I am trying to list the Outlook Task Folders using Microsoft Graph with Postman. Following is the URL I am using:

 https://graph.microsoft.com/beta/me/outlook/taskFolders

After adding the Bearer Token in the request header, I am getting the following response from Graph:

```
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood.",
```

I have already enabled the following permissions: Tasks.ReadWrite. What am I missing here?

Marc LaFleur
DCZ
  • Can you add how you are getting the access token? – juunas Jan 13 '20 at 06:41
  • This is the URL I am using for getting the token: https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token And following are the parameters passed as part of the GET request: grant_type - client_credentials, scope - https://graph.microsoft.com/.default, client_id, client_secret – DCZ Jan 13 '20 at 07:11
  • Can you clarify, did you mean `POST` instead of `GET` request (hint: it _should_ be a `POST` :) ) – Marc LaFleur Jan 14 '20 at 22:21

1 Answer

I can reproduce your issue while using the client credentials flow to get the access token. I decoded the access token and did not see the permission I assigned. As the article said:

> The permission is delegated from the user to the application, usually during the consent process. However, in the client credentials flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.

So I suggest that you use the OAuth 2.0 authorization code flow to get the access token, and add your Tasks.Read permission in the scope.

```
https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=https://localhost:123
&response_mode=query
&scope=https://graph.microsoft.com/Tasks.Read
```

For more details on getting an access token with the auth code flow, you can refer to this article.

Joey Cai
  • Can I use the URL "https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize? client_id=xxxxx &response_type=code &redirect_uri=https://localhost:123 &response_mode=query &scope=https://graph.microsoft.com/Tasks.Read" in Postman? Because I guess the above URL takes us to the login page, but I would need to access the TaskFolder Graph API from an application. Please let me know if my understanding is not correct. – DCZ Jan 13 '20 at 07:31
  • You can use the URL in a browser and log in to your account. After you get the access token, you can decode it and you will find the `Tasks.Read` permission in the `scp` property. – Joey Cai Jan 13 '20 at 07:33
  • As the permission is delegated, you need to use a user to log in. – Joey Cai Jan 13 '20 at 07:34
  • Because when I am hitting the above URL, it is taking me to the sign-in page, which may not work for me, as I wanted it inside the C# code. – DCZ Jan 13 '20 at 07:52
  • If so, I will suggest that you could use [OAuth 2.0 Resource Owner Password Credentials](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) flow. – Joey Cai Jan 13 '20 at 08:00
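
The token check described in the answer and comments (decode the access token and look for the permission), as an added example that is not part of the original thread: it reads the `scp` claim (delegated permissions) and the `roles` claim (application permissions) from a token payload. The function names and both sample tokens are constructed for illustration; the samples are unsigned and are not real Azure AD tokens.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(token: str) -> dict:
    """Delegated permissions are in 'scp' (space-separated); app permissions in 'roles'."""
    claims = decode_claims(token)
    return {
        "delegated": claims.get("scp", "").split(),
        "application": list(claims.get("roles", [])),
    }


def diagnose(token: str, needed: str) -> str:
    perms = granted_permissions(token)
    if needed in perms["delegated"]:
        return "ok-delegated"
    if needed in perms["application"]:
        return "ok-application"
    if not perms["delegated"] and not perms["application"]:
        return "no-permissions-in-token"  # matches the error shown in the question
    return "permission-missing"


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token (not a real Azure AD token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed samples: client-credentials token with no app permissions vs. a user token.
APP_ONLY_TOKEN = make_sample({"aud": "https://graph.microsoft.com", "appid": "example-client-id"})
USER_TOKEN = make_sample({"aud": "https://graph.microsoft.com", "scp": "Tasks.Read User.Read"})

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_ONLY_TOKEN), ("auth code", USER_TOKEN)):
        print(f"{name}: {granted_permissions(tok)} -> {diagnose(tok, 'Tasks.Read')}")
```

An access token is a bearer credential, so decode it locally like this rather than pasting it into an online decoder.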