How to get a list of users from azure graph API

Question

I am trying to get a list of users from azure ad using graph api. I have got the access token by using the below query:

https://login.microsoftonline.com/<tenant-Id>/oauth2/token

I got below response:

{
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1559555742",
    "not_before": "1559551842",
    "resource": "https://graph.microsoft.com",
    "access_token": "eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYUy1XcWZRa2RmUmVnSVJfWE4yLXdYSFZwLXJKdlltcWVzTzAwSmd1V2dJOVVQUVBWbldScjhtZjM1SHhXblhFcWhIMVlWY1Y2NlYS00ZTE1LTQ0NWEtOTM0Ni02YTBhOGQxN2UxOTYvIiwib2lkIjoiYzE0YzFlYmEtYzExMS00ZmMxLTllYjAtYTJmNGMwNjg4MDEyIiwic3ViIjoiYzE0YzFlYmEtYzExMS00ZmMxLTllYjAtYTJkKgCbMg5jElY2I83cKpRos6Jti3SUYIVTYiyF__gMsKzCQWgRZFUWnTi7syaypCrPEExPw_OMRJMNMOrYixTBZjwUi0H6ThGNxQOMt5mXhzvlVYRMdyChdmv4r2-JK-LX9yjBN8BWG78e3FYhWQCRERh5H3zNpdX1ln79QY38mhn-XJViA2vX-VCYqZhoUo-c_iR-_HZ3CLCHxRxgRHtT_oGXuX1Kegxo3F6FsuQ2Vj1WT5VjCRGCi71pY_lU_EROzkLdefS84fur4jBawvd1ccCf8u9U0kYy3xu0m02wNxKPe2Weg"
}

Once I have the token, I am referring to this link and using below url to get the user list:

https://graph.microsoft.com/v1.0/users

and also passing the token in header but getting below error:

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "CompactToken parsing failed with error code: 80049217",
        "innerError": {
            "request-id": "f03e6cc4-1888-406d-9ee4-2558b96e7fb4",
            "date": "2019-06-03T09:22:30"
        }
    }
}

I am doing this from postman as of now but later have to do it from python script. Can anyone please suggest what is wrong here. Thanks

Md Farid Uddin Kiron · Accepted Answer · 2022-06-27T04:55:56.477

7

It seems you are trying to fetch user list using Microsoft Graph. To do that see the following steps:

Azure portal Permission:

Go to your Azure portal tenant and set below permission on "API permissions" menu. See the screen shot below:

See the Application Permission Like below:

Do the same for dedicated permission. See the dedicated permission below

Your Permission should look like below:

Request for Token:

Send request to your token endpoint with your credentials. Like below:

Decode Token and Check Permission:

Once you get your token make sure on https://jwt.io/ that your token contains required permission like below:

Request For User List

In this stage add your token on Type as bearer token, paste your token on Token text box and click send:

Get The Users List:

You will get your User List as specified in below screen shot.

edited Jun 27 '22 at 04:55

answered Jun 03 '19 at 09:52

Md Farid Uddin Kiron

16,817
3
17
43

When I click on `Add a permission` and select `Microsoft Graph`, it ask me for `Delegated Permissions` or `Application Permissions`. What should I choose.? – S Andrew Jun 03 '19 at 09:54
Application Permissions – Md Farid Uddin Kiron Jun 03 '19 at 10:03
Hi I have updated the answer please check the screen shot – Md Farid Uddin Kiron Jun 03 '19 at 10:07
The token which I was using has expired now. I am submitting the request to generate the token again but its giving me same token. Very strange. Do you have any idea on how to generate the new token again – S Andrew Jun 03 '19 at 10:13
Thanks I got it working. Just wanted to check if I want to create user, I need to set User.ReadWrite.All permission in ad app.? – S Andrew Jun 03 '19 at 10:21
Yeah `User.ReadWrite.All ` – Md Farid Uddin Kiron Jun 03 '19 at 10:22
No I have set User.ReadWrite.All and Directory.ReadWrite.All but getting `Insufficient privileges` error – S Andrew Jun 03 '19 at 10:35
Just decode your token on jwt and let me know the permission is available – Md Farid Uddin Kiron Jun 03 '19 at 11:40
Can you please let me know on how to decode it, I am very new to this. – S Andrew Jun 03 '19 at 11:51
Also can you comment here as I have created another question for it. https://stackoverflow.com/questions/56426417/how-to-create-a-user-using-azure-graph-api Thanks – S Andrew Jun 03 '19 at 11:52
I got it working too. I was using application permission but I had to use delegated permissions – S Andrew Jun 03 '19 at 11:57
I have similar setup in postman and getting the users in response too but not all the users from the Org. Any idea why it is not returning all the users? – Prateek Naik May 23 '22 at 10:12
Could you please post another question so that it can be checked there. – Md Farid Uddin Kiron May 24 '22 at 02:05

Joy Wang · Answer 2 · 2019-06-03T09:48:14.670

1

You could follow the steps as below.

1.In your AD App -> API permissions -> Add a permission -> select Microsoft Graph -> Application permissions -> User.Read.All -> click Add permissions -> click Grant admin consent for xxx

2.Use the client credentials flow to get the access token.

3.Then you could use the token returned by step 2 to call the MS graph api, it should work.

edited Jun 03 '19 at 09:48

answered Jun 03 '19 at 09:40

Joy Wang

39,905
3
30
54

I am also getting the token using the client credential flow. I have attached a screenshot of it in the question. Please let me know how do I use that token to further call the MS graph api.? – S Andrew Jun 03 '19 at 09:47
@SAndrew See the `step 1` in my reply, did you grant the `User.Read.All` permission for your ad app? – Joy Wang Jun 03 '19 at 09:49
Can you explain the step 3. Where did you added that token. I am bit new to this software Postman – S Andrew Jun 03 '19 at 09:49
@SAndrew See the screenshot in step 3, Click `Authorization` -> select `Bearer Token` -> paste your token -> `Send`, no need to write the `Authorization` manually in the header. – Joy Wang Jun 03 '19 at 09:51
When I click on `Add a permission` and select `Microsoft Graph`, it ask me for `Delegated Permissions` or `Application Permissions`. What should I choose.? – S Andrew Jun 03 '19 at 09:54
And lets say if I want to create and delete user as well, should I select `User.ReadWrite.All` – S Andrew Jun 03 '19 at 09:57
@SAndrew 1. we use `client credentials flow` here, so we need to select `Application permission`, 2. yes, you could find the permissions in the doc, from least to most, https://i.stack.imgur.com/m24u3.png – Joy Wang Jun 03 '19 at 09:58
Thank you. I am getting `Your access token has expired. Please renew it before submitting the request.`. How do I renew it. ? – S Andrew Jun 03 '19 at 10:01
@SAndrew Do step 2 again to request a new token. – Joy Wang Jun 03 '19 at 10:02
Yes I did that but its giving me same token again and same error that `Your access token has expired. Please renew it before submitting the request.` – S Andrew Jun 03 '19 at 10:04
@SAndrew Try to generate a new secret for your AD App, then use the new one. – Joy Wang Jun 03 '19 at 10:08
Very strange that its giving the same token even after using the new secret. – S Andrew Jun 03 '19 at 10:14

How to get a list of users from azure graph API

2 Answers2

Linked