
I have problems subscribing to callRecords in the customer constellation; there I get the response status Forbidden (see the end of the post).

I did these steps:

  1. registered an App Registration with CallRecords.Read.All and granted admin consent
  2. on trying to send the POST request, it worked in none of my coded programs, but in Postman it worked with application permission.

It worked with Postman but not with Azure Functions (started locally) or other coded apps acquiring a fitting bearer token. I got Forbidden as the response message if I sent the POST request with the token I got from program routines.

    // Client-credentials (app-only) token request against the v2.0 token endpoint.
    // Requires: using System; using System.Collections.Generic; using System.Net.Http; using Newtonsoft.Json;
    // TokenResponse is the caller's own class mapping the JSON body (access_token, expires_in, ...).
    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post,
        new Uri("https://login.microsoftonline.com/" + TenantId + "/oauth2/v2.0/token"));

    // Form-encoded body of the client_credentials grant; ".default" requests every
    // application permission that has been admin-consented for this app in the tenant.
    List<KeyValuePair<string, string>> parameters = new List<KeyValuePair<string, string>>();
    parameters.Add(new KeyValuePair<string, string>("client_id", ClientId));
    parameters.Add(new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"));
    parameters.Add(new KeyValuePair<string, string>("client_secret", ClientSecret));
    parameters.Add(new KeyValuePair<string, string>("grant_type", "client_credentials"));
    request.Content = new FormUrlEncodedContent(parameters);

    HttpResponseMessage response = await client.SendAsync(request);
    string data = await response.Content.ReadAsStringAsync();
    // Surface token-endpoint errors (e.g. AADSTS codes) instead of deserializing an error body.
    if (!response.IsSuccessStatusCode)
        throw new InvalidOperationException("Token request failed: " + data);
    Token = JsonConvert.DeserializeObject<TokenResponse>(data);

Listing 1: Getting Access token

I analysed the token I get with jwt.ms (the IDs and other info are marked with ***):

{
  "typ": "JWT",
  "nonce": "***",
  "alg": "RS256",
  "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
  "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/***/",
  "iat": 1633425547,
  "nbf": 1633425547,
  "exp": 1633429447,
  "aio": "***",
  "app_displayname": "***",
  "appid": "***",
  "appidacr": "1",
  "idp": "https://sts.windows.net/***/",
  "idtyp": "app",
  "oid": "***",
  "rh": "***",
  "sub": "***",
  "tenant_region_scope": "EU",
  "tid": "***",
  "uti": "***",
  "ver": "1.0",
  "wids": [
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
  ],
  "xms_tcdt": 1373376639
}.[Signature]

JSON info of the token

The difference between the token from code and the token I got from the Postman app is scp: "CallRecords.Read.All"

Then I found out that if I used an App Registration with the delegated permission User.Read.All, it works for me if a valid user is logged in to the respective tenant; creating a callRecord subscription also succeeded. But on the customer side we have only an App Registration + secret with the permissions CallRecords.Read.All and User.Read.All. In the customer case I get the token without the permission every time. And redirection to the Postman callback URL is not possible in the tenant.

I read the documentation https://learn.microsoft.com/de-de/graph/sdks/choose-authentication-providers?tabs=CS#client-credentials-provider and the corresponding links, but I do not get an overview of what I have to do.

I tried the YouTube video https://www.youtube.com/watch?v=Z1xFjmttEvY for Logic Apps sending this POST too; the steps are similar to the customer App Registration creation. But it failed too (same error). I used https://graph.microsoft.com/v1.0/subscriptions with this body:

{
    "resource": "/communications/callRecords",
    "changeType": "created",
    "clientState": "clientStateValue",
    "notificationUrl": " working URLendpoint>",
    "expirationDateTime": "2021-09-28T18:58:05.9125505Z",
    "latestSupportedTlsVersion": "v1_2"
}

{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: The request is not authorized for this user or application.]",
    "innerError": {
      "date": "2021-10-05T21:47:03",
      "request-id": "aa624900-02bb-4b06-92ba-755889b1f459",
      "client-request-id": "aa624900-02bb-4b06-92ba-755889b1f459"
    }
  }
}

BadRequest. Http request failed as there is an error getting AD OAuth token: 'AADSTS7000112: Application '***'(***-***-***-***-***) is disabled. Trace ID: ***-***-**-***-**Correlation ID: ***-***-***-***-***Timestamp: 2021-10-05 22:58:29Z'.

Update: this happened through "Enabled for users to sign in", but it does not harm Postman; it works too. Why is that so, and how can I copy this behaviour?

Can someone please tell me what I am doing wrong or what I must do so I can acquire a token as Postman does when requesting as an application?

ingo_ww

2 Answers

The permissions you are trying to add require admin consent. When not consented to/granted, as in the screenshot below, AAD will ignore them, resulting in an access token without the roles claim.

To get the access token to contain the claims, make sure two things are well configured.

  1. Make sure the permissions are added for the app and consented to / granted by an admin for the app in the Azure AD portal.
  2. If the application and the users are in different tenants, then ensure the application has a service principal in the user's tenant and has the permissions added and consented to.
Danstan
  • Thanks! At point 1: I have seen that admin consent was granted (as shown in your 2nd screenshot). Point 2 is the problem, and I don't know the necessary steps. There are many ways to create a service principal (PowerShell, Azure portal); I did not find the concrete way how to do it and where. I plan to use function apps (Azure Functions), so I must create a service principal for the function app? I have never done it, and our developer for such admin things is temporarily not available. – ingo_ww Oct 06 '21 at 16:21
  • Is the `TenantId` used in the token acquisition the tenant id that your app belongs to? – Danstan Oct 06 '21 at 17:09
  • Yes, I know the problem: we have a tenant for Outlook, Teams and other stuff and another for Azure resources. From that I know the problem that the callRecords App Reg must be in the Teams tenant to find the resource. And yes, on the customer side I use the customer tenant id too, but I am invited in the tenant and we got access to a customer subscription but no rights on the app registrations. We must tell them what we need, so they created an App Reg and in a web meeting I told them the steps to add **CallRecords.Read.All** and grant admin consent. But I have no account in their tenant. – ingo_ww Oct 06 '21 at 17:21
  • You are correct. In this case the best way to go would be to get the app registered in the same tenant as the one you are authenticating against, and that same tenant should be the one where the call records are located. – Danstan Oct 07 '21 at 04:30
  • Can you describe the steps how to create a service principal for an Azure Function (function app) or Logic App so I can authenticate as an application? And can you tell me what roles & rights my user needs for that; otherwise I will ask a colleague and tell him what he should do. I think for creating service principals very high rights are needed on subscription and resources. But if I know them I could get them for testing in our tenant. So then I can test it directly and say what steps must be done in the customer tenant. I hope you can help me. – ingo_ww Oct 07 '21 at 05:53
  • The customer has, while making changes unattended, revoked the grant of admin consent. But I could not check it (App registrations are not visible), so I saw it was initially granted and I thought the error had a different source. But can anyone tell me why Postman doesn't fail on "disabled for users to sign in" (see the last screenshot in the main post)? – ingo_ww Oct 07 '21 at 13:54
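An added pre-flight check (Python, not code from the question or the answer) that inspects a freshly acquired client-credentials token for the roles claim the answer describes before it is used against Graph, and tells an app-only token apart from a delegated one and from a token issued without consent. The token builder and its claims are constructed for offline testing; in practice the token string would come from a request like Listing 1.

```python
import base64
import json
from typing import Tuple

# Application permission the /communications/callRecords subscription needs (from the page).
REQUIRED_ROLE = "CallRecords.Read.All"
GRAPH_AUDIENCE = "https://graph.microsoft.com"  # aud of the v1.0 token shown on the page


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.
    Only for inspecting a token the client itself just received; Graph validates
    the signature server-side, so no trust decision is made here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_app_token(token: str, required_role: str = REQUIRED_ROLE) -> Tuple[bool, str]:
    """Pre-flight check for a client-credentials token before calling Graph.
    App-only tokens carry application permissions in 'roles'; delegated tokens
    carry them in 'scp'. A token with neither is what Azure AD issues when the
    application permission is not admin-consented (or consent was revoked),
    and Graph then answers 403 Forbidden, as in the question."""
    claims = decode_jwt_payload(token)
    if claims.get("aud") != GRAPH_AUDIENCE:
        return False, "audience %r is not Microsoft Graph" % claims.get("aud")
    if required_role in claims.get("roles", []):
        return True, "app token carries role " + required_role
    if required_role in claims.get("scp", "").split():
        return False, "delegated token (scp): valid for a signed-in user, not for unattended app-only access"
    return False, "no 'roles' or 'scp' claim: admin consent for the application permission is missing or revoked"


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline tests (not a real Azure AD token)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "none"}) + "." + enc(claims) + "."
```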

The posted problem was only caused by an unattended revoking of Grant Admin Consent.

So I apologise for this post, because normally there was no reason for it. Without the ability to see/check the App Registration I could not see the revocation of consent.

I am sorry for this unnecessary work for the respondents.

So generally the answer is correct.

ingo_ww