
My Azure app has the scope User.Read.All approved by an admin:

[screenshot: admin consent granted on the app's API permissions]

I request the following scopes in my oauth registration:

scope:
  - profile
  - email
  - openid
  - offline_access
  - User.Read.All
  - Files.Read.All

And manage to successfully make the authorize call, getting the following response:

{
    "token_type": "Bearer",
    "scope": "profile email openid https://graph.microsoft.com/Files.Read.All",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": "...",
    "refresh_token": "...",
    "id_token": "..."
}

Why is User.Read.All not present in the scope of the generated token?

I also verified the token indeed doesn't grant me access to https://graph.microsoft.com/v1.0/users:

{
    "error": {
        "code": "ErrorInsufficientPermissionsInAccessToken",
        "message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
        "innerError": { ... }
    }
}

Am I missing some configuration?

If I also request the https://graph.microsoft.com/.default permission in the scope, I do get a valid response from the /users endpoint, however it only contains my own user.

Mugen
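To check a token response like the one above without guessing, it helps to compare the requested scopes against the space-separated `scope` field and to read the `scp` and `aud` claims out of the access token itself. The following is an added example, not code from the question or from Microsoft; the token response and the unsigned JWT inside it are constructed here to mirror the shape of the response shown (the real token is elided in the post), and the helper decodes the payload only for diagnostics, since a client must not try to validate a Graph access token.

```python
import base64
import json

# --- constructed sample data (not a real Microsoft token) -------------------
def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Hand-built, unsigned JWT shaped like a Graph access token: header.payload.sig
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({
        "aud": "https://graph.microsoft.com",
        "scp": "profile email openid Files.Read.All",
        "tid": "00000000-0000-0000-0000-000000000000",   # placeholder tenant id
    }),
    "constructed-signature",
])

# Token response mirroring the one in the question (values constructed).
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "scope": "profile email openid https://graph.microsoft.com/Files.Read.All",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": SAMPLE_ACCESS_TOKEN,
    "refresh_token": "constructed-refresh-token",
}

# The scopes the question's OAuth registration asks for.
REQUESTED = ["profile", "email", "openid", "offline_access",
             "User.Read.All", "Files.Read.All"]


def short_name(scope: str) -> str:
    """Strip a resource prefix so 'https://graph.microsoft.com/Files.Read.All'
    and the short form 'Files.Read.All' compare equal."""
    return scope.rsplit("/", 1)[-1] if scope.startswith("http") else scope


def decode_jwt_payload(token: str) -> dict:
    """Decode (WITHOUT verifying) the payload segment of a JWT.
    Diagnostic only: Graph access tokens are for Graph to validate, not us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(requested, token_response) -> list:
    """Requested scopes that the authorization server did not grant.
    The response's `scope` field does not echo offline_access; the presence
    of a refresh_token is the evidence that it was granted."""
    granted = {short_name(s) for s in token_response["scope"].split()}
    if "refresh_token" in token_response:
        granted.add("offline_access")
    return sorted(s for s in requested if short_name(s) not in granted)


def diagnose(requested, token_response) -> dict:
    """Summarise what the token actually carries versus what was asked for."""
    claims = decode_jwt_payload(token_response["access_token"])
    return {
        "missing": missing_scopes(requested, token_response),
        "audience": claims.get("aud"),
        "token_scp": claims.get("scp", "").split(),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(REQUESTED, SAMPLE_RESPONSE), indent=2))
```

Run against the sample data, `diagnose` reports `User.Read.All` as the only missing scope and confirms the token's audience is Graph; a mismatch between the `scope` field and the `scp` claim, or an unexpected `aud`, would point at the wrong resource or tenant endpoint rather than at consent.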
  • Could you share the whole request for oauth registration? – user2250152 Oct 27 '22 at 06:49
  • `https://graph.microsoft.com/.default` in the scope requires adding `Application type permission --> User.Read.All`, but in your screenshot you only gave delegated graph api permission. – Tiny Wang Oct 27 '22 at 07:35
  • @user2250152 I'm using Spring Security to request registration. It's just the scope I mentioned plus clientId, clientSecret – Mugen Oct 27 '22 at 09:09
  • @TinyWang the permission is in graph api, it's just short for `https://graph.microsoft.com/User.Read.All`, like Files – Mugen Oct 27 '22 at 10:19
  • Are you asking for the `User.Read.All` in your authorization request? Not in your app registration, but in your login (token) request? I mean, if you don't ask for it, then you won't be given it (unless you ask for the '.default') – Nikolay Oct 27 '22 at 13:03
  • @Nikolay I do ask for it, I do ask also for `Files.Read.All` and get them, although no mention of this permission in app registration. – Mugen Oct 27 '22 at 13:38
  • @Mugen, can you please share the client request id and timestamp of the query – Mehtab Siddique Oct 31 '22 at 05:52

1 Answer


The problems with my setup were:

  • Should use /organizations/ tenant instead of /common/

  • Should use Delegated permissions instead of Application

  • Specify the scope https://graph.microsoft.com/.default instead of specific graph scopes

Mugen
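Two of the three fixes in the answer are request-side settings: the tenant segment of the authority URL and the scope string. The block below is an added example, not the answerer's Spring configuration, showing the authorization request and the code exchange built with `/organizations/` and `https://graph.microsoft.com/.default` applied; client id, secret and redirect URI are placeholders. The third fix (Delegated rather than Application permissions) lives in the app registration, so nothing in the request can express it.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com"

# Fix 1 from the answer: the tenant segment is "organizations", not "common".
TENANT = "organizations"

# Fix 3 from the answer: ask for Graph's .default instead of individual Graph
# scopes; the OIDC scopes and offline_access stay alongside it.
SCOPES = ["openid", "profile", "email", "offline_access",
          "https://graph.microsoft.com/.default"]

# Placeholder values, constructed for this example.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/azure"


def authorize_url(client_id: str, redirect_uri: str, state: str,
                  tenant: str = TENANT, scopes=SCOPES) -> str:
    """Build the v2.0 authorization-code request URL. `state` is the
    caller-generated CSRF token that must be checked on the redirect back."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request(client_id: str, client_secret: str, redirect_uri: str,
                  code: str, tenant: str = TENANT, scopes=SCOPES):
    """Return (token endpoint, form body) for exchanging the code.
    The scope is repeated here so the issued token is for Graph."""
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", body


def requested_scopes(url: str) -> list:
    """Read the scope list back out of an authorize URL (for checking)."""
    query = parse_qs(urlparse(url).query)
    return query["scope"][0].split()


def tenant_of(url: str) -> str:
    """Extract the tenant segment from an authority-based URL."""
    return urlparse(url).path.split("/")[1]


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    url = authorize_url(CLIENT_ID, REDIRECT_URI, state)
    print(url)
    endpoint, body = token_request(CLIENT_ID, "<client-secret>", REDIRECT_URI,
                                   "<code-from-redirect>")
    print(endpoint, body["scope"])
```

With `.default`, the token carries every delegated Graph permission the app has been consented for, which is why the answer's `/users` call started working once the registration held delegated `User.Read.All`; a registration that holds only Application permissions yields a delegated token with nothing beyond the OIDC scopes, matching the single-user result described in the question.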