3

Below is the code that I have put to invite a user in Azure AD.

I get an "unauthorized" response. I am not sure what permissions/settings are missing. Does anyone have an idea?

```csharp
// Acquire an access token for the application.
string accessToken = await AuthenticationHelper.GetTokenForApplication ();

// Build the invitation request body.
InvitationModel invite = new InvitationModel ();
invite.invitedUserEmailAddress = user.Email;
invite.inviteRedirectUrl = ConfigurationManager.AppSettings["InviteRedirectUrl"];
invite.sendInvitationMessage = true;

using (HttpClient client = new HttpClient ()) {
    client.BaseAddress = new Uri ("https://graph.microsoft.com");

    client.DefaultRequestHeaders.Accept.Add (
        new MediaTypeWithQualityHeaderValue ("application/json"));

    // Send the token as a bearer credential.
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue ("Bearer", accessToken);

    // Awaited rather than blocking on .Result, since the method is already async.
    HttpResponseMessage response =
        await client.PostAsJsonAsync<InvitationModel> ("v1.6/invitations", invite);

    dynamic inviteResult =
        await response.Content.ReadAsAsync<dynamic> ();

    if (inviteResult.status != "Error") { }
}
```
Marc LaFleur
  • v1.6? You might be mixing Azure AD Graph and Microsoft Graph. MS Graph versions at the moment are v1.0 and beta AFAIK. – juunas Jan 04 '18 at 12:57
  • @juunas I have replaced it with v1.0 but I still get the Unauthorized error. What could it be that I am missing? –  Jan 04 '18 at 17:41
  • message : Access token validation failure –  Jan 04 '18 at 17:46
  • I have made a few changes and now see this error: Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite. But I have given the right permission to read/write AD data to the application from the Azure portal. –  Jan 04 '18 at 17:53
  • I have added the code sample in your other [SO thread](https://stackoverflow.com/questions/48093480/how-to-invite-user-in-azure-ad-programmaticaly-using-microsoft-azure-activedirec/48419406#48419406). – Tom Sun - MSFT Jan 25 '18 at 01:00

1 Answer

7

Your problem is that you are conflating Microsoft Graph and Azure AD Graph here. These are two distinct APIs with different calling conventions and permission scopes.

In order to create an Invitation you will need one of the following permission scopes (Note that the first is the most restrictive permission (globally), the last the most permissive):

  • User.Invite.All
  • User.ReadWrite.All
  • Directory.ReadWrite.All

Note that all of these scopes are admin-restricted and will require Admin Consent before you can use them.

Once you have a valid token, you'll need to make a POST call to https://graph.microsoft.com/v1.0/invitations with the following body:

```json
{
  "invitedUserEmailAddress": "yyy@test.com",
  "inviteRedirectUrl": "https://myapp.com"
}
```

Since you're using C#, I would strongly recommend using Microsoft Graph Client Library rather than hand-rolling your own HttpClient calls.

Elanis
Marc LaFleur
  • 1
    Thank you. Do you have a link to the sample code of the Microsoft Graph Client Library, because I don't find any –  Jan 05 '18 at 01:35
  • There are a lot of samples available at https://github.com/microsoftgraph/ but I'd suggest starting with the [UWP Snippets](https://github.com/microsoftgraph/uwp-csharp-snippets-sample) sample first. Even if you're not using UWP, the C# code in there should be portable enough. It's also a great sandbox to play around with the SDK. – Marc LaFleur Jan 05 '18 at 16:21
  • Thanks, this solution did also work for me in an Azure PowerShell Runbook scenario with New-AzureADMSInvitation – Kai Walter Jan 12 '19 at 18:53
  • FYI for anybody looking for this solution. Azure AD Graph is now deprecated and everybody should be using the Microsoft Graph API – fei0x Aug 30 '23 at 15:08
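
A troubleshooting check for the two errors seen in this thread, added here as an example and not code from the question, the answer or the Microsoft Graph SDK: it decodes the access token's payload and reports whether the `aud` claim is Microsoft Graph and whether one of the three permissions listed in the answer was granted. The names `GraphTokenCheck`, `Diagnose` and `Sample`, the sample tokens, and the Azure AD Graph audience `https://graph.windows.net` are assumptions made for illustration; the signature is not verified, so the output is for diagnostics only.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;
static class GraphTokenCheck // hypothetical helper name, not part of any SDK
{
    // "aud" values of a Microsoft Graph token (resource URI or its app id).
    static readonly string[] GraphAudiences =
        { "https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000" };
    // Permissions the answer lists for POST /v1.0/invitations.
    static readonly string[] InvitePermissions =
        { "User.Invite.All", "User.ReadWrite.All", "Directory.ReadWrite.All" };
    static string DecodeSegment(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }
    // Reads the claims WITHOUT verifying the signature: troubleshooting only.
    public static string Diagnose(string accessToken)
    {
        string[] parts = accessToken.Split('.');
        if (parts.Length != 3) return "not a JWT";
        using JsonDocument doc = JsonDocument.Parse(DecodeSegment(parts[1]));
        JsonElement claims = doc.RootElement;
        string aud = claims.TryGetProperty("aud", out var a) ? a.GetString() ?? "" : "";
        if (!GraphAudiences.Contains(aud.TrimEnd('/'), StringComparer.OrdinalIgnoreCase))
            return $"wrong audience '{aud}': token was not issued for Microsoft Graph";
        // App-only tokens carry permissions in "roles", delegated tokens in "scp".
        var granted = Enumerable.Empty<string>();
        if (claims.TryGetProperty("roles", out var roles) && roles.ValueKind == JsonValueKind.Array)
            granted = granted.Concat(roles.EnumerateArray().Select(r => r.GetString() ?? ""));
        if (claims.TryGetProperty("scp", out var scp) && scp.ValueKind == JsonValueKind.String)
            granted = granted.Concat(scp.GetString().Split(' '));
        string hit = granted.FirstOrDefault(g => InvitePermissions.Contains(g));
        return hit != null ? $"ok: token carries {hit}"
                           : "audience ok, but no invitation permission (check admin consent)";
    }
    // Constructed, unsigned sample tokens: header "e30" is "{}", signature is a dummy.
    static string Sample(string json) => "e30." + Convert.ToBase64String(
        Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";
    static void Main()
    {
        Console.WriteLine(Diagnose(Sample(@"{""aud"":""https://graph.windows.net"",""roles"":[""Directory.ReadWrite.All""]}")));
        Console.WriteLine(Diagnose(Sample(@"{""aud"":""https://graph.microsoft.com"",""roles"":[""User.Read.All""]}")));
        Console.WriteLine(Diagnose(Sample(@"{""aud"":""https://graph.microsoft.com"",""roles"":[""User.Invite.All""]}")));
    }
}
```

The first sample models a token requested for Azure AD Graph, the second a Microsoft Graph token whose app registration lacks an invitation permission or admin consent, and the third a token that satisfies both checks.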