Azure B2C: Microsoft Graph API - InvalidAuthenticationToken - azure-active-directory

I'm trying to call /me on the Microsoft Graph API after logging into an Azure B2C Active Directory from iOS.
Using the sample application at: https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msa I've replaced the constants such that sign-up and sign-in work. I've set the kGraphURI to https://graph.microsoft.com/v1.0/me. The code looks like this:
let kTenantName = "mytenant.onmicrosoft.com"
let kAuthorityHostName = "mytenant.b2clogin.com"
let kClientID = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
let kSignupOrSigninPolicy = "B2C_1A_signup_signin"
let kGraphURI = "https://graph.microsoft.com/v1.0/me"
let kScopes: [String] = ["https://mytenant.onmicrosoft.com/api/user_impersonation"]
The value for kScopes is set to the only API my application has available, which was created as part of the instructions for setting up user policies.
When I try to call https://graph.microsoft.com/v1.0/me I get back:
{ "error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "e923673f-25cb-44be-b3b9-94eda660d4f6",
"date": "2020-02-11T08:31:24"
} } }
If I try to set kScopes to https://graph.microsoft.com/User.Read I get an error:
Could not acquire token: Error Domain=MSALErrorDomain Code=-50000
"(null)" UserInfo={MSALErrorDescriptionKey=Authentication response
received without expected accessToken,
MSALInternalErrorCodeKey=-42008,
MSALCorrelationIDKey=FFCCD1D4-F0C8-46E6-85B2-A5642F1D4E1D}
How do I call the /me Microsoft Graph API with an access token from Azure B2C Active Directory?

You cannot use the Azure AD B2C issued access tokens to call Azure AD or Microsoft Graph API. You must have the user call your API, and your API needs to use client_credentials to obtain a token for Graph API using the Azure AD token endpoint of your B2C directory. Then the API can query Graph API for the user and return the result.
Azure AD B2C access tokens can only be used to access your own protected resources.

Related

No authorization information present on Microsoft Graph API request

I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn

Trying to use Graph API to get user's channels and post messages to MS Teams Channel from Web App

I'm trying to write a web app on our website which gets a User's MS Team channels and then posts a message to a channel of their choosing using MS Teams Graph API.
I'm about to get an access token using the OAuth API, and I'm passing access token (AAD token) to the /me/joinedTeams endpoint, it's giving me the below error:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"date": "2021-05-14T20:57:03",
"request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806",
"client-request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806"
}
}
}
Screenshot of my Graph Explorer results
UPDATE:
I have gotten my account converted to a Work account, and added the permissions. Now I am getting this response/error:
Screenshot of new Graph Explorer results
It's better for you to share how to get an access token using the OAuth API. In this issue , it seems your signed-in user is a personal Microsoft account, that's not supported to access the /me/joinedTeams endpoint. Doc of this API.
There are some notes here:
When using Graph Explorer, access token is here after login. You don't need to add bearer token in Request headers.
You have to sign in with a work or school account, and you need to consent one of the required permissions in "modify permissions(Preview)".

Create Microsoft teams meeting through API

In Azure Active Directory I've registered a new app and given it the Read and create online meetings permissions. I've granted admin consent for the permission and now I'm trying to create a meeting through the command line.
I generated a client secret for the app.
Then I'm requesting a access token using my tenant GUID, client ID of the app and client secret I generated. This gives me back a jwt. When I decode the JWT amongst the roles I can see "OnlineMeetings.ReadWrite.All" which gives me hope that I can actually create meetings using this bearer token.
I then send a POST request to https://graph.microsoft.com/v1.0/users/<my-user-guid>/onlineMeetings
with the following body:
{
"startDateTime":"2021-03-16T14:33:30.8546353-07:00",
"endDateTime":"2021-03-16T15:03:30.8566356-07:00",
"subject":"Application Token Meeting",
"participants": {
"organizer": {
"identity": {
"user": {
"id": "<my-user-guid>"
}
}
}
}
}
and the response comes back with
"code": "Forbidden",
"message": "Application does not have permission to Create online meeting on behalf of this user.",
Am I missing something?
Edit:
As some of the comments have suggested I should create an application access policy. So I'm following the documentation which asks me to Connect using admin credentials
When i run Connect-MicrosoftTeams -Credential $userCredential with my account it fails with the following error:
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed
Connect-MicrosoftTeams: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: : Unknown error
But this is what is confusing me. I don't really know if I'm trying to login with the correct account. I'm using my personal account on azure which is (afaik) not a business account with skype for business.
I'm running the commands to log in on the azure portal's PowerShell interface. Am I supposed to run this on my local machine instead?
I think I'm not fully understanding what all of the moving parts are that need configuration.
Can I add those application Access Policies in the azure portal interface somewhere?
According to the api documentation, make sure you grant the OnlineMeetings.ReadWrite.All application permission to the application. Then you need to use the client credential flow to obtain an access token.
Please note that when you create an online meeting with an application token, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).

Getting powerbi embed token 403 Forbidden

I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groyupid}/dashboards/{dashboardid}/GenerateToken
Request body
{accessLevel:"View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here how I get the access token
I noticed that there is also another url to get token : https://login.microsoftonline.com/common/oauth2/token
What is the difference between the one with tenant id in the url
Then permissions for the AAD PowerBI application
Update
Thanks for the help I get another 404 not found error now
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information I have added permission in PBI admin portal to pbireportingGroup an Azure security group that I created. ( as mentionned in docs )
Then I added to this group the AAD as member
Is that what should I do ?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)

Call Microsoft Graph API to get user in Azure AD B2C

I have an android application that uses Azure AD B2C. Users can sign up using local account/email. Once the user logs into the android application, I'm trying to call the Microsoft Graph API to get the signed-in users details (specifically the Graph API UPN of the user, which is different than the UPN in Azure ad B2C).
The API call I'm trying to make is: https://graph.microsoft.com/v1.0/me
I added the bearer auth token I receive when the user logs in.
However, I receive the following error:
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-06-17T06:11:32",
"request-id": "b4e9757e-60d9-453f-820d-9f817831aa0c"
}
}
}
Any idea what I can do to get the user's Graph API UPN? Appreciate the help!
This error occurs when the token used is invalid. If you want to get the logged-in user information, you can request the API at here.
Don't forget to grant administrator consent for this permission,please checkhere.
Update
For Azure b2c users, it is currently not possible to call the Graph API.https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/526

Resources