
I'm trying to build a simple Ruby application that can connect to the Microsoft Graph API and get basic information about the user, for example the manager or direct reports.

I've followed an O365 tutorial and I've got a working app that is able to get a user's mail. However, when I try to then use the session tokens to query the Graph API, I get an error:

response.body
=> "{\r\n  \"error\": {\r\n    \"code\": \"InvalidAuthenticationToken\",\r\n    \"message\": \"Access token validation failure.\",\r\n    \"innerError\": {\r\n      \"request-id\": \"18cbc6be-5254-400c-9780-7427376587fb\",\r\n      \"date\": \"2016-06-30T22:21:55\"\r\n    }\r\n  }\r\n}" 

I'm using scopes

SCOPES = [ 'openid', 'profile', 'https://outlook.office.com/contacts.read', 'offline_access' ] 

I've just been suggested to include the scope 'https://graph.microsoft.com/user.read', but when I add this to the application I get the following error before even hitting the user login page:

AADSTS70011: The provided value for the input parameter 'scope' is not valid. The scope openid profile offline_access https://graph.microsoft.com/user.read is not valid.

Any help on this would be appreciated!

Lievcin
  • Could you post the full URL that you're using to access the login page? – Jason Johnston Jul 01 '16 at 16:50
  • https://login.microsoftonline.com – Lievcin Jul 01 '16 at 16:51
  • I mean with all of the parameters :). You can copy it from the browser when you land on the error. – Jason Johnston Jul 01 '16 at 16:53
  • https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=c9c7bdc1-9cea-4ea4-8082-f885b046fd60&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauthorize&response_type=code&scope=openid+profile+https%3A%2F%2Foutlook.office.com%2Fcontacts.read+offline_access+https%3A%2F%2Fgraph.microsoft.com%2Fuser.read – Lievcin Jul 01 '16 at 16:58

1 Answer


Ok. The problem is that you are including scopes for both Outlook (the https://outlook.office.com/contacts.read scope) and Graph (the https://graph.microsoft.com/user.read scope). Unfortunately Azure's authorization endpoint doesn't support mixing scopes like that. You can either remove the Outlook scope (assuming you don't need it), or change it to the Graph equivalent: https://graph.microsoft.com/contacts.read (if you need to access the logged on user's personal contacts).

Jason Johnston
  • Thanks a lot Jason. I can now do at least /me :) – Lievcin Jul 01 '16 at 17:28
  • When I try to get the direct reports I get an error saying: code: Authorization_RequestDenied, message: Insufficient privileges to complete the operation. Do you know if there's a resource with the scopes and whether some of them are only accessible to admins? – Lievcin Jul 01 '16 at 17:30
  • It looks like the Graph docs have a mistake. The link for direct reports says User.Read will work, but http://graph.microsoft.io/en-us/docs/authorization/permission_scopes says with User.Read you cannot read "navigation properties like manager and direct reports." Let me ask the Graph folks what's going on. – Jason Johnston Jul 01 '16 at 17:37
  • I've found this page: https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#PermissionScopeConcepts which says that in order to get information about managers and direct reports an administrator has to consent to it... so I end up in a screen with this error: AADSTS90093: Calling principal cannot consent due to lack of permissions. Wondering how it is that one gets consent for an app in dev :) also, not even sure who my admin even is to consent to this... we're in a 100K employees company! – Lievcin Jul 01 '16 at 19:33
  • I reproduce this, I'm checking with the Graph folks for confirmation that this is intended. – Jason Johnston Jul 01 '16 at 20:27
  • I also see that User.Read should be enough here: https://github.com/OfficeDev/microsoft-graph-docs/blob/master/api-reference/v1.0/api/user_list_directreports.md – Lievcin Jul 01 '16 at 21:58
  • I got confirmation from the Graph folks that it **does** require admin consent, by design. Let them know your thoughts on this here: https://officespdev.uservoice.com/ :) – Jason Johnston Jul 05 '16 at 14:45
  • Having similar problem with EWS at https://stackoverflow.com/questions/41366134/utilizing-oauth2-for-office365-through-exchange-activesync-eas . Can you help? – grebulon Jun 29 '17 at 11:59
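The scope-mixing problem from the accepted answer can be caught in the app before the authorize redirect is ever built. The Ruby below is an added example, not code from the question or the answer: it checks that all resource scopes in a request point at a single resource host, rewrites Outlook REST scopes to the Graph host (the answer confirms this mapping for contacts.read; treating it as general is an assumption), and builds the v2.0 authorize URL. CLIENT_ID is a placeholder; the redirect URI and authorize endpoint are the ones shown in the question.

```ruby
require 'uri'

# Constructed values: CLIENT_ID is a placeholder, the rest match the question.
CLIENT_ID    = 'YOUR-CLIENT-ID'
REDIRECT_URI = 'http://localhost:3000/authorize'
AUTHORIZE    = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'

# OpenID Connect scopes carry no resource host and may accompany any resource.
OIDC_SCOPES = %w[openid profile offline_access].freeze

# Distinct resource hosts the scope list refers to, ignoring OIDC scopes.
def resource_hosts(scopes)
  scopes.reject { |s| OIDC_SCOPES.include?(s) }
        .map { |s| URI.parse(s).host }
        .uniq
end

# The v2.0 authorize endpoint rejects a request whose scopes span more than
# one resource (AADSTS70011 above), so fail fast before redirecting the user.
def validate_scopes!(scopes)
  hosts = resource_hosts(scopes)
  if hosts.size > 1
    raise ArgumentError, "scopes target several resources: #{hosts.join(', ')}"
  end
  scopes
end

# Assumption: an Outlook REST scope maps to the Graph scope of the same name,
# as the answer states for contacts.read.
def to_graph_scopes(scopes)
  scopes.map do |s|
    s.sub(%r{\Ahttps://outlook\.office\.com/}, 'https://graph.microsoft.com/')
  end
end

# Build the authorization-code request; scopes are space separated.
def authorize_url(scopes)
  validate_scopes!(scopes)
  query = URI.encode_www_form(
    client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    response_type: 'code', scope: scopes.join(' ')
  )
  "#{AUTHORIZE}?#{query}"
end
```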