
I have a web application which uses App only tokens to override the end user's permission to retrieve all Site Collections in the tenant. When attempting to use the boilerplate code provided in the example with one minor change, the Graph API is returning accessDenied when attempting to issue the call https://graph.microsoft.com/v1.0/sites?search=*. If I remove WithAppOnly(), the call succeeds [if Delegated rights for Sites.Read.All is assigned]. The Azure AD registered app has admin approved Application-scoped Sites.Read.All assigned to it.

var queryOptions = new List<QueryOption>()
{
    new QueryOption("search","*")
};

var sites = await graphServiceClient.Sites.Request(queryOptions)
    .WithAppOnly()
    .WithScopes("Sites.Read.All")
    .GetAsync();

ServiceException: Code: accessDenied
Message: Access denied
Inner error:
AdditionalData:
date: 2021-03-20T21:45:27
request-id: 16933bd6-5e7f-4820-9563-fec75575c9b2
client-request-id: 16933bd6-5e7f-4820-9563-fec75575c9b2
ClientRequestId: 16933bd6-5e7f-4820-9563-fec75575c9b2
  • Pick up your accessToken, put it in https://jwt.ms and see if you have the Sites.Read.All in `roles` claim. – Shiva Keshav Varma Mar 21 '21 at 12:29
  • Yea, it certainly isn't picking up any Sites.* permission levels. But the AAD app has the rights and the app should be requesting those same rights. I do see Group.ReadWrite.All, which is another API it was granted access to and retrieving Groups works, yet I'm not requesting the permissions differently between Sites and Groups. –  Mar 21 '21 at 17:51
  • FWIW I'm following the documentation at https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#you-can-now-specify-scopes-and-app-permissions-for-graphserviceclient. So while for some odd reason I have Groups.ReadWrite.All, Sites.Read.All, ReadWrite, etc. are not in the token. –  Mar 21 '21 at 18:37

1 Answer

You need to add the Sites.Read.All application permission in the Azure portal. [screenshot of the API permissions page]

Note: click the button shown in the screenshot, because this permission requires admin consent.

Try to test with client credentials flow.

// Get access token
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={client_id}
&scope=https://graph.microsoft.com/.default
&client_secret={client_secret}
&grant_type=client_credentials

// Call MS Graph API
GET https://graph.microsoft.com/v1.0/sites?search={query}
  • This isn't the problem as the application already has that (among other) rights. For some reason it is only picking up `Group.ReadWrite.All` and `User.Read`. –  Mar 22 '21 at 15:33
  • @TrevorSeward Have you tried to delete the `.WithScopes("Sites.Read.All")` in your code? When using app permissions, the scope needs to be `https://graph.microsoft.com/.default`. – unknown Mar 23 '21 at 01:35
  • Tried it, unfortunately no change to the Roles. It is still only picking up those two roles. I'd understand if it wasn't picking up any roles, but to selectively pick up just two is really strange. –  Mar 23 '21 at 14:57
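An added diagnostic, not code from the question, the answer, or Microsoft.Identity.Web, that does offline what the comments above suggest doing in jwt.ms: decode the access token's payload and check whether the required application permission appears in the `roles` claim (app-only token) rather than `scp` (delegated token). The tokens are constructed, unsigned samples; the signature is deliberately not verified, so this is for troubleshooting only.

```python
import base64
import json

REQUIRED_APP_ROLE = "Sites.Read.All"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Read the payload claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic only (what jwt.ms shows); never use unverified claims
    for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_graph_token(token: str, role: str = REQUIRED_APP_ROLE) -> str:
    """Explain why a Graph call that needs an application permission is rejected:
    delegated tokens carry 'scp', app-only tokens carry 'roles'."""
    claims = decode_claims(token)
    roles = claims.get("roles", [])
    scopes = claims.get("scp", "").split()
    if scopes:
        return f"delegated token (scp={scopes}); app-only call needs '{role}' in roles"
    if role in roles:
        return f"ok: app-only token carries {role}"
    return f"app-only token missing '{role}' (roles={roles}); check admin consent / scope=.default"

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."

# Constructed samples mirroring the thread: a token missing the Sites role,
# one that has it, and a delegated token such as one obtained without WithAppOnly().
MISSING = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["Group.ReadWrite.All"]})
GOOD = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"]})
DELEGATED = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Sites.Read.All User.Read"})

if __name__ == "__main__":
    for name, tok in ("MISSING", MISSING), ("GOOD", GOOD), ("DELEGATED", DELEGATED):
        print(name, "->", diagnose_graph_token(tok))
```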