
The requirement is to access details from Microsoft Bookings using the Graph API beta. I followed the steps here to get access without a user, but during the step of allocating permissions, the permissions for 'Booking' and 'Booking Appointment' are present only in Delegated permissions (Your application needs to access API using signed-in user) and not in Application permissions (Your application runs as a background service or daemon without a signed-in user).

Without this permission, I am unable to access the Bookings APIs using grant_type as client_credentials. The problem with using a signed-in user is that MFA is enabled for the user, and hence I am unable to access the APIs using grant_type as password.

Can anyone please help with a solution to this issue? Thanks in advance.

Carl Zhao
Sneha Dominic
  • Microsoft Bookings does not support application permissions and can only use delegated permissions, so users must be logged in. Have you tried using auth code flow? https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow – Carl Zhao Dec 21 '20 at 06:21
  • Thanks for the information @CarlZhao. No, I haven't tried it. So, if MFA is required for the user, can we access token using auth code flow? At present, I was retrieving access token using HttpClient and using it to build GraphServiceClient object. After MFA is enabled for the user, API calls were failing with error description as "error_description": "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '' – Sneha Dominic Dec 21 '20 at 06:53
  • Yes, the auth code flow allows users with multi-factor authentication to log in to the application. – Carl Zhao Dec 21 '20 at 06:58

1 Answer

Microsoft Bookings does not support application permissions and can only use delegated permissions, so users must be logged in.

If you enable MFA for users, you cannot use the ROPC flow. For your problem, I recommend that you use the auth code flow, which allows users with multi-factor authentication to log in to the application.

Carl Zhao
  • Thanks a lot for your help. I am new with working on Graph APIs and it would have been really helpful if you can provide any reference to code examples using C# for this authorization code flow. – Sneha Dominic Dec 21 '20 at 07:05
  • @SnehaDominic Does this help you? https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/aspnetcore2-2-signInAndCallGraph – Carl Zhao Dec 21 '20 at 07:32
  • I have a doubt regarding the given code sample. There is a user sign-in experience needed after running the application. We are asked to sign in with a personal/work account. [https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/aspnetcore2-2-signInAndCallGraph#step-3-run-the-sample] In my requirement, these APIs are exposed to be used by another app. So, in this case, how can we facilitate a user sign-in experience? Is that possible? – Sneha Dominic Dec 21 '20 at 09:10
  • @SnehaDominic What is the user login experience? Can you explain? – Carl Zhao Dec 21 '20 at 09:38
  • By user login experience, what I meant is that, when we run the application, the first step is mentioned as to login to Microsoft account. So the sign-in window is displayed in browser, where we need to give the username, password and MFA if needed and login. After that code is generated and is then used in fetching access token. In my case, the APIs that are using Graph API calls are exposed and it is used by another mobile app. So, how can we facilitate this user interaction for login to Microsoft account when API calls are made? – Sneha Dominic Dec 21 '20 at 09:53
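
The authorization code flow recommended in the answer, written out at the protocol level in C# for .NET 6 or later. This is an added example, not code from the thread or from the linked Microsoft sample. The tenant, client ID, redirect URI and the choice of the `Bookings.Read.All` delegated scope are assumed placeholder values, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
static class AuthCodeFlowExample
{
    // Assumed placeholders: replace with the values of your own app registration.
    const string Authority = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0";
    const string ClientId = "<client-id>";
    const string RedirectUri = "https://localhost:5001/signin-oidc";
    const string Scope = "https://graph.microsoft.com/Bookings.Read.All offline_access";
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Step 1: URL the user's browser is sent to. Password and MFA are entered on that
    // page, never in this app, so the flow works where grant_type=password does not.
    public static (string Url, string State, string Verifier) BuildAuthorizeUrl()
    {
        string state = B64Url(RandomNumberGenerator.GetBytes(16));    // binds response to this session
        string verifier = B64Url(RandomNumberGenerator.GetBytes(32)); // PKCE secret, kept server-side
        var q = HttpUtility.ParseQueryString(string.Empty);           // ToString() URL-encodes values
        q["client_id"] = ClientId;
        q["response_type"] = "code";
        q["redirect_uri"] = RedirectUri;
        q["scope"] = Scope;
        q["state"] = state;
        q["code_challenge"] = B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        q["code_challenge_method"] = "S256";
        return (Authority + "/authorize?" + q, state, verifier);
    }

    // Step 2: validate the query string of the redirect before trusting the code in it.
    public static string ReadCode(string callbackQuery, string expectedState)
    {
        var q = HttpUtility.ParseQueryString(callbackQuery);
        if (q["error"] != null)
            throw new InvalidOperationException(q["error"] + ": " + q["error_description"]);
        if (q["state"] != expectedState)
            throw new InvalidOperationException("state mismatch: response does not belong to this session");
        return q["code"] ?? throw new InvalidOperationException("no authorization code in response");
    }

    // Step 3: form fields to POST to Authority + "/token" with HttpClient and FormUrlEncodedContent.
    public static Dictionary<string, string> TokenRequest(string code, string verifier, string clientSecret) => new()
    {
        ["grant_type"] = "authorization_code", ["client_id"] = ClientId, ["scope"] = Scope,
        ["code"] = code, ["redirect_uri"] = RedirectUri,
        ["code_verifier"] = verifier, ["client_secret"] = clientSecret,
    };
}
```

The token request in step 3 carries the client secret, so it belongs on the server side; the JSON response contains the `access_token` to pass to `GraphServiceClient`.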