I am trying to log in as my registered app, with the permissions granted on: Azure Portal > App registrations > App registrations (Preview) > My App Name - API permissions

According to this documentation, I have to pass my resource identifier (APP ID URI) in the scope parameter when requesting a token. I am certain that this scope parameter is the one causing me problems.

I have tried different parameters of the scope.

  1. https://graph.microsoft.com/.default: This works for basic functions, like reading the calendar but I believe that the default permissions are very little for my needs. Since this works, I believe my other parameters are correct, and the scope is the problem.

  2. [APP-ID]/.default: This gives me a successful response, however, whenever I try to make any request, including the basic read calendar request, I get InvalidAuthenticationToken. I can assure you that I am passing the correct token retrieved from the token request.

  3. Multiple different URL combinations based on online suggestions. All of them return

    "The resource principal {resource-url} was not found in tenant {id}."

I strongly believe the problem is that I am not passing the correct APP ID URI for my application. Can anyone tell me where I can find this resource? Everything I have searched online is 2+ years old and does not seem to be the same for the new Azure portal.

Marc LaFleur
Minhal Shanjer
    2 ways you can find APP ID URI.. 1) Edit manifest and look for `identifierUris` 2) Go to your Azure AD > App Registrations > Your app registration > Properties.. https://i.stack.imgur.com/V04A0.png – Rohit Saigal Apr 04 '19 at 18:01
  • You need to pass the identifier for the API that you want to call. Not your URI. If you use ".default", you should define the app permissions in the API Permissions and grant them. Note you need app permissions, not delegated permissions. – juunas Apr 04 '19 at 18:02
  • I searched for identifierUris in manifest, I got: "identifierUris": []. This leads me to believe that I do not have an APP ID URI which is weird. – Minhal Shanjer Apr 04 '19 at 18:08
  • Hello juunas, I have granted and approved the app permissions according to the API-Permission page. When you say 'pass the identifier' do you mean the App ID? I tried doing [APP-ID]/.default, but that did not seem to work. I will try [APP-ID] as a standalone. – Minhal Shanjer Apr 04 '19 at 18:10
  • That is because you may not have set any App ID URI for your application yet.. Nevertheless.. I think @juunas has already explained it well.. you need the identifier for the API you're about to call.. or want to acquire the token for.. so it will be graph api's identifier which I suppose would be `https://graph.microsoft.com` – Rohit Saigal Apr 04 '19 at 18:12
  • I think I understand what you mean, I'll try it and respond. – Minhal Shanjer Apr 04 '19 at 18:14
  • Ok, thanks everyone. I think my misunderstanding was that the first option specified in my question gets the default msgraph permission. But I believe it actually grants the permission related to the app. – Minhal Shanjer Apr 05 '19 at 13:19

For Client Credentials (i.e. getting a token without a user), you need to pass https://graph.microsoft.com/.default as your scope.

The permissions https://graph.microsoft.com/.default provides are the "Application permissions" you specified when registering the application in the portal:

(screenshot omitted)

Once you've added all the "Application permissions" you need for your application, you need to "Grant consent" for those scopes in your tenant (this is the button at the bottom of the API permissions tab).

Once you have these in place, you need to issue a POST to the /token endpoint (line-breaks are just for readability, this should be a single string):

POST https://login.microsoftonline.com/{{tenantDomain}}/oauth2/token
Content-Type: application/x-www-form-urlencoded

client_id={your-app-id}
&scope=https://graph.microsoft.com/.default
&client_secret={your-client-secret}
&grant_type=client_credentials

This will return you something like this:

{
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554431330",
    "not_before": "1554427430",
    "resource": "00000003-0000-0000-c000-000000000000",
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZS..."
}

When you call into Graph you need to set the Authorization header to token_type access_token. So calling /users would look like this:

GET https://graph.microsoft.com/v1.0/users
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZS...
Host: graph.microsoft.com
Accept: application/json

Marc LaFleur
  • @MinhalShanjer, @MarcLaFleur, I am facing a similar problem. I am making a request to fetch access token using the Microsoft Graph explorer. I have followed all steps as mentioned in your answer, but I don't receive any response. Ideally I should get a json containing the token. – Ayush Nov 11 '19 at 09:13
  • You can check my complete question here: https://stackoverflow.com/questions/58798338/unable-to-get-access-token-from-azure-ad-when-using-microsoft-graph-explorer – Ayush Nov 11 '19 at 09:15
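The following script is an added example and is not code from the question, the answer or Microsoft; it ties together the client-credentials request from the answer and the `InvalidAuthenticationToken` symptom from the question. It builds the form body with `scope=https://graph.microsoft.com/.default`, and then decodes the returned access token locally (signature not verified, inspection only) to check the two things that explain the failures discussed above: the `aud` claim must be Graph (`https://graph.microsoft.com` or its resource id `00000003-0000-0000-c000-000000000000`, the value shown in the answer's response), and the `roles` claim must contain the application permissions granted in the portal. A token requested with `[APP-ID]/.default` carries the app's own identifier as `aud`, which is why Graph rejects it. Assumptions: the example uses the v2.0 endpoint (`/oauth2/v2.0/token`), which is the one that takes the `scope` parameter; the tenant, client id, secret and the two sample tokens are constructed placeholders, and the sample tokens are unsigned and only exist so the checks can run offline.

```python
"""Client-credentials token request for Microsoft Graph plus a local token check.

Added example, not part of the original Stack Overflow post. Placeholders and
sample tokens are constructed; they are not real Azure AD values.
"""
import base64
import json
import urllib.parse
import urllib.request

# Resource id of Microsoft Graph (the "resource" value in the answer's response)
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_AUDIENCES = ("https://graph.microsoft.com", GRAPH_RESOURCE_ID)


def build_token_request(tenant, client_id, client_secret):
    """Return (url, body) for the v2.0 client-credentials POST.

    scope=<resource>/.default selects the *application* permissions that were
    added under API permissions and admin-consented in the portal.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body


def request_token(tenant, client_id, client_secret):
    """Perform the POST against Azure AD (network call, not used offline)."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def authorization_header(token_response):
    """Header value the answer describes: '<token_type> <access_token>'."""
    return f"{token_response['token_type']} {token_response['access_token']}"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the claims of a compact JWT WITHOUT verifying the signature.

    Use only to inspect a token you just received; never for trust decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token, required_roles=()):
    """Return a list of problems that explain an InvalidAuthenticationToken or 403.

    An empty list means the token is addressed to Graph and carries every
    application role in required_roles.
    """
    claims = decode_jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}: token was issued for another resource "
                        "(e.g. your own App ID URI), Graph will reject it")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        problems.append(f"missing application roles {sorted(missing)}: add them "
                        "under API permissions and grant admin consent")
    return problems


def make_unsigned_jwt(claims):
    """Constructed sample token: alg=none and an empty signature, for offline demos only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return f"{header}.{enc(claims)}."


# Constructed samples (placeholder app id, not a real tenant or application)
APP_ID = "00000000-0000-0000-0000-000000000001"
GOOD_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                "roles": ["Calendars.Read", "User.Read.All"],
                                "appid": APP_ID})
# What scope=[APP-ID]/.default produces: aud is the app itself, no Graph roles
WRONG_AUDIENCE_TOKEN = make_unsigned_jwt({"aud": f"api://{APP_ID}", "roles": []})

if __name__ == "__main__":
    url, body = build_token_request("contoso.onmicrosoft.com", APP_ID, "{client-secret}")
    print("POST", url, "\n", body)
    for name, tok in (("good", GOOD_TOKEN), ("wrong audience", WRONG_AUDIENCE_TOKEN)):
        print(name, "->", check_graph_token(tok, ["Calendars.Read"]) or "ok")
```

Run it as-is to see the offline checks; to go live, call `request_token(...)` with your tenant, client id and secret, then pass `resp["access_token"]` to `check_graph_token` with the roles you granted (for example `["Calendars.Read"]`) before using `authorization_header(resp)` on the Graph call.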