I am trying to automate fetching of AD reports using the Graph REST API from a .net application in C#.
I have created a Service Principal (using App Registrations) in the new Azure Portal. This service principal has all the required information configured for OAuth 2.0:
The service principal also has permissions set appropriately for "Microsoft Graph" as "Read Directory Data".
I am able to fetch the Token using the REST API from .net application but when I am trying to use this token in my code I am getting the error: "Unable to check Directory Read access for appId".
My code to make the REST API call using the token is (I have changed the GUIDs for Tenant ID etc.):
using System;
using RestSharp;

// Azure AD Graph API endpoint (graph.windows.net); the tenant GUID is a placeholder
var client2 = new RestClient("https://graph.windows.net/a0a00aa0-aaaa-0000-0000-00000e0000aa/reports?api-version=beta");
var request2 = new RestRequest(Method.GET);
request2.AddHeader("cache-control", "no-cache");
// token: the bearer token obtained earlier with the OAuth 2.0 client credentials request
request2.AddHeader("authorization", "Bearer " + token);
request2.AddHeader("content-type", "application/json");
IRestResponse response2 = client2.Execute(request2);
Console.WriteLine(response2.Content);
The error I am getting is:
{
"error":{
"code":"Unable to check Directory Read access for appId: 00000aa-aaaa-0a0a-0000-000000000000","message":"message:Unable to check Directory Read access for appId: 00000aa-aaaa-0a0a-0000-000000000000\n client-request-id:00aa0a0a-48bf-4bf8-ae40-a2976a3c6910 timestamp:2017-04-28 01:38:52Z"
}
}
I have checked that the credentials are not cached anywhere, as indicated by some blogs. I have even run the code from a blank VM and got the same error. Any pointers to resolve this error or what could be causing this?
I got this resolved. I know the exact steps that resolve this for me. But I don't know the underlying concept. If anyone can explain to me that and how to do this via PowerShell or GUI (even in 2 lines) I will accept that as an answer. The steps I take are:
What I have tried: I have tried using "Grant Permissions" on the "Required Permissions" blade inside App Registrations, but that did not work and resulted in the same error.
QUESTION: I want to understand what exactly the below dialog is doing and how can I do this via GUI or PowerShell.
I tested the API call and it works. In your description:
The service principal also has permissions set appropriately for "Microsoft Graph" as "Read Directory Data".
You set the permissions for "Microsoft Graph" (Microsoft Graph API), but in your code you query the Azure AD Graph API (https://graph.windows.net/) endpoint for report information. That may cause the problem. If you want to use the Azure AD Graph API, you need to set permissions for "Windows Azure Active Directory".
Update
The consent framework is used to make it easy to develop multi-tenant Web and Native client applications that need to access Web APIs secured by an Azure AD tenant, different from the one where the client application is registered.
With a multi-tenant app, when a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user's tenant, and sign-in can continue.
App-only permissions always require a tenant administrator's consent. If your application requests an app-only permission and a user tries to sign in to the application, an error message will be displayed saying the user isn't able to consent. Certain delegated permissions also require a tenant administrator's consent, for example the "Read directory data" permission. What this means is that in order for a regular user (i.e. a user that is not a global administrator for the tenant) to sign in, a global administrator must first sign in and consent to the permission on behalf of the organisation. You need to use an admin account to consent to the related permission, as in the picture you showed. Please click here and here to read more about user and admin consent.
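The mismatch the answer points at (permissions and token issued for one Graph API, request sent to the other) is visible in the token itself: the "aud" claim names the resource the token was issued for. The following is an added example, not code from the question or the answer; the TokenAudienceCheck class, the placeholder tenant id and the constructed unsigned sample token are assumptions, and the check only reads the claim locally as a diagnostic before the call is made.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Hypothetical helper (not part of the original post): confirms that the bearer
// token we hold was issued for the API host the request is about to hit.
static class TokenAudienceCheck
{
    // Values Azure AD places in "aud" for each Graph API: the resource URI or its app id.
    static readonly Dictionary<string, string[]> KnownAudiences = new Dictionary<string, string[]>
    {
        ["graph.windows.net"]   = new[] { "https://graph.windows.net", "00000002-0000-0000-c000-000000000000" },
        ["graph.microsoft.com"] = new[] { "https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000" },
    };

    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static string Base64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Reads "aud" from the payload segment. No signature verification: this inspects
    // our own outgoing token; it must never be used to trust a token we receive.
    public static string GetAudience(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("Not a compact JWT", nameof(jwt));
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        return doc.RootElement.GetProperty("aud").GetString();
    }

    // True when the token's audience is one of the identifiers of the API at apiUrl.
    public static bool AudienceMatches(string jwt, Uri apiUrl)
    {
        string aud = GetAudience(jwt).TrimEnd('/');
        if (!KnownAudiences.TryGetValue(apiUrl.Host, out var accepted))
            accepted = new[] { apiUrl.GetLeftPart(UriPartial.Authority) }; // fallback: scheme + host
        return Array.Exists(accepted, a => string.Equals(a, aud, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Constructed, unsigned sample token whose audience is Microsoft Graph.
        string header  = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}"));
        string payload = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"aud\":\"https://graph.microsoft.com\"}"));
        string token = header + "." + payload + ".";
        // Same situation as the question: permissions/token for Microsoft Graph, call to Azure AD Graph.
        var azureAdGraph = new Uri("https://graph.windows.net/PLACEHOLDER-TENANT-ID/reports?api-version=beta");
        Console.WriteLine("token matches Azure AD Graph endpoint: " + AudienceMatches(token, azureAdGraph));
        Console.WriteLine("token matches Microsoft Graph endpoint: " + AudienceMatches(token, new Uri("https://graph.microsoft.com/beta/reports")));
    }
}
```

Run the check on the real token before sending the request; when it reports false, either request the token with the resource set to the API you call or switch the request to the API the permissions were granted for.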