
Trying to get organization details in the Azure China region using Microsoft Graph APIs in Postman with device code authentication

The steps I am following in Postman are as below:

  1. Create a device code using the PowerShell client ID: https://login.chinacloudapi.cn/common/oauth2/v2.0/devicecode?client_id=1950a258-227b-4e31-a9cf-717495945fc2&scope=https://microsoftgraph.chinacloudapi.cn/.default

  2. Log in as Global Administrator from the browser using the received short code at https://microsoft.com/deviceloginchina

  3. Get the access token from https://login.chinacloudapi.cn/common/oauth2/v2.0/token using:

    • grant_type = urn:ietf:params:oauth:grant-type:device_code
    • client_id = 1950a258-227b-4e31-a9cf-717495945fc2
    • device_code = "Device Code Received From First Request"

  4. Now I am trying to get the organization details using the access token received in the step above, via the API https://microsoftgraph.chinacloudapi.cn/v1.0/organization

This request fails with the following error:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2021-02-02T13:47:13",
            "request-id": "c94777b2-2af5-4827-812d-6399f9621ee3",
            "client-request-id": "c94777b2-2af5-4827-812d-6399f9621ee3"
        }
    }
}

It would be helpful if you can point me to the reason why getting the organization details fails.

Note:

  1. I am able to get the response properly in Postman if I create the access token using the AZ CLI utility and use it in Postman.
  2. The Get organization API also works with Graph Explorer (China).

Decoded access token screenshot: https://i.stack.imgur.com/npKG7.png

2 Answers

As your error message says, you lack the permission to read organization information. According to the screenshot of your token, you currently only have the permission to read audit log data.

Therefore, you need to grant the Organization.Read.All delegated permission to the application and grant admin consent for that permission. After that, you will be able to call the API to read the organization information.

Carl Zhao
  • 1. I am using Application ID : **1950a258-227b-4e31-a9cf-717495945fc2** which is built-in app for Azure Power Shell and did not find this App in Azure portal to change/grant the permissions. – Mahesh Surkar Feb 03 '21 at 09:36
  • 2. Going forward I will need to use this Azure power shell application **1950a258-227b-4e31-a9cf-717495945fc2** to create Post API for creating new Tenant Application using API : **https://microsoftgraph.chinacloudapi.cn/v1.0/applications** – Mahesh Surkar Feb 03 '21 at 09:36
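The flow from the question and the scope check behind the first answer, as an added Python example (not code from the question, the answers, or Microsoft): it builds the device-code and token requests for the Azure China endpoints without sending them, then decodes the payload of an access token and reports which delegated scopes the /v1.0/organization call needs but the token's scp claim lacks. The REQUIRED_SCOPES table (taken from the first answer), the constructed demo token and all helper names are assumptions of this example.

```python
import base64
import json
from urllib.parse import urlencode

# Azure China endpoints and client IDs as quoted on this page
CHINA_AUTHORITY = "https://login.chinacloudapi.cn/common/oauth2/v2.0"
CHINA_GRAPH = "https://microsoftgraph.chinacloudapi.cn"
POWERSHELL_CLIENT_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Assumption of this example: the delegated scope each Graph path needs,
# taken from the first answer for /v1.0/organization.
REQUIRED_SCOPES = {"/v1.0/organization": {"Organization.Read.All"}}

def device_code_request(client_id, scope=CHINA_GRAPH + "/.default"):
    """Step 1: URL and form body that start the device code flow."""
    return CHINA_AUTHORITY + "/devicecode", urlencode({"client_id": client_id, "scope": scope})

def token_request(client_id, device_code):
    """Step 3: URL and form body polled until the user has signed in."""
    body = {"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": client_id, "device_code": device_code}
    return CHINA_AUTHORITY + "/token", urlencode(body)

def decode_jwt_payload(token):
    """Read a JWT's claims without verifying it: fine for inspecting your own
    token, never a substitute for signature validation on a resource server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_scopes(token, path):
    """Delegated scopes `path` needs that the token's scp claim does not carry.
    A non-empty result is what Graph reports as Authorization_RequestDenied."""
    granted = set(decode_jwt_payload(token).get("scp", "").split())
    return REQUIRED_SCOPES[path] - granted

def make_demo_token(claims):
    """Constructed, unsigned JWT so the check can be run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

if __name__ == "__main__":
    # Constructed token carrying only the scope the question's screenshot showed
    audit_only = make_demo_token({"aud": CHINA_GRAPH, "scp": "AuditLog.Read.All"})
    print(device_code_request(AZURE_CLI_CLIENT_ID)[1])
    print("missing:", missing_scopes(audit_only, "/v1.0/organization"))
```

Paste a real token from the Postman response into missing_scopes to see the same gap the decoded-token screenshot shows; the scp claim has to list Organization.Read.All before /v1.0/organization will answer.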

AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

It worked (tested for Azure China and Azure Public cloud).

AZ CLI (Microsoft's Python utility/library) uses the same:

https://azuresdkdocs.blob.core.windows.net/$web/python/azure-identity/1.1.0/_modules/azure/identity/_constants.html