1

I need to create a schema extension.

Following: Create schemaExtension - Microsoft Graph v1.0 | Microsoft Docs


Code is:

  // Client credentials grant: the token is issued to the app itself (no user).
  var authenticationContext = new AuthenticationContext(authString, false);
  ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
  AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resourceId, clientCred);
  string token = authenticationResult.AccessToken;
  var responseString = String.Empty;

  using (var client = new HttpClient())
  {
    string requestUrl = "https://graph.microsoft.com/beta/schemaExtensions";
    string postJson = "{\"id\":\"graphlearn_courses\",\"description\": \"Graph Learn training courses extensions\", \"targetTypes\":[\"Group\"], \"properties\": [{ \"name\": \"courseId\",\"type\": \"Integer\"},  {\"name\": \"courseName\",\"type\": \"String\"},  {\"name\": \"courseType\", \"type\": \"String\"}]}";

    // POST the schema extension definition with the bearer token.
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, requestUrl);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    request.Content = new StringContent(postJson, Encoding.UTF8, "application/json");
    Debug.WriteLine(request.ToString());

    // Await instead of blocking on .Result inside an async method.
    HttpResponseMessage response = await client.SendAsync(request);
    responseString = await response.Content.ReadAsStringAsync();
  }

Token:

  "roles": [
    "User.ReadWrite.All",
    "Group.Read.All",
    "Directory.ReadWrite.All",
    "User.Read.All"
  ],

Not getting: Directory.AccessAsUser.All

User Credentials:

  UserPasswordCredential userCred = new UserPasswordCredential(userId, userPassword);
  var authenticationContext = new AuthenticationContext(authString, false);
  ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
  AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resourceId, clientId, userCred);      
  string token = authenticationResult.AccessToken;

Error:

AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'

Any ideas on how to connect to Azure AD on behalf of a user with an app ID?

TAbdiukov
Furqan Misarwala

2 Answers

0

You are not getting the delegated permission because you are using the client credentials grant to authenticate. You are essentially authenticating as the app, so there is no user involved.

You will need to use a different way to authenticate. Check out this sample on GitHub.

Especially the AuthenticationHelper class where it does authentication with:

  AuthenticationContext authenticationContext = new AuthenticationContext(UserModeConstants.AuthString, false);
  AuthenticationResult userAuthnResult = await authenticationContext.AcquireTokenAsync(GlobalConstants.ResourceUrl,
        UserModeConstants.ClientId, redirectUri, new PlatformParameters(PromptBehavior.RefreshSession));
  TokenForUser = userAuthnResult.AccessToken;
  Console.WriteLine("\n Welcome " + userAuthnResult.UserInfo.GivenName + " " +
                    userAuthnResult.UserInfo.FamilyName);
juunas
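The app-only versus delegated distinction described in the answer above can be checked on the access token itself. The following is an added example, not code from the original posts or from the linked sample: it decodes a JWT payload without validating the signature (diagnostic use only) and reports whether the token carries application permissions in the "roles" claim or delegated permissions in the "scp" claim. The TokenInspector class, its method names and the sample token are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenInspector   // hypothetical helper, not part of ADAL or Graph
{
    // Decode the payload segment of a JWT. No signature check: for inspection only,
    // never use this as a substitute for token validation.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');      // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='); // restore padding
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // Azure AD puts application permissions in "roles" (array) and
    // delegated permissions in "scp" (space-separated string).
    public static string Describe(JsonElement payload, string requiredScope)
    {
        if (payload.TryGetProperty("scp", out JsonElement scp) && scp.ValueKind == JsonValueKind.String)
        {
            bool present = (scp.GetString() ?? "").Split(' ').Contains(requiredScope);
            return present
                ? "delegated token: " + requiredScope + " present"
                : "delegated token: " + requiredScope + " missing (not configured or not consented)";
        }
        if (payload.TryGetProperty("roles", out JsonElement roles) && roles.ValueKind == JsonValueKind.Array)
            return "app-only token (" + roles.GetArrayLength() + " roles): " + requiredScope
                 + " is a delegated permission and cannot appear here";
        return "token has neither scp nor roles";
    }

    public static void Main()
    {
        // Constructed sample: payload with the roles shown in the question, dummy header and signature.
        string payload = "{\"roles\":[\"User.ReadWrite.All\",\"Group.Read.All\",\"Directory.ReadWrite.All\",\"User.Read.All\"]}";
        string segment = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string jwt = "e30." + segment + ".sig";
        Console.WriteLine(Describe(DecodePayload(jwt), "Directory.AccessAsUser.All"));
    }
}
```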
0

Found the solution here.

You should change the "Application Type" to "NATIVE CLIENT APPLICATION" while creating the application in the Azure portal.

TAbdiukov
Furqan Misarwala