
I want to query application roles and group claims from Azure Active Directory in my Angular 5 Web App. I want to give admins special permissions / access to pages. I have registered a B2C App in Azure and a Microsoft App at https://apps.dev.microsoft.com and have tried querying data via Microsoft Graph with MSAL.js.

I used the Application ID from my B2C Web App as the clientID, acquired a token, and called the endpoint "https://graph.microsoft.com/v1.0/users". The data returns as an array with one user with my information. When I query the groups I get an empty array. My app right now has multiple test users, and a few groups.

It seems I am pulling data unrelated to my app in Azure. Am I querying the right source of data? Do I need to set other permissions or scopes?

I found a post that has useful info about group claims. I've tried applying it to my Angular App, but the .NET libraries seem more fleshed out than Angular's.

More information: It wasn't helpful, but I played around with registering an Active Directory App, created two APIs (Microsoft Graph and Windows Azure Active Directory) and set required permissions for both. I tried to use that app's Application ID in MSAL.js with the Azure Graph API endpoint "https://graph.windows.net", which was unsuccessful. I have played around with using the Graph Explorer, but the most I was able to query was that one user.

Aaron Chen
afriedman111
  • I'm afraid that you cannot use Microsoft Graph to achieve that for now. You'd better use [Azure AD Graph API](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api-quickstart). – Wayne Yang Jan 08 '18 at 07:40
  • So I switched my endpoint to use the Azure AD Graph: https://graph.windows.net/myorganization/users?api-version=1.6. I retrieve a token first with MSAL.js (I have verified that a value is populating) and then try to fetch the resource, but I get an error with "code": "Authentication_MissingOrMalformed". I have tried a bunch of permutations. Any recommendations? – afriedman111 Jan 09 '18 at 15:37
  • See [this answer](https://stackoverflow.com/a/48216117/185123) from Chris Padgett – spottedmahn Jan 13 '18 at 03:43
  • Actually I wrote a [more in-depth answer](https://stackoverflow.com/a/48930585/6569899) that can hopefully help others. – afriedman111 Feb 22 '18 at 15:06

1 Answer


I re-read this article about the Azure AD Graph API and noticed that in order to query the Graphs, you need to use a user id that is local to your tenant’s domain and is an admin. When I created and used my tenant’s admin (from that domain), all of the queries worked. Also I needed the Directory.Read scope. I wrote in more detail about this and a few other roadblocks I came upon here.

afriedman111
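A pre-flight check on the bearer token MSAL.js hands back, before it is sent to the Azure AD Graph endpoint from the comments above; this is an added example in plain JavaScript, not code from the question or the answer. It decodes the token and reports whether its audience, delegated scopes and expiry match what graph.windows.net expects, since a token issued for a different resource (for example Microsoft Graph) is one common cause of "Authentication_MissingOrMalformed". Assumptions: the accepted audience values and the full permission name Directory.Read.All (the answer calls it Directory.Read) are mine, the sample token is constructed and unsigned, and no signature verification is performed here (the service does that).

```javascript
// Added example: inspect an Azure AD bearer token before calling Azure AD Graph.
// Decoding only; the signature is NOT verified, so this is a sanity check, not authorization.
const AAD_GRAPH_USERS_URL = "https://graph.windows.net/myorganization/users?api-version=1.6";
// Assumption: tokens for Azure AD Graph carry the resource URL as "aud" (trailing slash optional).
// If your tokens show the resource's application ID GUID instead, add it to this list.
const ACCEPTED_AUDIENCES = ["https://graph.windows.net"];

// JWT segments are base64url without padding; convert to standard base64 before decoding.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected header.payload.signature");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns a list of problems; an empty list means the token looks usable for the endpoint.
function checkGraphToken(token, { requiredScope = "Directory.Read.All", now = Date.now() / 1000 } = {}) {
  let claims;
  try { claims = decodeJwtPayload(token); } catch (e) { return [e.message]; }
  const problems = [];
  // "aud" is the resource the token was issued for; graph.windows.net rejects tokens for other resources.
  const aud = String(claims.aud || "").replace(/\/$/, "");
  if (!ACCEPTED_AUDIENCES.includes(aud)) problems.push(`aud is "${claims.aud}", expected one of ${ACCEPTED_AUDIENCES.join(", ")}`);
  // "scp" lists the delegated permissions granted on this token, space separated.
  const scopes = String(claims.scp || "").split(" ").filter(Boolean);
  if (!scopes.includes(requiredScope)) problems.push(`scp lacks ${requiredScope} (got: ${scopes.join(", ") || "none"})`);
  // "exp" is seconds since the epoch; an expired token is also reported as malformed/missing.
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("token is expired or has no exp claim");
  return problems;
}

// The request the MSAL.js token is used in: the token goes in the Authorization header as a bearer token.
function graphUsersRequest(token) {
  return { url: AAD_GRAPH_USERS_URL, method: "GET", headers: { Authorization: `Bearer ${token}`, Accept: "application/json" } };
}

// Constructed sample token for demonstration only: unsigned, with a dummy signature segment.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

module.exports = { checkGraphToken, graphUsersRequest, fakeToken, decodeJwtPayload };
```

Run `checkGraphToken` on the value MSAL.js returns; if it reports an audience mismatch, the token was requested for the wrong resource rather than rejected for missing permissions.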