Microsoft Graph API not able to use mail.read - oauth-2.0

Within my application I generate an access token via
GET https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&response_type=code&response_mode=query&scope=user.read+mail.send+mail.readwrite&redirect_uri=https%3A%2F%2Fgraphresponse%2F&prompt=consent
to use the code on
POST https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
with application/x-www-form-urlencoded: grant_type=authorization_code&redirect_uri=https%3A%2F%2Fgraphresponse%2F&client_id=<CLIENT_ID>&scope=user.read+mail.send+mail.readwrite&client_secret=<CLIENT_SECRET>&code=<CODE>
So far so good, i receive a bearer token like this (formatted for readability):
{"token_type":"Bearer",
"scope":
"Mail.Read Mail.Read.All Mail.Read.Shared
Mail.ReadBasic Mail.ReadWrite Mail.ReadWrite.Shared
Mail.Send openid User.Read profile email",
"expires_in":3600,
"ext_expires_in":3600,
"access_token":"<TOKEN>"
}
and I can use the following endpoints
GET http://graph.microsoft.com/v1.0/me
POST http://graph.microsoft.com/v1.0/me/sendMail
POST http://graph.microsoft.com/v1.0/me/messages
but I get the following error
GET http://graph.microsoft.com/v1.0/me/messages
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "xxxxxxx",
"date": "2019-03-12T13:38:47"
}
}
}
Did I miss any configuration that is neccessary explicitly to read the current users inbox, or is there any admin configuration required?

As you are trying with authorization code flow so you need follow the below
step to access
https://graph.microsoft.com data.
Note:
Make sure you have office 365 user account registered
All Required permission grant
As the document explain first you need token request code
response_type = code
To do that there are two ways.
From postman request and From browser with your required credentials
Here I would show postman workaround you could also try it pasting on browser.
Postman Code Access Example
Here make sure in portal you have configure this URL as expected see the below screen shot:
To get v2.0 token request access code set request endpoint to:
https://login.microsoftonline.com/common/oauth2/v2.0/token
Content type to : application/x-www-url-form-urlencoded
See the screen shot below:
Now Click on Authorization tab and select type OAuth 2.0 and click on Get New Access
Token. See the screen shot below:
You Will prompt postman popup like below:
Enter Your necessary information here and click Request Token
In postman console body segment you will get access code for token request. See the screen shot below:
Copy the code for next use.
Now add a new tab on post man for token request like below:
In response you will get you access token like below:
Now with this token request to your expected endpoint for example http://graph.microsoft.com/v1.0/me
See the screen shot below:
In response you will get your endpoint data as expected
See the screen shot below :
If you have any more question just let me know Thank You.

Related

Calling MS Graph Reporting methods via postman

Problem Description
I was trying to call this GET via Graph Explorer
https://graph.microsoft.com/v1.0/reports/microsoft.graph.getM365AppUserCounts(period='D7')
But it fails the following error:
The response content is not available in Graph Explorer due to CORS policy. You can execute this request in an API client, like Postman. Read more about CORS and understand how it works here.
What I've Tried so Far
So I went ahead and tried to set up a new application registration in Azure Portal, with a client secret. I've tried both Id Tokens and Access Tokens but I get the same results.
As far as API permissions, I'm not sure what I'm supposed to add to access the reports about M365 application usage. In my case I want to find out the forms usage.
I then forked the MS Graph collection into my local postman workspace and have the following values in the Authorization tab for the collection :
Access Token URL: https://login.microsoft.com/<tenantID>/oauth2/token
Client ID: (new app registration id)
Client Secret: (new secret)
It seems to generate a token no problem. I created a custom query under the MS graph collection and the authorization is set to inherit from parent. And when I check the headers tab, I can see it's using an Authorization header with the token.
But I consistently get the following error message in postman:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2022-10-26T19:52:48",
"request-id": "ggg-3d7b-ggg-a748-ggg",
"client-request-id": "sdfg-3d7b-47d9-a748-sdfg"
}
}
}
Specific questions
What API permissions are needed to run those reports?
any idea on why I'm getting the invalid token error? Is it because I am missing scope?
If i need scope what value do i supply?
Any help would be appreciated.
EDIT 1
I've updated the scope value in Postman to use:
https://graph.microsoft.com/.default
I've updated my Azure Application Registration to move all API permissions except "Reports.Read.All - Application"
In the specific Postman request, under the authorization tab, the value is set to "inherit from parent". Under "Headers" tab, I can see it adds the "Authorization" header with the value of my token. When I click on the "Go to authorization" hyperlink from the headers page, it takes me to the correct Authorization configuration section in the top level folder of the mS Graph collection.
After making these changes, I'm still getting the same error message "message": "Access token validation failure. Invalid audience.","

Microsoft Graph Mail Query - Getting "ErrorAccessDenied"

My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the microsoft graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
This is the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2020-09-14T11:22:30",
"request-id": "{some_string}",
"client-request-id": "{some_string}"
}
}
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes you would need to send the AccessToken in the Authorization header, you should also include the x-anchormailbox header which helps route the request to correct mailbox eg
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token you can use https://jwt.io/ for that
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

Either scp or roles claim need to be present in the token

I'm trying to build an application that uses Microsoft Graph to automatically create and read pages in OneNotes stored in SharePoint 365.
I can successfully do this using Graph Explorer as long as I am logged in, but can't get it to work using a bearer token in Postman
The error I am getting is:
Either scp or roles claim need to be present in the token
I successfully get an access token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
And passing in the grant_type, client_id, client_secret, code, redirect_uri and scope
Then I perform the following call, with the bearer token included in the header:
https://graph.microsoft.com/v1.0/sites
With the following getting returned:
{
"error": {
"code": "AccessDenied",
"message": "Either scp or roles claim need to be present in the token.",
"innerError": {
"request-id": "fa442c72-4ffe-493b-a33a-8e9e78c94f09",
"date": "2018-01-19T09:56:34"
}
}
}
I have set up graph permissions as per below. I have also tried enabling ALL Notes permissions configured with the same result though
Graph Permissions Image
One post I found said to check http://jwt.calebb.net/ what is returned in the token, and I found that it doesn't contain any roles, so I wonder if this is the problem.
You may need to state your tenant in the url when getting the token :
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Thanks to Tsuyoshi Matsuzaki as seen here : How to use Application Permission with Azure AD v2
Your application can get access token using the following HTTP request
(OAuth). Note that you cannot use
https://login.microsoftonline.com/common/oauth2/v2.0/token (which is
commonly used) for getting the token. Instead, you must use
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, which
identifies the specific tenant.
The call that you mentioned "https://graph.microsoft.com/v1.0/sites" is not valid.
Also request to ~/sites/... routes may need other permissions in addition to Notes.ReadWrite.
Recommend to follow steps mentioned in the following references:
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

Microsoft Graph API BadRequest Current authenticated context is not valid

I am trying to develop a simple background app to connect to my onedrive account (work) and regularly download some files.
I followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
I have registered the app here https://apps.dev.microsoft.com/portal/register-app
I have written down the client_id and client_secret
To get an access token I make a POST request to
https://login.microsoftonline.com/common/oauth2/v2.0/token
with the following form encoded data
{
'client_id': 'clientid here',
'client_secret': 'secret is here',
'scope': 'https://graph.microsoft.com/.default',
'grant_type': 'client_credentials',
}
I get back an access_token
{'ext_expires_in': 0,
'token_type': 'Bearer',
'expires_in': 3600,
'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciO---SHORTENED FOR BREVITY'}
Next I make a GET request (with Bearer header properly set) to https://graph.microsoft.com/v1.0/me
and get this eror response (which I get for any endpoint fwiw)
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "91059f7d-c798-42a1-b3f7-2487f094486b",
"date": "2017-08-05T12:40:33"
}
}
}
I have these permissions configured in the app setting
Any ideas what might be wrong?
I'll file a bug to improve this awful error message. The problem is that you are making a request using application permissions (client_credentials flow) - where there is no signed-in user context. Your request is to /me, and /me is basically an alias for the signed-in user - and in this case there isn't one!
You should try a call to https://graph.microsoft.com/v1.0/users instead. But, before you do that. In the app registration portal, you've selected delegated permissions, but you are calling with application permissions. You should remove the delegated permissions, and select the appropriate application permissions - to call users, select User.Read.All for example. Then make sure to consent/reconsent your app by going to the /adminconsent endpoint.
Please also read more on permissions and delegated and application permissions here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Hope this helps,
i used https://graph.microsoft.com/v1.0/users/{{Emailid}}/messages to get all the messages in my inbox
In clientCredential flow you are accessing as an with Client secret or with client certificate . So Graph API no linger understands who is me. So you need use https://graph.microsoft.com/v1.0/users/<Your_userId> or https://graph.microsoft.com/v1.0/users/<your_userprincipalname>.
eg.https://graph.microsoft.com/v1.0/users/1sd1353as..
or
eg.https://graph.microsoft.com/v1.0/users/John_doe#contso.com
Reference: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

How to access another user's data via the Graph API?

Using the Graph API and related authentication/authorization flows, how can I access data of all users in an organization? Also, multiple organizations/tenants need to be able to use the app.
As an example: I have an app which needs to read events from all calendars of all users under contoso.onmicrosoft.com. I would like that jack#contoso.onmicrosoft.com, the administrator, authorizes the app which will then be able to read the mentioned the data. Using the Managed API this can be easily done via impersonation.
However, I am trying to do the same with Graph API and OAuth, but I can't find a straight forward solution, or I must be missing something very obvious. I have created an app through manage.windowsazure.com (multi-tenant), and configured it so that it requires Microsoft Graph API (all application and delegated permissions).
I did the following:
1) Point jack#contoso.onmicrosoft.com towards https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=<my redirect url>&client_id=<my client id>
2) Jack authorizes the app
3) I get back: <my redirect url>/?code=<my authorization code>&session_state=<blah>
4) I send a POST request like below:
POST https://login.microsoftonline.com/common/oauth2/token
Headers: content-type: application/x-www-form-urlencoded
Body:
grant_type=authorization_code&code=<my auth code from step above>
&redirect_uri=<my redirect url>
&client_id=<my client id>
&client_secret=<my client secret>
&resource=https%3A%2F%2Fgraph.microsoft.com%2F
5) When I do the following:
GET https://graph.microsoft.com/v1.0/users/jack#contoso.onmicrosoft.com/messages
Headers: Authorization: Bearer <auth token from step #4>
I get a 200 OK response with the messages.
When I do the following:
GET https://graph.microsoft.com/v1.0/users/anyotheruser#contoso.onmicrosoft.com/messages
Headers: Authorization: Bearer <auth token from step #4>
I get a 403 Forbidden response with:
{
"error": {
"code": "ErrorAccessDenied",
"innerError": {
"date": "2016-06-07T08:47:27",
"request-id": "5b629e30-e6bd-474d-b3dd-8ce25c5ad1c4"
},
"message": "Access is denied. Check credentials and try again."
}
}
The flow/URLs you've referenced are for the authorization code flow which leverages delegated scopes.
A) If you want the app to only work (i.e. access all calendars) for admins then you are using the right flow.
B) If you want the app to work for all users after the admin consents to it, you'll need to use the app (client credentials) flow and use application scopes. This means that you'll need to separate out consent from the regular auth flow.
For consent you'll need to to point the admin to the following url:
GET https://login.microsoftonline.com/common/oauth2/authorize?resource=https://graph.microsoft.com/&client_id=<YourClientId>&client_secret=<YourClientSecret>&response_type=code&redirectUri=<YourRedirectUri>&prompt=admin_consent
For auth flow you'll need a single call from your web server:
POST https://login.microsoftonline.com/common/oauth2/token
body resource=https://graph.microsoft.com/&client_id=<YourClientId>&client_secret=<YourClientSecret>&response_type=code
Or better yet, just use ADAL's AquireToken(resource, clientCredentials) overload.
Once that's done, your app should be good to go to make requests to Graph.
Regardless if you want to stick to A) or switch over to B), to double check that things are set up correctly you can:
Check the token that you get back from Graph (the one you attach to the request along with Bearer) and confirm that it has a roles entry with the roles you need i.e. Calendars.Read
NOTE: The following steps 2.a & 2.b require you to have admin to a test tenant where you'd be consenting to the application.
2.a Use GraphExplorer (https://graphexplorer2.azurewebsites.net/) and confirm that consent has been properly set up by querying
beta/servicePrincipals?$filter=displayName eq '[YourApplicationName]'
If nothing shows up, then the no one has consented to the application.
2.b (only applicable for auth code flow with delegated scopes) Use GraphExplorer and confirm that either delegation has been authorized correctly by querying
beta/oauth2permissiongrants?$filter=clientId eq '[IdFrom ServicePrincipal in 2.a]'
And ensuring you get either a result for the specific user in question or for "AllPrincipals".
More info on app vs delegated scopes here: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
More info on app flow here: https://graph.microsoft.io/en-us/docs/authorization/app_only
Please use the app-only auth flow (see https://graph.microsoft.io/en-us/docs/authorization/app_only) to use the application permissions - for the token request (step 4) you need to pass grant_type=client_credentials instead of grant_type=authorization_code.

Resources