
I am very new to MS Graph and Office 365 and have made good progress. I am an O365 Global Admin for my organisation (a school) and have app development experience. There is a lot of scope for using MS-Access databases in our context for "globally" managing the O365 content, e.g. contacts, distribution lists and planner tasks. We want to manage these from an on-premises MS-Access database or two, ideally with an admin person authenticating the MS Graph activity.

So, to test, I created a new db and have managed to get it to consume the following endpoint using VBA but with no user authentication for now.

https://graph.microsoft.com/v1.0/groups

However, when I try

https://graph.microsoft.com/v1.0/planner/plans/with my plan id here

I get 401 - Unauthorized: Access is denied due to invalid credentials.

So, clearly my Application registration is wrong or my authentication or both! I have spent hours searching for examples and help and because of the evolving nature of the ecosystem I am finding it pretty hard to work out what I should do now (as opposed to a year or two ago).

The authorisation that generates the access_token that works to allow me access to the groups is:

POST https://login.microsoftonline.com/{my tenant id here}/oauth2/token

grant_type=client_credentials
client_id={my client id}
client_secret={my url encoded secret}
resource=https://graph.microsoft.com

but using that same access_token for the planner tasks throws the 401 error.

My app permissions look like this: [screenshot: Azure Portal API Permissions]. I presume this is because of the difference between the Application and Delegated types but have not fully grasped it all yet. And, I suspect I am using the wrong authentication flow anyway. :-(

So, my questions are:

1. Do my permissions look right?
2. Is my authentication flow correct?
3. Should I be using these instead? i.e. have I been working from old information?

https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/authorize 
https://login.microsoftonline.com/{my tenant id here}/oauth2/v2.0/token

As you can tell I have become somewhat confused. If anyone can point me in the right overall direction given what I am attempting that would be so helpful.

Thanks so much, Murray

braX
Murrah
  • Are you sending your access token in the request header? – PGHE Aug 05 '19 at 02:14
  • Thank you. Yes, like this: `httpReq.setRequestHeader "Authorization", "Bearer " & authToken`. Same for accessing Groups (which works, status 200) and Planner/plans (which throws the 401 status). – Murrah Aug 05 '19 at 03:10

1 Answer

1. Do my permissions look right?

Yes, undoubtedly, your Azure portal permissions seem all right. You need dedicated permission for that and also need to grant admin consent, which you have done perfectly, as shown in the screenshot.

2. Is my authentication flow correct?

As you are using the Client Credentials Grant Flow, the request format seems all right. But I doubt this flow is suitable for the API you are trying to call, because this API requires dedicated permission.

3. Should I be using these instead?

Since this API needs dedicated permission, you could use the authorization code grant flow.

Follow the steps below to get your token using the Authorization Code grant flow.

Get Authorization Code:

https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default

Request a token from oauth2/V2.0/token with your code:

Request URL: https://login.microsoftonline.com/common/oauth2/V2.0/token or https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token

Method: POST

Request Body Format:

client_id: Your_Client_Id
scope: https://graph.microsoft.com/.default
redirect_uri: Your_Portal_Redirect_URI
grant_type: authorization_code
client_secret: Your_Client_Secret
code: Paste Code Here

Decode Token:

You could decode your token on https://jwt.io/ and make sure you have the required permissions in your Azure portal.

4. Have I been working from old information?

No, the information has no issue, so far as I have gone through it.

Note: For details of the implementation of the Authorization Code grant flow, you could take a look at the official docs.

Md Farid Uddin Kiron
  • Thank you so much! I will work through this and report back! Much appreciated. :-) – Murrah Aug 05 '19 at 07:03
  • No worries, I am here to help you as best I can. – Md Farid Uddin Kiron Aug 05 '19 at 07:17
  • Farid, thanks. Making good progress now. Once I more fully understand what I am doing and formalise my code I will write a more detailed article with code samples for MS-Access VBA. I can now get groups, plans, tasks and contacts, so it looks like the authentication and permissions are solved using the `Authorization Grant Flow` as you suggested. :-) – Murrah Aug 06 '19 at 05:44
  • Done. Yes, thank you. I will add a link to more details over coming days. – Murrah Aug 06 '19 at 11:16
  • Sure, I will include it on my answer. Thanks for your collaboration. – Md Farid Uddin Kiron Aug 06 '19 at 11:36
  • For a followup related question (deleted by SO) please see: https://stackoverflow.com/questions/57391597/ms-graph-api-does-the-authorization-flow-need-to-start-with-a-browser-call-to-g – Murrah Aug 07 '19 at 21:35
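An added worked example, not part of the question or the answer, that puts the two steps of the answer's authorization code flow into code and adds the token check the answer does on jwt.io. It is written in Python rather than the asker's VBA because the HTTP requests and the token claims are the same whatever client sends them; what the answer calls "dedicated" permission is the Delegated type in the Azure portal's API permissions blade. The tenant name, client id, redirect URI and the two sample tokens are constructed placeholders, and `token_kind` only decodes the payload (no signature check), so it is a debugging aid for your own tokens, never a way to authenticate a caller. The point it makes visible is why the asker's `/groups` call worked while Planner returned 401: a client-credentials token carries a `roles` claim and no signed-in user, whereas an authorization-code token carries `scp` and the user's identity.

```python
"""Authorization code flow against the v2.0 endpoints quoted in the answer,
plus an offline look at which kind of token came back.  Example code added
for illustration; all identifiers below are constructed placeholders."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_authorize_url(tenant, client_id, redirect_uri, state=None):
    """Step 1: the URL the admin opens in a browser to sign in and consent.
    `state` is an anti-CSRF nonce the caller must compare on the redirect;
    a random one is generated when none is supplied."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": GRAPH_SCOPE,
        "state": state,
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode(params), state


def code_from_redirect(redirect_url, expected_state):
    """Extract `code` from the redirect URL; refuse a mismatched state or an error."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def token_request(tenant, client_id, client_secret, redirect_uri, code):
    """Step 2: the form-encoded POST that redeems the code for tokens.
    Returns (url, body) so any HTTP client can send it."""
    body = {
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "client_secret": client_secret,
        "code": code,
    }
    return AUTHORITY.format(tenant=tenant) + "/token", body


def _b64url_decode(segment):
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kind(access_token):
    """Classify a Graph access token by its claims (payload decode only, no
    signature verification): `scp` means delegated (a user signed in),
    `roles` means app-only (client credentials)."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    scp = payload.get("scp")
    roles = payload.get("roles")
    if scp:
        return {"kind": "delegated", "permissions": scp.split(), "user": payload.get("upn")}
    if roles:
        return {"kind": "app-only", "permissions": list(roles), "user": None}
    return {"kind": "unknown", "permissions": [], "user": None}


def _fake_jwt(claims):
    """Constructed, unsigned header.payload. token for offline testing only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed samples of what each flow yields for the same app registration.
APP_ONLY_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                            "roles": ["Group.Read.All"]})
DELEGATED_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com",
                             "scp": "Group.Read.All Tasks.ReadWrite",
                             "upn": "admin@contoso.example"})

if __name__ == "__main__":
    url, state = build_authorize_url("contoso.onmicrosoft.com", "CLIENT_ID", "http://localhost/cb")
    print("open in browser:", url)
    print("client credentials gave:", token_kind(APP_ONLY_TOKEN))
    print("authorization code gave:", token_kind(DELEGATED_TOKEN))
```

Run it as a script to see the two classifications side by side; in a real run, paste the `code` query parameter from the browser redirect into `code_from_redirect`, POST the body from `token_request` with your HTTP client, and feed the returned `access_token` to `token_kind` before calling Graph.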