
I am trying to access MS Graph using an AAD account; this account is global admin and has every right delegated. I want to do it without interactive sign-in, i.e. using UserPasswordCredential. When trying to access MS Graph I get the error:

[screenshot of the error]

My flow:

Getting token:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL v3 (UserPasswordCredential is .NET Desktop only)

// Assumed here (not declared in the posted snippet): the application (client) ID of the registered app.
private static readonly string appId = "<application-id>";

public async Task<string> GetUserAccessTokenAsync()
{
    // Resource Owner Password Credentials: the user's password is sent straight to Azure AD.
    UserPasswordCredential userPasswordCredential = new UserPasswordCredential("[email protected]", "password");
    AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/tenant.onmicrosoft.com");
    // The resource parameter decides which API the token is issued for; as posted, it is https://graph.windows.net.
    AuthenticationResult token = await authContext.AcquireTokenAsync("https://graph.windows.net", appId, userPasswordCredential);

    return token.AccessToken;
}

using token:

using System.Net.Http.Headers;
using Microsoft.Graph;

public static GraphServiceClient GetAuthenticatedClient()
{
    GraphServiceClient graphClient = new GraphServiceClient(
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                // Adal wraps GetUserAccessTokenAsync above; a new token is acquired for every request (no caching).
                Adal adal = new Adal();
                string accessToken = await adal.GetUserAccessTokenAsync();

                // Append the access token to the request as a Bearer token.
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
            }));
    return graphClient;
}

Trying to call MS Graph to read events:

try
{
    // Get events (eventsService and items are declared elsewhere in the calling code).
    items = await eventsService.GetMyEvents(graphClient);
}
catch (ServiceException se)
{
    // This is where I get the error; se.Error.Code and se.Error.Message carry the reason Graph returned.
}

Delegated Permissions: [screenshot of the delegated permissions configured for the app]

Any ideas where I'm going wrong?

3 Answers


Well your resource URI is wrong at least. It should be:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL v3

public async Task<string> GetUserAccessTokenAsync()
{
    UserPasswordCredential userPasswordCredential = new UserPasswordCredential("[email protected]", "password");
    AuthenticationContext authContext = new AuthenticationContext("https://login.microsoftonline.com/tenant.onmicrosoft.com");
    // Request the token for the Microsoft Graph resource, so its audience matches the API being called.
    AuthenticationResult token = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", appId, userPasswordCredential);

    return token.AccessToken;
}

https://graph.windows.net/ is for Azure AD Graph, not MS Graph.

For MS Graph API you must use https://graph.microsoft.com/.


2 Comments

lord... Sometimes I surprise even myself. Thanks for this, would never have spotted it.
I typo'd the resource URI in the code example; now it's fixed.

After doing more research I understand that we need to obtain Admin permissions. Found in the docs: "App-only scopes (also known as app roles) grant the app the full set of privileges offered by the scope. App-only scopes are typically used by apps that run as a service without a signed-in user being present" https://graph.microsoft.io/en-us/docs/authorization/permission_scopes I was getting a successful result with the user token since that was under delegated permissions. Hope this helps someone in the future.

Comments


After further research it looks like we do need Admin permissions given that we are using the App-only scopes instead of delegated permissions. Basic read operations under app-only scope are designated Admin-only. Hopefully this helps someone having the same issue. https://graph.microsoft.io/en-us/docs/authorization/permission_scopes

Comments
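An added example, not code from the question or any of the answers: a small diagnostic that decodes an Azure AD access token's payload (without verifying the signature, so it is for inspection only; the API is what actually validates the token), checks the aud claim against the Microsoft Graph resource URI and its well-known application ID (00000003-0000-0000-c000-000000000000; Azure AD Graph is 00000002-0000-0000-c000-000000000000), and reports whether the token carries delegated permissions (scp claim, signed-in user) or app-only permissions (roles claim, no user), which is the distinction the last two answers are about. The three sample tokens are constructed inline with alg "none" and an empty signature so the script runs offline; they are not real tokens.

```python
import base64
import json

# Well-known identifiers of the two Graph APIs; either form can appear in the aud claim.
MS_GRAPH_RESOURCE = "https://graph.microsoft.com"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
AAD_GRAPH_RESOURCE = "https://graph.windows.net"
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(access_token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked:
    this is a client-side diagnostic, not token validation."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def is_for_ms_graph(claims: dict) -> bool:
    """True if the token was issued for Microsoft Graph (not Azure AD Graph or anything else)."""
    accepted = {MS_GRAPH_RESOURCE, MS_GRAPH_APP_ID}
    return any(a.rstrip("/") in accepted for a in _audiences(claims))


def permission_model(claims: dict) -> str:
    """'delegated' when scp is present (a signed-in user), 'app-only' when only roles is
    present (client credentials, no user), otherwise 'none'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "none"


def diagnose(access_token: str) -> dict:
    """Summarise why a token would or would not be accepted by Microsoft Graph."""
    claims = decode_claims(access_token)
    if "scp" in claims:
        permissions = claims["scp"].split()
    else:
        permissions = list(claims.get("roles", []))
    return {
        "audience": _audiences(claims),
        "for_ms_graph": is_for_ms_graph(claims),
        "model": permission_model(claims),
        "permissions": permissions,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with alg none and an empty signature. Test fixture only:
    Azure AD never issues such tokens and Graph would reject them."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens (not real): the poster's original situation, the fixed one, and an app-only one.
WRONG_AUDIENCE_TOKEN = make_unsigned_token(
    {"aud": AAD_GRAPH_RESOURCE, "scp": "Directory.Read.All", "upn": "[email protected]"})
DELEGATED_TOKEN = make_unsigned_token(
    {"aud": MS_GRAPH_RESOURCE, "scp": "Calendars.Read User.Read", "upn": "[email protected]"})
APP_ONLY_TOKEN = make_unsigned_token(
    {"aud": MS_GRAPH_APP_ID, "roles": ["Calendars.Read"]})

if __name__ == "__main__":
    for name, tok in [("wrong audience", WRONG_AUDIENCE_TOKEN),
                      ("delegated", DELEGATED_TOKEN),
                      ("app-only", APP_ONLY_TOKEN)]:
        print(name, diagnose(tok))
```

Running diagnose on the token produced by the original GetUserAccessTokenAsync is the quickest way to confirm the first answer's point: the audience comes back as https://graph.windows.net, so Graph rejects it regardless of how many permissions the global admin holds. The same check also shows the caveat behind the last two answers: a token obtained with a username and password always has scp (delegated), so Calendars.Read as an app-only role is irrelevant to it, and a service that really runs without a user should use the client credentials grant with application permissions rather than a stored global admin password, which this flow sends to Azure AD on every request and which cannot satisfy MFA.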
