Getting error "Unable to check Directory Read access for appId" when trying to access Graph REST API programmatically from a .net application

I am trying to automate fetching of AD reports using the Graph REST API from a .net application in C#.

I have created a Service Principal (using App Registrations) in the new Azure Portal. This service principal has all the required information configured for OAuth 2.0:

  1. App ID or Client Id (auto generated)
  2. Key or Client Secret
  3. Tenant ID (from the Azure Directory's Directory ID)

The service principal also has permissions set appropriately for "Microsoft Graph" as "Read Directory Data".

I am able to fetch the Token using the REST API from .net application but when I am trying to use this token in my code I am getting the error: "Unable to check Directory Read access for appId".

My code to make the REST API call using the token is (I have changed the GUIDs for Tenant ID etc.):

        using System;
        using RestSharp;

        // Azure AD Graph (graph.windows.net) reports endpoint; the tenant GUID is a placeholder
        var client2 = new RestClient("https://graph.windows.net/a0a00aa0-aaaa-0000-0000-00000e0000aa/reports?api-version=beta");
        var request2 = new RestRequest(Method.GET);
        request2.AddHeader("cache-control", "no-cache");
        // "token" is the access token fetched earlier from the OAuth 2.0 token endpoint
        request2.AddHeader("authorization", "Bearer " + token);
        request2.AddHeader("content-type", "application/json");
        IRestResponse response2 = client2.Execute(request2);
        Console.WriteLine(response2.Content);

The error I am getting is:

{
  "error": {
    "code": "Unable to check Directory Read access for appId: 00000aa-aaaa-0a0a-0000-000000000000",
    "message": "message:Unable to check Directory Read access for appId: 00000aa-aaaa-0a0a-0000-000000000000\n client-request-id:00aa0a0a-48bf-4bf8-ae40-a2976a3c6910 timestamp:2017-04-28 01:38:52Z"
  }
}

I have checked that the credentials are not cached anywhere, as indicated by some blogs. I have even run the code from a blank VM and got the same error. Any pointers to resolve this error or what could be causing it?

UPDATE - 4-28-2017

I got this resolved. I know the exact steps that resolve this for me. But I don't know the underlying concept. If anyone can explain to me that and how to do this via PowerShell or GUI (even in 2 lines) I will accept that as an answer. The steps I take are:

  1. Create the Service Principal/App inside App Registrations
  2. Add Permission for Windows Azure AD for "Sign in and read user profile" and "Read directory data". I also added permissions for Microsoft Graph for "Read directory data" since I also need to make some calls to that.
  3. Add Reply URL for Postman i.e. "https://www.getpostman.com/oauth2/callback".
  4. Use Postman's OAuth 2.0 helper to fetch the token. During the process, it provides the below screen. After I click Accept it generates the token.
  5. Now I am able to make requests using C# code.

What I have tried: I have tried using "Grant Permissions" on the "Required Permissions" blade inside App Registrations, but that did not work and resulted in the same error.

QUESTION: I want to understand what exactly the below dialog is doing and how I can do this via GUI or PowerShell.

Permissions Prompt

Aman Sharma asked Oct 29 '22 08:10


1 Answer

I tested the API call and it works. In your description:

The service principal also has permissions set appropriately for "Microsoft Graph" as "Read Directory Data".

You set the permissions for "Microsoft Graph" (Microsoft Graph API), but in your code you query the Azure AD Graph API (https://graph.windows.net/) endpoint for report information. That may cause the problem. If you want to use Azure AD Graph API, you need to set permissions for "Windows Azure Active Directory".

Update

The consent framework is used to make it easy to develop multi-tenant Web and Native client applications that need to access Web APIs secured by an Azure AD tenant, different from the one where the client application is registered.

With a multi-tenant app, when a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user's tenant, and sign-in can continue.

App-only permissions always require a tenant administrator's consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message will be displayed saying the user isn't able to consent. Certain delegated permissions also require a tenant administrator's consent, for example the "Read directory data" permission. What this means is that in order for a regular user (i.e. a user that is not a global administrator for the tenant) to sign in, a global administrator must first sign in and consent to the permission on behalf of the organisation. You need to use an admin account to consent to the related permission, as in the picture you showed. Please click here and here to read more about user and admin consent.

Nan Yu answered Nov 15 '22 05:11
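Both problems the answer points at (a token minted for Microsoft Graph being sent to graph.windows.net, and an application permission that was never admin-consented) are visible in the access token itself before any request is made. The following is an added example, not code from the question or the answer; it assumes the well-known first-party resource app IDs Microsoft publishes for the two Graph APIs, and it constructs unsigned test tokens because the real one is not on the page.

```python
import base64
import json

# Audience ("aud") values an Azure AD access token carries for each Graph host. The
# GUIDs are Microsoft's published first-party resource app IDs (assumed here).
RESOURCE_AUDIENCES = {
    "graph.windows.net": {"https://graph.windows.net", "https://graph.windows.net/",
                          "00000002-0000-0000-c000-000000000000"},   # Azure AD Graph
    "graph.microsoft.com": {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                            "00000003-0000-0000-c000-000000000000"},  # Microsoft Graph
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature: fine for local
    inspection, never a basis for trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWT")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token: str, endpoint_host: str,
             required_role: str = "Directory.Read.All") -> list:
    """List reasons a call to endpoint_host could be rejected with this token;
    an empty list means audience and application permission look consistent."""
    claims = jwt_claims(token)
    findings = []
    aud = claims.get("aud", "")
    expected = RESOURCE_AUDIENCES.get(endpoint_host)
    if expected is None:
        findings.append(f"unknown endpoint host {endpoint_host}")
    elif aud not in expected:
        findings.append(f"token audience {aud!r} is not for {endpoint_host}; "
                        "request the token for that resource instead")
    # App-only tokens list granted application permissions in "roles"; a missing
    # role usually means admin consent was never granted for it.
    if required_role not in claims.get("roles", []):
        findings.append(f"token lacks application permission {required_role}; "
                        "an administrator must consent to it")
    return findings

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `diagnose` on the real bearer token with the host you are calling; a non-empty result tells you whether to re-request the token for the right resource or to have an administrator grant consent.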