Python MSAL - admin consent required error, when consent is already given - azure-active-directory

I am trying to request the Directory.Read.All scope using Microsoft's MSAL library & retrieve a valid access/refresh token pair with the acquire_token_by_authorization_code function.
I ask an organization's admin to consent to the above application permission with the /adminconsent endpoint (and have confirmed that permissions have been granted - see screenshot below). However, when trying to retrieve an access token with the Directory.Read.All scope, I get the following error:
{'error': 'invalid_grant', 'error_description': "AADSTS65001: The user or administrator has not consented to use the application with ID 'XXX' named 'XXX'. Send an interactive authorization request for this user and resource [...]'suberror': 'consent_required'}
Not exactly sure how this can be the case - as the permission is clearly granted. I have tried resetting the token cache by removing all MSAL accounts, but doubt this is the root of the issue, as the actual step that fails is converting an authorization code to access token.
Thanks for any help!

I can reproduce your error:
If you use the auth code flow to obtain an access token, you should grant delegated permissions, because this is a authorization flow with user interaction, so try to grant Directory.Read.All delegated permissions, and then grant admin consent for the permissions.

Related

Permissions required for graph beta synchronization endpoint

I'm trying to use a Service Principal and the ms graph api to call the beta synchronization/jobs/ endpoint but get a 401 Unauthorized error.
Now I know in the documentation it says I need the Application.ReadWrite.OwnedBy or Directory.ReadWrite.All scopes, but I would rather use role permissions assigned to the Service Principal to keep access more granular.
I've assigned the Principal to the application administrator role, this allows me to access https://graph.microsoft.com/beta/servicePrincipals/{object-id}/ but when I try https://graph.microsoft.com/beta/servicePrincipals/{object-id}/synchronization/jobs/ I get a 401 code with
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-06-28T14:35:44",
"request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7",
"client-request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7"
}
}
}
Is there some role permission I'm missing or is this endpoint not compatible with role permissions yet? Or most likely am I being silly and missing something?
I've tried using the golang adal package and the az account get-access-token --resource https://graph.microsoft.com command to get a token.
I can access this endpoint when authenticated as my AAD user with Global admin role.
The application permission of Microsoft Graph cannot be completely replaced by directory role permissions. They cannot replace each other.
Generally speaking, the permissions of the AAD Graph and the directory role permission have a certain overlap. But Microsoft Graph is not.
Please use Application permission Application.ReadWrite.OwnedBy or Directory.ReadWrite.All in this case.
I was able to get it to work by adding following Microsoft Graph API permission Application.ReadWrite.All & Directory.ReadWrite.All for application which I used to authenticate and get Access_token.
Working API permission on my lab:
If any of these two permission missing then expected to get (401) Unauthorized same as you.

Can't access to power bi api from ROPC

I try to get reports from power bi api. There is app with permissions, enter image description here. My request enter image description here. If i insert "openid" to scopes or any of Microsoft Graph scopes, request return access token. This token dont let me access to reports. If i insert "Report.Read.All" or any of Power BI scopes, i recieve invalid_grant error: 'The user or administrator has not consented to use the application with ID named 'Интеграция с Битрикс24'. Send an interactive authorization request for this user and resource.'. Request from error message was send was sent by me many times. enter image description here. Please tell me what could be the mistake. What setting could I forget?
need to insert full url scope in request body to access power bi token. https://analysis.windows.net/powerbi/api/Report.Read.All instead of Report.Read.All
I could help you with an alternative where you can update the Graph Client to a Newer version. The admin of the subscription can grant the consent through the portal as shown below from Home > App > API Permissions.
We have done the following steps:
Using the following Steps:
Revoke all admin consent.
Remove all permissions
Add removed permissions back.
Grant admin consent.
Here is the Microsoft Document which you can refer to : Construct the URL for granting tenant-wide admin consent

Getting 401 Unauthorized for plan when using daemon API

I am using a daemon auth API and I am able to get /groups but if try and use /groups/GROUPID/planner/plans I get a UnknownError and the message says
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials
that you supplied.
I have Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All permissions as per the documentation. And I am using the https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0 (Get access without a user
) steps to get my token. I have got my administrator to click the Grant access (they are all "Granted").
Only planner stuff seem to be the issue (I can get, create, delete groups, and everything else) I am using v1.0 of the API and I tried beta both didn't work.
I checked my access token on jwt and it has
"roles": [
"Group.Read.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"Directory.Read.All"
],
Which I assume means they are all there.
You are using client credentials flow which uses application permission. But GET /groups/{group-id}/planner/plans api doesn't support application permission. It needs delegated permissions. See the difference here.

Not able to get access_token for Microsoft Graph API OAuth 2.0 using username & password

I am trying to get access_token using
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
endpoint using username and password where tenant = {some tenant id}
The parameters that I am using to make the request are:
client_id:{client_id}
scope:https://graph.microsoft.com/Calendars.ReadWrite
client_secret:{client_secret}
username:{username}
password:{password}
grant_type:password
I am getting the following error in response:
error: invalid_request
error_description : AADSTS90002: Tenant '' not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.
I have the following permissions for my application available on Azure:
The documentation for this is available here : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
On my side, it works. You should check your tenant whether your application is registered in this tenant.
I solved this issue by purchasing a subscription and adding my user as an administrator.
After that, I added two permissions to my application to get the delegate access for using ROPC (Resource Owner Password Credential)authentication method and granted them with the administrator consent.

Azure AAD and Graph API: Insufficient privileges to complete the operation

Context: I've a console app which wants to use Graph API to talk to AAD to check if a particular userId exists in the tenant or not.
I've been following the guidelines here: https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
I'm able to generate a token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=x
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=x
&grant_type=client_credentials
But when I call the graph API I get this ERROR:
https://graph.microsoft.com/v1.0/users/12345678-73a6-4952-a53a-e9916737ff7f
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "x",
"date": "x"
}
}
}
My AAD App has all the permissions from:
1. Microsoft Graph
2. Windows Azure Active Directory
I tried changing the scope to
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
But this is the error I get while generating token:
The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/user.read is not valid.
I've tried combinations of "User.Read", "User.Basic.Read", etc. but nothing works.
The most likely reason why this is not working is because the permission which you have configured your app registration to require have not actually been granted by an administrator of your organization.
In your code, your app is authenticating as an application only. There is no signed-in user involved, and it requires your app to use and keep confidential a key used to authenticate (the client_secret parameter).
In this scenario, requesting the scope https://graph.microsoft.com/.default is the correct approach. What you're saying to Azure AD is: "please provide an access token for all the application permissions this app has been granted". Requesting the scope https://graph.microsoft.com/User.Read is not the correct approach because there is no application permission with that name.
Does the app you created have delegated permissions or application permissions to that scope?
Most likely the former. Delegated permissions don’t apply to client credentials flow.

Resources