Querying the Windows Azure Active Directory Graph Api by Rest Call


I kept running into this problem. I was using the following code to get a bearer token for my native app:

        // Requires the ADAL .NET package (Microsoft.IdentityModel.Clients.ActiveDirectory).
        var authContext = new AuthenticationContext("AUTHORITY");
        string token;
        try
        {
            // First argument is the resource the token is issued for - here the app itself.
            var authresult = authContext.AcquireToken("MYAPP_ID", "MYAPP_CLIENTID", new Uri("MYAPP_REDIRECTURI"));
            token = authresult.AccessToken;
        }
        catch (AdalException ex)
        {
            Console.WriteLine(ex.Message);
            throw;
        }

Using that token worked fine for authorizing actions within my own app, but I'd get the same error as the OP when trying to use the same token as authorization for the Graph API.

What I had to do was get a new token specifically for the Graph API - I used the same code as above but I used "https://graph.windows.net" instead of "MYAPP_ID". So, to be clear, the following code gave me the correct OAuth token for the Graph API:

        // Same call, but the resource is now the Graph API identifier, so the token's audience is the Graph API.
        var authContext = new AuthenticationContext("AUTHORITY");
        string token;
        try
        {
            var authresult = authContext.AcquireToken("https://graph.windows.net", "MYAPP_CLIENTID", new Uri("MYAPP_REDIRECTURI"));
            token = authresult.AccessToken;
        }
        catch (AdalException ex)
        {
            Console.WriteLine(ex.Message);
            throw;
        }

Just make sure that your application registered in Azure has the necessary permissions to access your Azure domain's directory.
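A quick way to see why the first token is rejected is to look at the token's `aud` (audience) claim: a token requested with the app's own ID as the resource carries that ID as its audience, while the Graph API expects `https://graph.windows.net`. The diagnostic below is an added example, not part of this answer; it decodes the claims without verifying the signature (the API does that), and the two sample tokens are constructed with a dummy signature purely for the demonstration.

```python
import base64
import json
import time

# Resource identifier the Azure AD Graph API expects as the token audience.
GRAPH_RESOURCE = "https://graph.windows.net"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_resource(token, resource, now=None):
    """Return the reasons `resource` will likely reject the token; an empty list means it looks usable."""
    problems = []
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    # `aud` may be a string or a list; compare without a trailing slash so
    # "https://graph.windows.net" and "https://graph.windows.net/" match.
    auds = aud if isinstance(aud, list) else [aud]
    if resource.rstrip("/") not in {str(a).rstrip("/") for a in auds}:
        problems.append(f"audience mismatch: token aud={aud!r}, expected {resource!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is not None and exp <= now:
        problems.append("token expired")
    return problems


def _make_unsigned_token(claims):
    """Build a CONSTRUCTED sample token with a dummy signature, for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}.dummysig"


# Constructed samples: a token issued for the app itself (the first attempt above)
# and one requested with resource = https://graph.windows.net (the fix above).
APP_TOKEN = _make_unsigned_token({"aud": "MYAPP_ID", "exp": 4102444800})
GRAPH_TOKEN = _make_unsigned_token({"aud": GRAPH_RESOURCE, "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in (("app token", APP_TOKEN), ("graph token", GRAPH_TOKEN)):
        print(name, check_token_for_resource(tok, GRAPH_RESOURCE) or "audience matches")
```

Paste a real access token in place of the constructed ones to see which resource it was issued for before sending it to the Graph API.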

Poul K. Sørensen

Updated on July 24, 2022

Comments

  • Poul K. Sørensen
    Poul K. Sørensen almost 2 years

    According to this: http://msdn.microsoft.com/en-us/library/windowsazure/dn424880.aspx and this http://msdn.microsoft.com/en-us/library/windowsazure/hh974467.aspx

    I should be able to do a get request

    https://graph.windows.net/<my-object-guid>/tenantDetails?api-version=0.9
    

    and I am using Fiddler just to get started. Setting this in the composer: User-Agent: Fiddler Host: graph.windows.net Authorization: Bearer eyJ0eXA .... (My Token, used some C# from WAAL to get the token).

    This is what is returned

    HTTP/1.1 401 Unauthorized
    Cache-Control: private
    Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
    Server: Microsoft-IIS/8.0
    WWW-Authenticate: Bearer realm="<my-object-guid>", error="invalid_token", error_description="Access Token missing or malformed.", authorization_uri="https://login.windows.net/<my-object-guid>/oauth2/authorize", client_id="00000002-0000-0000-c000-000000000000"
    ocp-aad-diagnostics-server-name: 11iIdMb+aPxfKyeakCML7Tenz8Kyy+G8VG19OZB/CJU=
    request-id: 99d802a3-0e55-4018-b94d-a8c00ec8f171
    client-request-id: 7ed93efd-86c5-4900-ac1f-747a51fe1d8a
    x-ms-dirapi-data-contract-version: 0.9
    X-Content-Type-Options: nosniff
    DataServiceVersion: 3.0;
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    X-Powered-By: ARR/3.0
    X-Powered-By: ASP.NET
    Date: Tue, 14 Jan 2014 00:13:27 GMT
    Content-Length: 129
    
    {"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}
    

    The token is accepted when I do some stuff in my application so I don't believe it's malformed.

  • Randa Sbeity
    Randa Sbeity over 9 years
    I was struggling with the same problem using Fiddler. I tried your solution and it worked! I was capturing my app traffic using Fiddler. I edited the 'resource' value in the POST token request to "graph.windows.net" The access code that I got authorized me to execute requests from fiddler to graph.windows.net/x/groups?api-version=1.5. Thank you so much!!
  • Dabbas
    Dabbas almost 9 years
    Why do I need to get another access_token to only get a user's details? I already have an access token for this user.
  • Mr. Bungle
    Mr. Bungle over 8 years
    Also note that if you have just given permission for your AD application to read and access your directory, you may need to wait several hours before that becomes effective. In the meantime you may receive 'insufficient privileges to complete the operation'.
  • Igor Soloydenko
    Igor Soloydenko about 8 years
    @Mr.Bungle Wait several hours? Wow. Why? Is it because of the caching?