1

My website is using the GraphClient Library (http://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient) to query Azure AD. Its using its own credentials and authorization token to access graph.windows.net and this works fine.

I'm trying to change it so that when users log into my website and authenitcate using their own Microsoft tenant account, my website then queries the graph.windows.net using that users token and not its (the webserver) own.

I'm using OWIN middleware, OpenID against Microsoft for authentication and finally the GraphClient to query AzureAD.

Right now my process is in OWIN Notifications => AuthorizationCodeReceived I do a AcquireTokenByAuthorizationCode() to retrieve the users AccessToken, then I try connect to the GraphClient like so.. 

new ActiveDirectoryClient(
  new Uri(graphResourceID + '/' + tenantID),
  async () => userAccessToken
)

The GraphClient always returns a response saying 'insufficient privileges' to all the calls I checked. But if I create a simple HTTPClient request to the graph.windows.net REST API and inject the "Bearer" authoriaztion header with userAccessToken from above then the Graph API gives me a valid response.

Why is the GraphClient library returning 'insufficient privileges' when a simple HTTPClient request works fine?

Improve this question

1 Answer 1

Reset to default
1

Connecting to your Azure Active Directory, you should be able to configure the permissions for your application :

enter image description here

enter image description here

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.