
I'm trying to use the Microsoft Graph API to determine if a logged-in user is a member of the admin group. My app is set up and configured in Azure and uses Active Directory to control access, which works perfectly well.

When a user logs in I can get the ClaimsIdentity object and the user's info. But I wanted to use the Graph API to obtain a list of groups the logged-in user belongs to and subsequently check for the admin group (the admin key is held in my config file).

In Azure, my manifest file has this setting: "oauth2AllowImplicitFlow": true.

and the app has Microsoft Graph enabled, with these permissions:

sign in users & view users' basic profiles

I'm then creating an instance of the GraphServiceClient like this:

GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());

and then interrogating the groups like this:

Group group = await graphClient.Groups[admin].Request().GetAsync();

I've created an authentication provider with one method:

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AzureAuthenticationProvider : IAuthenticationProvider
{
    // Called by the Graph SDK before every request; attaches a bearer token.
    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        string clientId = Helpers.Settings.ClientId;
        string clientSecret = Helpers.Settings.ClientSecret;
        AuthenticationContext authContext = new AuthenticationContext(Helpers.Settings.AuthorityCHP);
        ClientCredential creds = new ClientCredential(clientId, clientSecret);

        // Client-credential (app-only) token for the resource named in GraphUrl.
        AuthenticationResult authResult = await authContext.AcquireTokenAsync(Helpers.Settings.GraphUrl, creds);
        request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
    }
}

The credentials are correct, yet whenever I run the code I get this error:

Code: InvalidAuthenticationToken Message: Access token validation failure.

Inner error Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Graph.ServiceException: Code: InvalidAuthenticationToken Message: Access token validation failure.

I am getting a token back, but it isn't being accepted. What am I doing wrong here?

OK, I've now used the correct URL for the Graph API, but I'm getting this error:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

In my app settings for Azure Active Directory I have 2 APIs registered with delegated permissions:

Windows Azure Active Directory - Read all users' basic profiles - Sign in and read user profile

Microsoft Graph - View users' basic profile - View users' email address - Access users' data anytime - Read all users' basic profiles - Read and write access to user profile - Sign in and read user profile

I've hit the 'Grant Permissions' button and got a message telling me permissions have been successfully granted for my application, but I still get the same error message :-(

Should I be passing in the signed-in user ID when I create an instance of the AuthenticationContext?

Something like:

AuthenticationContext authContext = new AuthenticationContext(Authority, new ADALTokenCache(signedInUserID));

** Update 2

I've now added 'Read all users' full profiles' and 'Read all groups' as application permissions in the Microsoft Graph enable access section AND granted permissions. But it's still exactly the same. How on earth am I supposed to get this to work? All I want to do is see which group a logged-in user belongs to; this is so difficult, it's beyond belief. Can anyone help me?

*** Magically, it started to work in both my local dev environment and the app deployed to Azure. However, I also have 2 other app 'instances' in my App Service environment, a QA version and a 'Dev' version. If I deploy the same code to both of those environments and try to access the Graph API, I get this error again:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

I'm stumped; it's nonsensical. Shouldn't the privileges be exactly the same for all my apps in that App Service environment? I'd really appreciate any advice here; this has got me completely stuck and I can't see a way forward.

  • What is the value of Helpers.Settings.GraphUrl? It should be https://graph.microsoft.com. Commented Sep 13, 2017 at 10:17
  • graph.windows.net Commented Sep 13, 2017 at 10:37
  • "graph.windows.net" Commented Sep 13, 2017 at 10:37
  • sorry, the url part is being stripped out automatically when I post Commented Sep 13, 2017 at 10:38
  • it's https colon forward slash forward slash graph.windows.net Commented Sep 13, 2017 at 10:39

1 Answer

If you are calling Microsoft Graph API (https://graph.microsoft.com), the resource URI must be https://graph.microsoft.com:

await authContext.AcquireTokenAsync("https://graph.microsoft.com", creds);

https://graph.windows.net is for Azure AD Graph API, which is a different API.


7 Comments

Getting a new problem now though: Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
Check that you also granted the permissions in Azure AD. Adding the permission is not enough; it needs to be granted. There is a Grant Permissions button on the permissions page which does that.
In the app settings -> Required permissions -> Enable access I have "Read all users' basic profiles" checked and I've saved it.
This is inside Azure Active Directory app registrations.
OK, found the button and got a message telling me the permissions have been successfully granted; didn't work.
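The two fixes discussed on this page, the Microsoft Graph resource URI from the answer and the granted application permission from the comment thread, put together in one working membership check. This is an added example, not code from the question or the answer. It assumes ADAL v3 (Microsoft.IdentityModel.Clients.ActiveDirectory) and the Microsoft.Graph SDK 1.x, uses the SDK's DelegateAuthenticationProvider instead of the question's custom provider, and every configuration value (authority, client id, secret, admin group id) is a placeholder. The user is identified by the objectidentifier claim Azure AD places in the signed-in ClaimsIdentity, so the app-only token is used to check that specific user rather than the token's own identity.

```csharp
using System;
using System.Linq;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example; not the question's or the answer's code. Assumes ADAL v3
// and Microsoft.Graph SDK 1.x. All configuration values are placeholders.
public static class GraphGroupCheck
{
    // The resource the answer says AcquireTokenAsync must receive. A token
    // issued for https://graph.windows.net (Azure AD Graph) is rejected by
    // Microsoft Graph with InvalidAuthenticationToken.
    private const string GraphResource = "https://graph.microsoft.com";

    // Hypothetical configuration values (placeholders, not real identifiers).
    private const string Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>";
    private const string ClientId = "<client-id-placeholder>";
    private const string ClientSecret = "<client-secret-placeholder>";
    private const string AdminGroupId = "<admin-group-object-id-placeholder>";

    // Claim type under which Azure AD exposes the signed-in user's object id.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Builds a Graph client whose requests carry an app-only bearer token
    // acquired for Microsoft Graph itself.
    public static GraphServiceClient CreateClient()
    {
        return new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            var authContext = new AuthenticationContext(Authority);
            var creds = new ClientCredential(ClientId, ClientSecret);
            AuthenticationResult result = await authContext.AcquireTokenAsync(GraphResource, creds);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
    }

    // True when the signed-in user is a (direct or transitive) member of the
    // configured admin group. With an app-only token this call needs an
    // application permission such as Group.Read.All or Directory.Read.All that
    // an admin has granted for this app registration; a delegated permission
    // alone yields Authorization_RequestDenied.
    public static async Task<bool> IsAdminAsync(GraphServiceClient graphClient, ClaimsIdentity identity)
    {
        string userObjectId = identity.FindFirst(ObjectIdClaim)?.Value;
        if (string.IsNullOrEmpty(userObjectId))
        {
            return false; // Fail closed: no object id, no admin rights.
        }

        // checkMemberGroups asks Graph which of the supplied group ids the user
        // belongs to, so only the admin group id is sent and no full group list
        // has to be enumerated and compared client-side.
        IUserCheckMemberGroupsCollectionPage matched = await graphClient
            .Users[userObjectId]
            .CheckMemberGroups(new[] { AdminGroupId })
            .Request()
            .PostAsync();

        return matched.Contains(AdminGroupId);
    }
}
```

Consent is recorded per app registration in the tenant, so a second registration (for example a separate client id used by a QA or Dev deployment) needs the same application permission granted before this check will succeed there.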
