
I have been told to raise a question about the Azure AD Graph API here instead of raising it as an issue in the corresponding GitHub sample repository. I hope the Azure Graph API team monitors SO and can help us with this GitHub sample issue.

Some extra context for the problem:

We are using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package to create and manage users in our Azure AD test tenant. Following this sample application, we can create and update users in Azure AD via the Graph API. That was fine until some moment about 2-3 days ago (not sure about the exact moment; we discovered the problem on Tuesday morning AU time, and the last successful run was on Friday last week). It was 100% working code, and to confirm that it's not our code, I ran through the sample application again - it's broken now too. I've tested it with the latest GraphClient v2.1.0 and the original one from the sample app, which is v2.0.6.

To simplify testing of the problem I've made a LINQ-based sample with some secrets redacted (you need to follow the console app sample guide to put in your values if you want to run it instead of the original sample app). Also, here are the Fiddler captures (redacted) of

A few things to note in the Fiddler captures: the Azure AD Graph API doesn't return a refresh token along with the access token:

{"expires_in":"3599","token_type":"Bearer","scope":"UserProfile.Read",
"expires_on":"1441183928","not_before":"1441180028","resource":"https://graph.windows.net",
"access_token":"TOKEN WAS HERE"}

I can see the issue with the scope string here, but we are not setting any explicit scope in GraphClient when calling for the token, as per the sample app (and this code was fine before, as I mentioned earlier).

The user creation response is clear in terms of what happens and why it happens:

{"odata.error":
    {"code":"Authorization_RequestDenied","message":
        {"lang":"en","value":"Insufficient privileges to complete the operation."}
    }
}

But it's not clear how to ask for extra permission scopes through any of these AuthenticationContext.AcquireToken method overloads. Also, it's strange that the very same code was fully functional before and is broken now, after some mysterious change.

So I have a few questions:

  1. How do I add extra scope permissions in the GraphClient library to get a Graph API token with user modification enabled? This is probably a band-aid fix for the problem.

  2. It looks like Azure AD tries to manage permissions for client apps in the portal, but there are no extra permissions for the Native Client type of application. How can I explicitly update app permissions so the existing code can work again? Is it possible at all?

  3. Can anyone recommend other libraries for interacting with the Graph API that allow the consumer to explicitly specify the scope for the requested token?

================Update================

Yes, I saw that consent flow documentation. Chasing the issue, I've created a new Azure AD tenant, added a brand new application and added all possible rights, including all available application and delegation ones: now it looks like this. I also

I can get a token with a long list of scopes, e.g.

Directory.AccessAsUser.All Directory.Read Directory.Write User.Read User.ReadWrite User.Read.All User.ReadBasic.All User.ReadWrite.All user_impersonation UserProfile.Read

--cut unrelated scopes--

But it still gives me 403:

{"odata.error":
    {"code":"Authorization_RequestDenied","message":
        {"lang":"en","value":"Insufficient privileges to complete the operation."}
    }
}

One thing worth noting: in the scope list there is no Directory.ReadWrite.All.

But here the docs say: Directory.ReadWrite.All: Read and write directory data

================Update================

PS: Some technical request info for Azure AD engineers:

  • Authentication request-response has client-request-id: 88b2bbbd-94cd-498d-a147-caad05e16eb7.
  • Failed Graph call has client-request-id: 882f3918-0ddd-40fe-a558-866997e32b46 in the response only.
  • Some extra info - tried to post the scope like scope=xxx as per the OAuth2 specification (4.4.2. Access Token Request), using scope values from this list: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/graph-api-permission-scopes. With &scope=Directory.ReadWrite.All I get back a token with the same "UserProfile.Read" scope. – Alexey Shcherbak Sep 02 '15 at 12:41
  • Managed to get a token with many permissions (by adding the Office 365 Unified API preview app to my web client and adding all possible permission delegations to my app). Still no luck - posting the same data as a raw Fiddler request to https://graph.windows.net/58cc6e97-acd4-43ce-820f-50cfe5fd56e8/users?api-version=1.6 HTTP/1.1 still gives me 403 with "Insufficient privileges to complete the operation". ocp-aad-diagnostics-server-name: 2+dALfFSWdN9j1pbjWetFSEVFN5y/lnZw/QCyG+ljYA= request-id: 70f46089-1a05-41d3-85c6-e90e1c0f75dd client-request-id: 5dec4e74-ac5d-4944-8ca6-01644c32bf93 – Alexey Shcherbak Sep 02 '15 at 13:10

1 Answer


The issue here is that you have not properly configured your application to request the correct permissions to the Graph API. To do this, you must go into the Azure Management Portal and configure your 'permissions to other applications' to include the scopes your app needs to be able to read/write to the directory.

We have some documentation here which should help you:

  • https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx (describes the consent flow)
  • https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/graph-api-permission-scopes (describes the specific permissions that the Graph API exposes and that your application will need to request)

I hope this helps!

  • Not much. See the updated details - I've done more steps and got a token with the maximum available permissions - still the same. – Alexey Shcherbak Sep 09 '15 at 13:07
  • Hi Alexey. Just following up here, and sorry for not getting back sooner. For the sample, are you making a request to access as the application only, or as the application with user context? In the former case you should set the "Read and write directory" permission in the "application permission" column. If the latter, you should set the same permission in the "delegated permission" column AND the user *must* have enough privilege to create users (so tenant admin OR user account admin). If this does not work, please forward your decoded JWT token's scp claims, so we can see what these say. – Dan Kershaw - MSFT Nov 12 '15 at 17:13
  • Hi Dan, we already moved on from that issue, but I'll try to get back to it and restore the environment to reproduce the issue. I think the simplest case would be to run the example - it doesn't work properly for my tenants either - both the original and the freshly created one. – Alexey Shcherbak Nov 13 '15 at 01:08
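As an added example (not code from the question, the answer or the GraphClient sample), here is the check the last comments converge on, done offline in Python: read the `scope` field of a token response shaped like the one quoted in the question, decode the access token's `scp` claim without trusting it, and report whether Directory.ReadWrite.All (the scope the asker notes is missing from his list) is present. The token response and the JWT are constructed; the scope name comes from the permission-scopes document linked in the thread.

```python
import base64
import json

# Added example (not from the question, answer or GraphClient sample); scope
# name taken from the permission-scopes document linked in the thread.
DIRECTORY_WRITE_SCOPE = "Directory.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT verifying the signature.
    Fine for inspecting a token you just received (to read its 'scp' claim);
    never use it to decide whether to trust a token someone else presents."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token_response: dict) -> set:
    """Scopes from the token endpoint's space-separated 'scope' field."""
    return set(token_response.get("scope", "").split())


def scp_scopes(claims: dict) -> set:
    """Delegated scopes from the JWT's space-separated 'scp' claim."""
    return set(claims.get("scp", "").split())


def can_write_directory(scopes: set) -> bool:
    """Necessary, not sufficient: in the delegated flow the signed-in user must
    also hold a role allowed to create users (see Dan's comment above)."""
    return DIRECTORY_WRITE_SCOPE in scopes


# Constructed data mirroring the token response quoted in the question.
SAMPLE_TOKEN_RESPONSE = {
    "expires_in": "3599", "token_type": "Bearer", "scope": "UserProfile.Read",
    "resource": "https://graph.windows.net", "access_token": "TOKEN WAS HERE",
}


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed JWT with an empty signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `can_write_directory(granted_scopes(SAMPLE_TOKEN_RESPONSE))` against the quoted response and it returns False, which is the condition that produced the 403 in the question; paste a real access token into `decode_jwt_claims` to see the `scp` claim Dan asked for.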