I have asp.net core web api which is talking to MS Garaph Api.I have Implemented ROPC using service account to talk to onedrive. I have created the MS graph Api app in MS Portal 2 years back using the same service account. The the portal is obsolete now and the App is moved to Azure Portal. But i can get the Bearer token using ROPC and consuming Graph api and its working good.
Now i tried to mimic the same, i have created a new app in azure portal with same credentials and similar Metadata.The service account user type is member in azure Portal. I am getting the following error for the new App
"error": "invalid_grant",
"error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID
any ideas would be appreciated.
Thanks in advance
Subbiah K
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot give the administrator permission), you can set up user roles according to here process.
Then follow this process to grant administrator consent to the app:
1.Log in to https://portal.azure.com as a tenant administrator.
2.Open the registration of your application in the following location.
3.Go to settings and then the required permissions.
4.Press the grant permission button.
In the Azure portal, I registered the application for testing and used User.Read permission to demonstrate:
Then use the ROPC flow in postman to get the access token:
Related
The use case is quiet simple, I want to read and write to calendars on a daemon (backend workflow) from personal Microsoft account or azure AD account.
Then I registered an Enterprise application in Azure Active Directory admin center with:
the account type « Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) ».
permissions on read write on calendars + read on user
a generated client secret
a redirect uri
For all accounts from the same Azure Active Directory, the authentication with the client secret and the impersonation of the targeted email works well.
But for personal Microsoft accounts it is not. If I understood correctly I need to use the client credentials flow to grant the user. Then the user need to go on the admin consent url as explained: https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=12345&redirect_uri=<redirect_uri>.
But when logging in with a personal account it results in a redirection to the specified redirect uri with the error:
AADSTS500200: User account '{EmailHidden}' is a personal Microsoft account.
Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization.
Try signing out and signing back in with an organizational account.
Research
I tried some solution of the error AADSTS500200 with this article: https://github.com/MicrosoftDocs/SupportArticles-docs/blob/main/support/azure/active-directory/error-code-AADSTS50020-user-account-identity-provider-does-not-exist.md (note that the error number is missing a last zero). But I still receive the same error or an other error Needs admin approval when the personal account is invited.
Needs admin approval (french only)
Question
Is it possible to read data on personal Microsoft account ? How to achieve this ? Is there any other way ?
It is not possible to use Microsoft personal accounts with the client credentials flow.
The solution is to use the authorization-code flow and use the scope offline_access during the authorization request and the token request. So that the refresh_token that can be used to regenerate new refresh_tokens.
We have to generate an online meeting request from our Dynamics CRM System. We tried using the Microsoft graphs API, and were able to generate the token. However while submitting the request, we get a 403 Forbidden Error. We have registered our application in Azure and also given the required API permissions.
I have attached the screenshots of our testing. I am testing this on my personal Azure test account.
Screenshots
The user has to consent the permission:
Consent experience
Azure AD will sign the user in and ensure their consent for the permissions your app requests.
At this point, the user will be asked to enter their credentials to authenticate with Microsoft. The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
I am planning to integrate Azure Authentication in my Drupal 7 site. I got the Token endpoint URL, Client ID, Client secret from Azure Support team for my site URL. When i tried to connect getting below error "Access token requested for user XXXXX: FAILURE"
Thanks in advance
Girija
This error can occur for a few reasons:
The client application is not registered in the Azure AD or is not added to the user's Azure AD tenant. Ensure that you have registered the application in the correct tenant and ensure that the client id, client secret, and tenant ID in your application registration match what you have in your web.config or app settings.
The error usually can also mean you got an incorrect access token for the resource. Are you using Graph API? I have seen this error before when someone tried to get the access token for Azure AD Graph API but used that access token to access Microsoft Graph API. The same could be going on with your drupal site.
Can you please post the full error message here?
I am new to Microsoft Graph and SharePoint Framework. Recently developing spfx webpart with Graph API's integration.
I have registered the app in https://apps.dev.microsoft.com portal and AAD implementation through hello.js.
The first time browsing to the page, it redirects to Microsoft app login page and prompt for credentials.
Once authentication successful then it's working fine, from then on it does not prompt for credentials.
Is there any possiblities to access MS Graph API directly using Application Id, and Secret without prompting for login?
Yes, you will want to use the client credential flow to do this. You will only have access to organizational data (/me won't work for example, but /users will). There is an article on getting access here.
You will need to log in as an admin one time per application to authorize your app to use your tenant's data. You can do this at:
https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
Tool: postman
Created azure ad app, granted app-only permission Group.ReadWrite.All for Microsoft Graph app, the app has standard delegation permissions as "Sign-in and read user profile on" "Windows Azure Active Directory" app.
Requested token for AzureAD graph api at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using client credential grant flows;
Got token back
Used the token and did a GET on a User OK
Did a PATCH on a user ( modification went successfully with http code 204 back);
This looks very strange to me, why an app was able to do patch on a user in azure ad when app is only granted Group.ReadWrite.All on Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
There are two issues here;
Issue #1) Wrong documentaiton for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All), It requires both Directory.ReadWrite.All AND Group.ReadWrite.All ,
Issue #2) Azure AD portal does not remove Application service principal from Directory Writer Role if you remove "Read and write directory data" permission from Windowes AzureAD App