Updating scope after adding permission to multi-tenant app - microsoft-graph-api

I need to add an integration for One Drive to an app that I've already integrated with Outlook.
The problem is that after adding Files.ReadWrite.All and granting permissions in both App Registration and Enterprise Application, it doesn't appear in the scope of the access token, so the token isn't being updated with the new permission.
Not sure if it's important, but Calendars.ReadWrite (for Outlook) appears in both Admin & User consent in the Enterprise App, while Files.ReadWrite.All only appears in Admin consent. They're both present in the App Registration.
Any ideas?
These are the permissions:
And this is the token response:

Comment moved to answer:
After my test, it does appear in my access token. You need to confirm that your token is obtained by the application that you granted permission to. Check the appid in the token to make sure it matches the application in Azure AD. If the application id is the same, try to request an access token again and parse it.

Related

The `Files.ReadWrite.AppFolder` scope requires additional permissions for folder to be provisioned

This is an issue I'm seeing for MSAs (Personal OneDrives)
I've created an AAD App registration with the User.Read and Files.ReadWrite.AppFolder Graph API permissions. The application is intended to be used to upload scanned documents from a scanner to the user's OneDrive.
I get an Access Denied exception when calling the graphClient.Drive.Special.AppRoot.ItemWithPath(<random filename>).CreateUploadSession().Request().PostAsync() API. However, if I add the Files.ReadWrite.All API permission to the AAD App registration, have a user consent to that permission, upload a file to the app folder, remove the Files.ReadWrite.All API permission, and reauthenticate the user, calls to graphClient.Drive.Special.AppRoot.ItemWithPath(<random filename>).CreateUploadSession().Request().PostAsync() work as expected.
This seems to be an issue with the initial provision of the app folder.
Could you please try adding the Files.ReadWrite permission in place of Files.ReadWrite.AppFolder?
ref doc - https://learn.microsoft.com/en-us/graph/api/driveitem-post-children?view=graph-rest-1.0&tabs=csharp

How to revoke access/refresh token on microsoft graph API

I have integrated Microsoft Teams in my project, where a user can give us access to create meetings on Teams on his/her behalf. But now I want to give the user an option to disconnect his/her account, i.e. we will no longer be able to create meetings on the user's behalf.
I am facing a few problems in this flow:
I am unable to find an API where I can send a request on the user's behalf to invalidate an access/refresh token.
If I remove the token stored at my end and then the user again tries to connect their Microsoft account with our website, it no longer asks for the user's consent (which is a basic requirement for OAuth) to give access to our app (if the user is logged in to their Microsoft account in the browser, he/she does not see the consent page; the account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
In the end, all I want is that when the user tries again to connect his/her Microsoft account with our app, he/she sees the consent page (every time he tries to connect the account), and then the user clicks the allow button, which gives us the access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1) To invalidate an access token on the user's behalf, refer to this DOC.
2) For fetching the access token using the refresh token, please refer to this DOC.
Hope this is helpful.
An alternative solution for prompting the user to the consent page is simply appending prompt="consent" to the OAuth2 URI parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
Here you can find the documentation about the parameters.

Does Microsoft Graph work without User.Read scope?

My question is, does Microsoft Graph work without the User.Read scope? I am not able to request the email, profile and openid permissions directly.
It throws an AccessDenied error. So is User.Read a prerequisite for email, profile or openid?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission, but in most cases you do, because your app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the API document to see if calling that API requires the User.Read permission.
For instance: I want to call this API to list emails, and we can see that this API provides 2 kinds of permissions, one for delegated and another for application (this means the client credential flow is supported). All the API permissions are listed here, and we need to go to the Azure AD portal to add the API permission to your Azure AD application which is used to generate the access token.
After generating the access token, you can use a JWT decode tool to check if your access token contains the correct scopes (for delegated permission) or roles (for application permission). Using a correct token to call the API will not lead to an AccessDenied error. By the way, a newly added permission may take a while to take effect.
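As an added example that is not part of any post above, this is the check the two answers describe done offline: decode the access token's claims (no signature verification, inspection only) and report whether appid and aud match what you expect and whether a permission is present as a delegated scope (scp, space-separated string) or an application role (roles, JSON array). The app id, audience and token payloads are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Inspection only: use it to read appid/aud/scp/roles, never to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, expected_appid: str, expected_aud: str, permission: str) -> dict:
    """Explain why a Graph call may fail: wrong app, wrong audience, or missing permission."""
    delegated = set(claims.get("scp", "").split())   # delegated scopes: space-separated string
    app_roles = set(claims.get("roles", []))         # application permissions: JSON array
    granted_as = ("delegated" if permission in delegated
                  else "application" if permission in app_roles else None)
    return {
        "appid_matches": claims.get("appid") == expected_appid,
        "aud_matches": claims.get("aud") == expected_aud,
        "granted_as": granted_as,
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for offline demonstration; the signature part is a dummy.
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummysig"


APP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder client id
GRAPH_AUD = "https://graph.microsoft.com"          # Microsoft Graph audience
# Delegated token that still carries only the Outlook permission, like the first question.
SAMPLE_DELEGATED = make_sample_token(
    {"aud": GRAPH_AUD, "appid": APP_ID, "scp": "Calendars.ReadWrite User.Read"})
# App-only token (client credentials): permissions appear in "roles", not "scp".
SAMPLE_APP_ONLY = make_sample_token(
    {"aud": GRAPH_AUD, "appid": APP_ID, "roles": ["Group.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", SAMPLE_DELEGATED), ("app-only", SAMPLE_APP_ONLY)):
        print(name, check_token(decode_jwt_claims(tok), APP_ID, GRAPH_AUD, "Files.ReadWrite.All"))
```

A token whose aud is a different resource (for example the older https://graph.windows.net) will show aud_matches False even when the permission was granted on Microsoft Graph.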

Where to manage admin-only MS Graph permissions for app registered through Application Registration Portal

I have created a native application in the Application Registration Portal at https://apps.dev.microsoft.com.
I have configured an Xcode project based on the MSAL framework for iOS, and am able to consume data from MS Graph when only the user's consent is required (like User.ReadBasic.All)
However, if I want to access the User.Read.All scope, it doesn't work. I am met with the requirement for an admin to give access (as expected), but my administrator is not able to find the place to give the necessary permissions.
Logging in with administrator credentials when prompted for them in the webview 'grant access' screen (see screenshot below) doesn't work (redirects back to the same screen again, seemingly not accepting the admin credentials as admin credentials).
We are not sure whether that is the way to grant the application the permissions anyway, since the documentation is not explicit about how the admin can grant the necessary permissions.
We cannot find the place in Azure AD where the admin permission can be granted.
There is a lot of documentation about how to use the MSAL framework, but there seems to be that step missing.
After adding the Microsoft Graph permissions that your app requires in the application registration portal, you could manually request admin consent by redirecting to the admin consent endpoint in a browser:
GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Please click here for more detail about the admin consent endpoint.
For iOS the redirect URL needs to match the URL scheme registered in the app, which is msal{client-id}://auth if you used guided setup when creating the app on apps.dev.microsoft.com. It only works if you put the admin consent endpoint above into the browser on the phone where the app is installed, since otherwise there is nothing to redirect to.

Microsoft Graph - Why permission/scope "Group.ReadWrite.All" is able to do PATCH on user profile properties?

Tool: postman
Created an Azure AD app, granted the app-only permission Group.ReadWrite.All for the Microsoft Graph app; the app has the standard delegated permission "Sign in and read user profile" on the "Windows Azure Active Directory" app.
Requested a token for the Azure AD Graph API at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using the client credentials grant flow;
Got the token back.
Used the token and did a GET on a user: OK.
Did a PATCH on a user (the modification succeeded, with HTTP code 204 returned);
This looks very strange to me: why was an app able to do a PATCH on a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to perform more than just group manipulation) will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
There are two issues here:
Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.
Issue #2) The Azure AD portal does not remove the application service principal from the Directory Writer role if you remove the "Read and write directory data" permission from the Windows Azure AD app.
