Azure Logic App Giving Incorrect O365 Graph Auth Token

Question

Within our azure logic app we are looking to pull down O365 groups from Microsoft Graph but are getting a 'Forbidden' error when trying to pull the groups. The token in the logic app run is not attached to the service account which has all the permissions. When recreating this locally with the same uri on POSTMAN I am able to get a valid token which shows all of the correct permissions and I am prompted to log in to the service account or else I cannot get a token at all. I do not know why the http request in the logic app is giving an incorrect token when the POSTMAN call will. It displays the token in azure logic app result as a sanitized version.

HTTP Call to Get Azure Token

We were expecting to receive an auth token that when decoded showed all of our proper permissions but this can only be recreated in POSTMAN not in azure logic app.

Answer 1

I was able to reproduce the issue and got the result successfully-

Here I am trying to get the User details using Microsoft Graph API as per MS Docs and URL is https://graph.microsoft.com/v1.0/me. Because to get the group details from Graph API, I need to have the privileges to grant admin level consent while adding API permissions in my Azure AD account.

Add the Group.Read.All permission in your Azure AD application to access the Groups and it needs Admin consent.

As I don't have permission to grant the consent, so I am trying to get the User details by adding user.read permission which doesn't require Admin consent.

My workflow looks like below-

In When a HTTP request request is received trigger, I am taking the below schema.

{
"properties": {
"client_id": {
"type": "string"
},
"client_secret": {
"type": "string"
},
"tenant_id": {
"type": "string"
}
},
"type": "object"
}

I have added the HTTP action to get the Bearer token.

Then added Data Operation - Parse JSON action, using the following schema

{
"properties": {
"access_token": {
"type": "string"
},
"expires_in": {
"type": "string"
},
"expires_on": {
"type": "string"
},
"ext_expires_in": {
"type": "string"
},
"not_before": {
"type": "string"
},
"resource": {
"type": "string"
},
"token_type": {
"type": "string"
}
},
"type": "object"
}

Added Initialize variable action and also Set Variable action.

At last Added HTTP action to pull the user details from Graph API

After triggering the logic app, I am getting the user details-

Check the Output in the Run History-