Querying the Windows Azure Active Directory Graph API by REST Call
I kept running into this problem. I was using the following code to get a bearer token for my native app:
// Requires the ADAL package: Microsoft.IdentityModel.Clients.ActiveDirectory
var authContext = new AuthenticationContext("AUTHORITY");
string token;
try
{
    // AcquireToken(resource, clientId, redirectUri): the first argument is the
    // resource the token is issued FOR, and ADAL expects the redirect as a Uri
    var authresult = authContext.AcquireToken("MYAPP_ID", "MYAPP_CLIENTID", new Uri("MYAPP_REDIRECTURI"));
    token = authresult.AccessToken;
}
catch (AdalException ex)
{
    // token acquisition failed (user cancelled, bad client id, no consent, ...)
    throw new InvalidOperationException("Could not acquire token: " + ex.Message, ex);
}
Using that token worked fine for authorizing actions within my own app, but I'd get the same error as the OP when trying to use the same token as authorization for the Graph API.
What I had to do was get a new token specifically for the Graph API - I used the same code as above but I used "https://graph.windows.net" instead of "MYAPP_ID". So, to be clear, the following code gave me the correct OAuth token for the Graph API:
// Requires the ADAL package: Microsoft.IdentityModel.Clients.ActiveDirectory
var authContext = new AuthenticationContext("AUTHORITY");
string token;
try
{
    // Same call, but the resource is now the Graph API itself, so the token's
    // audience is https://graph.windows.net rather than the native app
    var authresult = authContext.AcquireToken("https://graph.windows.net", "MYAPP_CLIENTID", new Uri("MYAPP_REDIRECTURI"));
    token = authresult.AccessToken;
}
catch (AdalException ex)
{
    throw new InvalidOperationException("Could not acquire Graph token: " + ex.Message, ex);
}
Just make sure that your application registered in Azure has the necessary permissions to access your Azure domain's directory.
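The 401 in the question is the Graph API rejecting a token whose audience (the `aud` claim) is the calling app rather than `https://graph.windows.net`. The following is an added example, not code from the answer or from the ADAL library: it decodes a token's claims purely for inspection (no signature verification, so it only tells you what the token claims to be for), checks the audience against the resource you are about to call, and parses the `WWW-Authenticate` challenge from a 401 so the `error` value can be read programmatically. The sample token it builds is constructed and unsigned, and the claim names `aud`, `tid` and `upn` are assumed from standard AAD token layouts.

```python
import base64
import json
import re

# Resource identifier the Graph API expects to find in the token's audience
GRAPH_RESOURCE = "https://graph.windows.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Diagnostic only: the signature is NOT verified here. That is fine for
    checking which resource your own freshly issued token was minted for; it
    is never a substitute for the validation a resource server performs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_resource(token: str, resource: str) -> bool:
    """True if the token's audience names the resource we are about to call.

    'aud' may be a string or a list; a trailing slash is ignored because the
    same resource is sometimes written with and without it.
    """
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any((a or "").rstrip("/") == resource.rstrip("/") for a in auds)


def parse_www_authenticate(header: str) -> dict:
    """Parse the quoted key="value" parameters of a Bearer challenge.

    A 401 from the Graph API carries error="invalid_token" when the token is
    for the wrong audience; reading it here beats eyeballing the raw header.
    """
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def make_sample_token(aud: str) -> str:
    """Constructed, UNSIGNED sample token for the demonstration.

    Not issued by Azure AD; the signature segment is a placeholder and no
    real resource would accept it. It exists only so the decoding path runs.
    """
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": aud,
        "tid": "<my-object-guid>",      # tenant id placeholder (assumed claim name)
        "upn": "user@example.com",      # constructed sample user
    }).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    app_token = make_sample_token("MYAPP_ID")            # what the first snippet yields
    graph_token = make_sample_token(GRAPH_RESOURCE)      # what the fixed snippet yields
    for name, tok in (("app token", app_token), ("graph token", graph_token)):
        ok = token_matches_resource(tok, GRAPH_RESOURCE)
        print(f"{name}: aud={jwt_claims(tok)['aud']!r} usable against Graph: {ok}")

    # Challenge taken from the 401 in the question (realm/tenant redacted there)
    challenge = ('Bearer realm="<my-object-guid>", error="invalid_token", '
                 'error_description="Access Token missing or malformed.", '
                 'authorization_uri="https://login.windows.net/<my-object-guid>/oauth2/authorize", '
                 'client_id="00000002-0000-0000-c000-000000000000"')
    print(parse_www_authenticate(challenge)["error"])
```

Run `token_matches_resource` on the token you are about to put in the `Authorization` header; if it returns `False`, acquiring a new token with the Graph resource as the first argument (as in the answer) is the fix, not retrying the request.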
Poul K. Sørensen
Updated on July 24, 2022
Comments
-
Poul K. Sørensen almost 2 years
According to this: http://msdn.microsoft.com/en-us/library/windowsazure/dn424880.aspx and this http://msdn.microsoft.com/en-us/library/windowsazure/hh974467.aspx
I should be able to do a get request
https://graph.windows.net/<my-object-guid>/tenantDetails?api-version=0.9
and I am using Fiddler just to get started. Setting this in the composer: User-Agent: Fiddler Host: graph.windows.net Authorization: Bearer eyJ0eXA .... (My Token, used some C# from WAAL to get the token).
This is what is returned:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Server: Microsoft-IIS/8.0
WWW-Authenticate: Bearer realm="<my-object-guid>", error="invalid_token", error_description="Access Token missing or malformed.", authorization_uri="https://login.windows.net/<my-object-guid>/oauth2/authorize", client_id="00000002-0000-0000-c000-000000000000"
ocp-aad-diagnostics-server-name: 11iIdMb+aPxfKyeakCML7Tenz8Kyy+G8VG19OZB/CJU=
request-id: 99d802a3-0e55-4018-b94d-a8c00ec8f171
client-request-id: 7ed93efd-86c5-4900-ac1f-747a51fe1d8a
x-ms-dirapi-data-contract-version: 0.9
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Tue, 14 Jan 2014 00:13:27 GMT
Content-Length: 129

{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}
The token is accepted when I do some stuff in my application so I don't believe it's malformed.
-
Randa Sbeity over 9 years
I was struggling with the same problem using Fiddler. I tried your solution and it worked! I was capturing my app traffic using Fiddler. I edited the 'resource' value in the POST token request to "graph.windows.net". The access code that I got authorized me to execute requests from Fiddler to graph.windows.net/x/groups?api-version=1.5. Thank you so much!!
-
Dabbas almost 9 years
Why do I need to get another access_token to only get a user's details? I already have an access token for this user..
-
Mr. Bungle over 8 years
Also note that if you have just given permission for your AD application to read and access your directory, you may need to wait several hours before that becomes effective. In the meantime you may receive 'insufficient privileges to complete the operation'.
-
Igor Soloydenko about 8 years
@Mr.Bungle Wait several hours? Wow. Why? Is it because of the caching?