I am trying to log in as my registered app, with the permissions granted on: Azure Portal > App registrations > App registrations (Preview) > My App Name - API permissions
According to this documentation, I have to pass my resource identifier (APP ID URI) in the scope parameter when requesting a token. I am certain that this scope parameter is the one causing me problems.
I have tried different values for the scope parameter:
- https://graph.microsoft.com/.default: This works for basic functions, like reading the calendar, but I believe the default permissions are far too limited for my needs. Since this works, I believe my other parameters are correct and the scope is the problem.
- [APP-ID]/.default: This gives me a successful response; however, whenever I try to make any request, including the basic read-calendar request, I get InvalidAuthenticationToken. I can assure you that I am passing the correct token retrieved from the token request.
- Multiple different URL combinations based on online suggestions. All of them return "The resource principal {resource-url} was not found in tenant {id}."
I strongly believe the problem is that I am not passing the correct APP ID URI for my application. Can anyone tell me where I can find this resource? Everything I have searched online is 2+ years old and does not seem to be the same for the new Azure portal.
- Redirect URI: Enter your web app URL (the address of a web page where users can sign in and use your app). The APP ID URI is your Azure Tenant URI followed by your app name (unique identifier for Azure AD to identify your app).
Search for and select Azure Active Directory. Under Manage, select App registrations > New registration. Enter a display Name for your application.
For Client Credentials (i.e. getting a token without a user), you need to pass https://graph.microsoft.com/.default as your scope.
The permissions https://graph.microsoft.com/.default provides are the "Application permissions" you specified when registering the application in the portal:
Once you've added all the "Application permissions" you need for your application, you need to "Grant consent" for those scopes in your tenant (this is the button at the bottom of the API permissions tab).
Once you have these in place, you need to issue a POST to the /token endpoint (line breaks are just for readability; the body should be a single string):
POST https://login.microsoftonline.com/{{tenantDomain}}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id={your-app-id}
&scope=https://graph.microsoft.com/.default
&client_secret={your-client-secret}
&grant_type=client_credentials
This will return you something like this:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1554431330",
"not_before": "1554427430",
"resource": "00000003-0000-0000-c000-000000000000",
"access_token": "eyJ0eXAiOiJKV1QiLCJub25jZS..."
}
When you call into Graph you need to set the Authorization header to "{token_type} {access_token}". So calling /users would look like this:
GET https://graph.microsoft.com/v1.0/users
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZS...
Host: graph.microsoft.com
Accept: application/json
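The two steps in the answer above (client_credentials token request, then a bearer call to Graph) written out as an added Python example, not code from the original answer. It targets the v2.0 token endpoint (`/oauth2/v2.0/token`), which is the endpoint that takes the `scope` parameter, and adds the check a practitioner wants when Graph answers InvalidAuthenticationToken: decode the token locally (signature not verified; inspection only) and confirm that `aud` is Microsoft Graph and that the application permissions you granted appear in the `roles` claim. A token requested with `[APP-ID]/.default` fails the first check, which is exactly the symptom in the question. The tenant name, app ID, client secret and the two sample JWTs are constructed placeholders; only the Graph application ID `00000003-0000-0000-c000-000000000000` (already shown in the answer's `resource` field) is real.

```python
import base64
import json
import urllib.parse
import urllib.request

# Well-known application ID of Microsoft Graph. Tokens carry it, or the URI form, as "aud".
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {"https://graph.microsoft.com", GRAPH_APP_ID}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request_body(client_id, client_secret, scope=GRAPH_SCOPE):
    """Form body for the client_credentials grant (no user involved)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })


def get_token(tenant, client_id, client_secret, scope=GRAPH_SCOPE):
    """POST to the v2.0 token endpoint (the one that takes `scope`) and return the JSON reply."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    req = urllib.request.Request(
        url,
        data=token_request_body(client_id, client_secret, scope).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(access_token):
    """Payload claims of a JWT, read WITHOUT verifying the signature.
    Fine for local troubleshooting; never use this to make authorization decisions."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_graph_token(access_token, required_roles=()):
    """Return the reasons Graph would reject this token (empty list means it looks usable)."""
    claims = decode_claims(access_token)
    problems = []
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        # This is what scope=[APP-ID]/.default produces: a token issued for your own app,
        # so the token request succeeds but Graph answers InvalidAuthenticationToken.
        problems.append(f"aud is {aud!r}, not Microsoft Graph; request scope={GRAPH_SCOPE}")
    granted = set(claims.get("roles", []))  # application permissions show up in "roles"
    missing = sorted(set(required_roles) - granted)
    if missing:
        problems.append(f"missing application permissions in roles claim: {missing}; "
                        "add them under API permissions and grant admin consent")
    return problems


def graph_get(access_token, path="/users"):
    """Call Graph with the bearer token, as the answer shows."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0" + path,
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_sample_jwt(claims):
    """CONSTRUCTED, unsigned sample token for offline demonstration only.
    Real Azure AD tokens are RS256-signed; this only mimics the header.payload.signature shape."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".not-a-real-signature"


# Constructed samples (hypothetical app ID): one token issued for Graph, one for the app itself.
TOKEN_FOR_GRAPH = make_sample_jwt({"aud": GRAPH_APP_ID, "roles": ["Calendars.Read"]})
TOKEN_FOR_OWN_APP = make_sample_jwt({"aud": "api://11111111-2222-3333-4444-555555555555", "roles": []})

if __name__ == "__main__":
    for name, tok in (("graph", TOKEN_FOR_GRAPH), ("own app", TOKEN_FOR_OWN_APP)):
        print(name, check_graph_token(tok, ["Calendars.Read"]) or "OK")
    # Live use (network and real credentials required; placeholders below are not real):
    # tok = get_token("contoso.onmicrosoft.com", "{your-app-id}", "{your-client-secret}")["access_token"]
    # print(check_graph_token(tok, ["Calendars.Read"]) or graph_get(tok, "/users"))
```

Run it as-is to see the two constructed tokens diagnosed offline; with real credentials, run `check_graph_token` on the `access_token` you get back before blaming Graph. Keep the secret out of source control and do not log the decoded token: the `roles` claim alone tells an attacker what a stolen token can do.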