanks, I'm planning to try both. Although the resource owner flow seems simple enough, I'm stuck on that link you gave me (to build the service / daemon app): configuring the certificate is confusing. – punished.snake May 18 '17 at 16:47
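
The distinction drawn in the answer can be checked directly on the token before calling the API. The following is an added example, not code from the question, the answer, or the ADAL/RestSharp projects: it decodes the token payload without validating it, reports whether it carries application permissions (`roles`) or delegated ones (`scp`), and builds the subscription path accordingly. The class and method names are hypothetical, the sample tokens are constructed and unsigned, and `System.Text.Json` is assumed to be available.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class TokenCheck   // hypothetical helper, not part of ADAL or RestSharp
{
    // Decode the payload segment of a JWT for inspection only (no signature validation).
    public static JsonElement DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        return doc.RootElement.Clone();
    }

    // Azure AD puts application permissions in "roles" and delegated permissions in "scp".
    public static string Classify(JsonElement p)
    {
        if (p.TryGetProperty("roles", out var r) && r.ValueKind == JsonValueKind.Array && r.GetArrayLength() > 0)
            return "app-only";
        if (p.TryGetProperty("scp", out var s) && s.ValueKind == JsonValueKind.String && s.GetString() != "")
            return "delegated";
        return "no-permissions";   // e.g. client credentials with only delegate permissions assigned
    }

    // An app-only token has no signed-in user, so "me" cannot resolve; name the mailbox instead.
    public static string SubscriptionPath(string kind, string mailbox, string subId)
    {
        if (kind == "delegated") return $"me/subscriptions('{subId}')";
        if (kind != "app-only") throw new InvalidOperationException("token carries no usable permissions");
        if (mailbox.IndexOfAny(new[] { '\'', '/', '?' }) >= 0) throw new ArgumentException("bad mailbox");
        return $"users('{mailbox}')/subscriptions('{subId}')";
    }

    // Builds an unsigned, constructed sample token ("e30" is the base64url of "{}").
    static string Fake(string payloadJson) => "e30." + Convert.ToBase64String(
        Encoding.UTF8.GetBytes(payloadJson)).TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // Constructed payloads: delegated token, app-only token, app token with no roles granted.
        var samples = new[] { Fake("{\"scp\":\"Mail.Read\"}"), Fake("{\"roles\":[\"Mail.Read\"]}"),
                              Fake("{\"appid\":\"00000000-0000-0000-0000-000000000000\"}") };
        foreach (var t in samples)
        {
            var kind = Classify(DecodePayload(t));
            Console.WriteLine(kind == "no-permissions" ? "no roles/scp claim in token"
                : $"{kind}: {SubscriptionPath(kind, "user@domain.com", "SUB_ID")}");
        }
    }
}
```

The third sample corresponds to the situation in the question: a client credential token requested while only delegate permissions are assigned carries neither claim.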