0

I am trying to use the Graph API, I am authenticating against a SharePoint site as the resource URL. This is because I am using C# CSOM api to talk with the sharepoint site.

When I try and make a graph api request with the same bearer token it says unauthorised. I have given the mobile app the permissions for Graph API too. Does this mean that my resource uri needs to be different, if so what should it be as its not clear? I am unsure how to find it.

I basically want to give the registered app in azure permission to sharepoint and graph api. When I get the token, I want to be able to use this for both types of requests

var client = new HttpClient();

client.DefaultRequestHeaders.Add("Accept", "application/json");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "TOKEN_FROM_AUTHENTCIATION");

var result = client.GetAsync("https://graph.microsoft.com/v1.0/me/messages?$select=subject,from,receivedDateTime&$top=25&$orderby=receivedDateTime%20DESC").Result;

My connection details are similar to the following:

<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:Tenant" value="mytenant.onmicrosoft.com" />
<add key="ida:ApplicationId" value="A GUID" />
<add key="ida:RedirectUri" value="http://AnyUri/" />
<add key="ida.ResourceUrl" value="https://mytenant.sharepoint.com/" />

I am thinking that my ResourceUrl need to be a graph api one but unable understand what it should be, Do I have to create an instance of the graph api for my domain?

I am making this request with the token using fiddler as follows, but this comes back as unauthorised 401

GET https://graph.windows.net/22312560-20c8-0000-0000-0000000000/users/[email protected]/$links/manager?api-version=1.6

Content-Type: text/json
Accept: application/json
Host: graph.windows.net
Content-Length: 0
Authorization: Bearer <THE_TOKEN>
Improve this question

1 Answer 1

Reset to default
1

Here are the steps you need to follow to make sure your app works as expected:

  1. Make sure your app registration has permissions to the Microsoft Graph with the scopes needed to make your API call.

  2. Set your resource to "https://graph.microsoft.com/"

  3. Get a new access token for this resource.
  4. Call the Microsoft Graph API with this new token. You can check that everything looks good by using a JWT decoder like this one.
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Hi Shawn, I have set the ResourceId to graph.microsoft.com but the token I still get says not authenticated when I try and make a fiddler request, Ill update my question with the fiddler example, what is a simple graph request that I could try?
Note that the Azure Active Directory Graph API https://graph.windows.net/ is different than the Microsoft Graph API https://graph.microsoft.com/. If you get a token to a specific resource, that token is only valid when calling that resource. The error here seems like you are calling the AAD Graph API with a token for MS Graph API. Instead try making this call: https://graph.microsoft.com/v1.0/me/
Perfect, thank you that's great, such a simple thing now you have shown me, much appreciated
Would you know if it is possible to authenticate again a sharepoint site and then use that same token to get the graph api details. At the moment I am getting the sharepoint token pointing to this resource srmukdev.sharepoint.com, but we dont want to login twice as we are using the MFA authentication?
Question raised here stackoverflow.com/questions/45544892/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.