
Edited on 17.02.2020

We develop a desktop application which uses the Graph API to access information from OneDrive, Teams and other sources.

The app is registered as a multi-tenant application in AAD. The app needs admin consent to gain all the privileges (Delegated). We rolled it out to several customers without issues.

One of our customers gets a 400 Bad Request when accessing https://graph.microsoft.com/v1.0/me/joinedTeams.

I had the chance to follow up on this problem. I used Postman to investigate further.

These are the permissions from the bearer token, parsed with https://jwt.io:

"scp": "AllSites.Manage Files.ReadWrite Group.ReadWrite.All MyFiles.Read MyFiles.Write Notes.ReadWrite.All openid profile Sites.ReadWrite.All User.Read User.Read.All email"

So, as I stated above, the /v1.0/me/joinedTeams endpoint does not work.

I used /v1.0/me/memberOf to find all groups the user is a member of.

I picked a group id from a group which has "resourceProvisioningOptions": ["Team"] and of which the user is an owner (I checked it via the MS Teams desktop client).

I tried /v1.0/Groups/{myId} and got a result.

When I tried /v1.0/Teams/{myId} I got the following response:

Response:
{
  "error": {
    "code": "AuthenticationError",
    "message": "Error authenticating with resource.",
    "innerError": {
      "request-id": "4863dd3c-5d14-4fa1-9f1d-d33b75c9cb72",
      "date": "2020-02-11T10:47:26"
    }
  }
}

Just to be sure, I also checked /v1.0/Groups/{myId}/members, and the user is listed as a member of the group.

Is there a way to block parts of the Graph API (Teams policy, AD policy)? Why is access via the Groups endpoint allowed while access via the Teams endpoint fails to authenticate? Could this be a license problem, even though the MS Teams desktop client is working?

Any help is appreciated. :-)


Original post for reference

Now we have a user who gets a 400 Bad Request when accessing the Teams API. The consent has been granted by the administrator.

We took a look at the returned JWT token, and User.Read.All has been granted.

The access to OneDrive works fine for this user. Hence the token should be valid and correctly attached to the request.

But when accessing /me/teams, a bad request is returned.

The call returns the following exception:

Status Code: BadRequest
Microsoft.Graph.ServiceException: Code: AuthenticationError
Message: Error authenticating with resource.

Inner error

   bei Microsoft.Graph.HttpProvider.<SendAsync>d__18.MoveNext()
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei Microsoft.Graph.BaseRequest.<SendRequestAsync>d__35.MoveNext()
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei Microsoft.Graph.BaseRequest.<SendAsync>d__31`1.MoveNext()
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei Microsoft.Graph.UserJoinedTeamsCollectionRequest.<GetAsync>d__4.MoveNext()
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei yourMail.Graph.Service.GraphAccess.TeamsAccess.<GetMyTeamGroups>d__4.MoveNext()

We are using Microsoft.Graph (from NuGet) version 1.17:

// Issue GET /me/joinedTeams with the delegated token attached by CreateGraphClient()
GraphServiceClient graphClient = CreateGraphClient();
IUserJoinedTeamsCollectionPage result = await graphClient.Me.JoinedTeams.Request().GetAsync();
return result.ToList();

Additional code:

// Namespaces used by the two helpers below
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;

protected GraphServiceClient CreateGraphClient()
{
    // Get the JWT access token via Microsoft.Identity.Client (MSAL);
    // AccessTokenProvider and Permissions are our own wrappers
    string accessToken = AccessTokenProvider.GetAuthenticationToken(Permissions);

    if (accessToken == null)
    {
        throw new InvalidOperationException("Authentication failed.");
    }

    // Attach the bearer token to every request.
    // GraphEndpoints.BetaApi is our own constant pointing at the beta endpoint.
    IAuthenticationProvider authenticationProvider = CreateAuthenticationProvider(accessToken);
    var result = new GraphServiceClient(GraphEndpoints.BetaApi, authenticationProvider)
    {
        PerRequestAuthProvider = () => authenticationProvider
    };

    return result;
}

private IAuthenticationProvider CreateAuthenticationProvider(string accessToken)
{
    // Set "Authorization: Bearer <token>" on each outgoing request message
    var result = new DelegateAuthenticationProvider((requestMessage) =>
    {
        requestMessage.Headers.Authorization =
            new AuthenticationHeaderValue(CoreConstants.Headers.Bearer, accessToken);
        return Task.FromResult(0);
    });
    return result;
}

The user can access Teams in the browser and in the desktop client. Teams should be enabled in the user's tenant, and a license should be present.

  • Are there additional AAD policies which can block access to Teams?
  • Is there a way to debug this? For example, can the tenant admin enable a log file which states why access has not been granted?
  • Could you please provide the detailed error message? Besides, you can test the API via [Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) – Jim Xu Oct 08 '19 at 08:26
  • @JimXu I added the stack trace to the original question. But it doesn't say much. I don't know if I can persuade the tenant admin of the customer to grant the needed rights to the Graph Explorer application for the whole tenant, probably not. – Jürgen Haverkamp Oct 08 '19 at 10:56
  • Could you tell me which type of permissions you use? Delegated or Application? – Jim Xu Oct 08 '19 at 12:46
  • @jim-xu We are using delegated permissions. – Jürgen Haverkamp Oct 08 '19 at 12:57
  • OK. Could you please tell me how you create the graph client? Let me try it on my side. – Jim Xu Oct 08 '19 at 13:23
  • @JimXu I added the code for CreateGraphClient. But it works in our tenant and for all other customers. – Jürgen Haverkamp Oct 08 '19 at 19:04
  • According to my test, your code is right. Could you please use Fiddler to catch your request to get the error message. Besides, why do you use the beta version? As far as I know, the API has a v1.0 version. Normally, we need to use the v1.0 version in a production environment. – Jim Xu Oct 09 '19 at 09:45
  • Did you ever solve this? I seem to be having the same/similar problem. – Jason V Apr 23 '20 at 02:47
  • No, I didn't. At that point our lead lost interest. Let me know if you find out what is causing this. Thx. – Jürgen Haverkamp Apr 27 '20 at 07:38
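
The triage step the question performs by hand (pasting the bearer token into jwt.io and reading the scp claim) can be done locally without sending the token anywhere. The following is an added example, not code from the question or its author, written in Python rather than the project's C# because the check is language-neutral. It decodes the JWT payload offline (no signature verification, which is the resource's job, not the client's), lists the delegated scopes, and compares them with the scopes a call needs, together with the token's audience and expiry. The sample token is constructed here from the scp string posted in the question with a placeholder tenant id and signature; the set of scopes accepted for /me/joinedTeams is an assumption for the example and should be checked against the current Graph permissions reference.

```python
import base64
import json
import time
from typing import Optional

# Well-known identifiers that Microsoft Graph tokens carry in "aud".
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Assumed for this example: delegated scopes of which at least one is expected
# for GET /me/joinedTeams. Verify against the Graph permissions reference.
JOINED_TEAMS_ANY_OF = {"User.Read.All", "User.ReadWrite.All",
                       "Directory.Read.All", "Directory.ReadWrite.All"}

# Constructed sample claims: the scp string from the question, a placeholder
# tenant id, and an expiry matching the date in the question's error response.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": ("AllSites.Manage Files.ReadWrite Group.ReadWrite.All MyFiles.Read "
            "MyFiles.Write Notes.ReadWrite.All openid profile Sites.ReadWrite.All "
            "User.Read User.Read.All email"),
    "exp": 1581418046,  # 2020-02-11T10:47:26Z
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWS for local parsing only."""
    header = {"typ": "JWT", "alg": "none"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(claims), "placeholder-signature"])


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, required_any: set, now: Optional[int] = None) -> dict:
    """Summarise scopes, audience and expiry of a delegated Graph token."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("scp", "").split())
    now = int(time.time()) if now is None else now
    return {
        "tenant": claims.get("tid"),
        "audience": claims.get("aud"),
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "granted": granted,
        "satisfied_by": granted & required_any,
        "expired": int(claims.get("exp", 0)) <= now,
    }


if __name__ == "__main__":
    report = check_token(make_sample_token(SAMPLE_CLAIMS), JOINED_TEAMS_ANY_OF)
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

For a real token, pass the bearer value from the Authorization header to check_token. A token whose audience is not Graph (for example one minted for SharePoint) or whose satisfied_by set is empty is the first thing to rule out before looking at tenant policies; an empty satisfied_by set with an otherwise valid token is the case the question is left with.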

0 Answers