Develop Reference

No authorization information present on Microsoft Graph API request

I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here

I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn

Error "AADSTS50076" while getting the User Access Token

I am trying to get the user access token for accessing Graph APIs from the node.js code.
My Request:
POST https://login.microsoftonline.com/<AD-Tenant-Id>/oauth2/v2.0/token
client_id: <application ID>
client_secret: <secret string>
scope: User.Read
response_type: "code"
grant_type: "password"
username: <user email>
password: <user password>
I get error:
AADSTS50076: Due to a configuration change made by your administrator,
or because you moved to a new location, you must use multi-factor authentication to access....
I am using postman for testing the request.
In my AD I have multi-factor authentication disabled.
And "Security Defaults" are set to "enable".
If I "disable" the "Security Defaults", then I am able to get the token.
Is there a way I can keep the "Security Defaults" enabled and get the token, without the user interaction?

You can try out Get access on behalf of a user , ref doc - https://learn.microsoft.com/en-us/graph/auth-v2-user#3-get-a-token
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=11111111-1111-1111-1111-111111111111
&scope=user.read%20mail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=jXoM3iz...
Hope this will help.

Azure AD app with Application.ReadWrite.OwnedBy cannot add more owners to apps it created

I have an AAD app that creates other AAD apps. The first app (creator) has right Application.ReadWrite.OwnedBy and is able to update display names of the apps it created but it is not able to add more owners on those apps. Does it need more privileges to do that?
HTTP request updating the created-app display name (succeeds):
PATCH https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/applications/a1236923-6de6-4e78-87dd-494d621fc20c?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eXAi...
Content-Type: application/json; charset=utf-8
Host: graph.windows.net
Content-Length: 45
Expect: 100-continue
{
"displayName": "test"
}
HTTP request adding an owner to the created-app (fails):
POST https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/applications/a1236923-6de6-4e78-87dd-494d621fc20c/$links/owners?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eXAi...
Content-Type: application/json; charset=utf-8
Host: graph.windows.net
Content-Length: 122
Expect: 100-continue
{
"url": "https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/users/ac990eb3-b25a-4e06-ade5-41c7613693ff"
}
HTTP/1.1 403 Forbidden
request-id: 9be47e62-abcd-4768-926f-ffd62544e696
client-request-id: 149115f6-c9b7-4dd4-a267-711a40c51f23
...
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
I verified that the creator app does indeed have Application.ReadWrite.OwnedBy in the roles array of the JWT Bearer token.
I also verified that the creator app is present in the owner list of the created app by calling GET https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/applications/a1236923-6de6-4e78-87dd-494d621fc20c/owners/64898a3a-2fb1-45f0-a514-e83fabbc01f2.

In general, in order to add an owner, the calling app (and the calling user, in the case of delegated permissions, though in this case it's an app only) needs to have the permission to read the object of the owner being added, as well as the permission to read and write to the object which is being given a new owner.
Thus, in order for an app to add a User object as an owner to an Application object that the calling app is itself an owner of, the app needs (at least) Directory.Read.All (to read the new owner's User object), and Application.ReadWrite.OwnedBy (to be able to write to the Application object's list of owners).

According to your error message, you do not have enough privileges. As far as I known, if you want to assign user to AAD Application with Application privileges, you need to have these privileges : Application.ReadWrite.OwnedBy and Directory.Read.All, Application.ReadWrite.All and Directory.Read.All.
Besides, Microsoft strongly recommends that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. For more details, please refer to the article. If you want to use Microsoft graph api to assign user to AAD Application, please refer to the document.

Client Credential Gran Type Not Support with a Custom B2C Policy

I am trying to generate an access token from our policy but I am getting this error.
AADB2C90086: The supplied grant_type [client_credentials] is not supported.
This is a sample postman request
POST /{tenant}/oauth2/token?p=B2C_1A_SignUpOrSignInWithAAD HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=client_credentials&client_id={client_id}&resource=https%3A%2F%2F{app_url}&client_secret={client_secret}
but it works fine if I don't use our custom policy and just go direct to the B2C tenant
POST /{tenant}/oauth2/token?api-version=1.0
... same as above
Is there something missing in our custom policy?

B2C does not support the Client Credential Flow. Additional details are here. And here Daemons/server-side apps.
but it works fine if I don't use our custom policy
That's because you getting a token from Azure AD, not B2C.

InvalidAuthenticationToken - CompactToken parsing failed with error code: -2147184105

I am using V1 in order to have a token from Microsoft REST API. (We have Office 365 tenant and I used to successfully get all resources without any problem but not anymore.
clientId =8a67......de4b6
clientSecret =J58k8....5EU=
redirectUri =http://example.com...
resourceUrl =https://graph.microsoft.com
authority = https://login.microsoftonline.com/f02633....a603/oauth2/token
https://login.microsoftonline.com/f0263...0be3/oauth2/authorize?client_id=8a6..b6&redirect_uri=http://example.com&response_type=code&scope=mail.read
It gave me a token structured as follows on JWT. It says invalid signature but not sure what is wrong.
Once I have the token, I tried the following curl call
curl -i https://graph.microsoft.com/v1.0/me/messages -H 'Content-Type: application/x-www-form-urlencoded' -H 'Authorization: Barer eyJ.[TOKEN]...UNa6nfw'
Instead of the messages, I received the following error:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8Cl23
Server: Microsoft-IIS/8.5
request-id: af2390b1-a9b...5ab9
client-request-id: af2390,....a615ab9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"SliceA","ScaleUnit":"000","Host":"AGSFE_IN_4","ADSiteName":"WST"}}
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 23:55:43 GMT
Content-Length: 268
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: -2147184105",
"innerError": {
"request-id": "af2390b1-...5ab9",
"date": "2017-01-19T23:55:44"
}
}
}
I looked at similar questions on SO but couldn't find any solution.

First, the Barer of authorization header is a typo. The correct parameter should be like authorization: bearer {access_token}.
Second, it seems that you were mixing using the Azure V1.0 endpoint and V2.0 endpoint. If you were developing with V1.0 endpoint which apps were resisted from Azure portals, when we acquire the access token we need to specify the resource parameter instead of scope.
The scope parameter is used for Azure V2.0 endpoint which apps are resisted from here.
And the authorization endpoint for Azure AD likes below:
V1.0:
https://login.microsoftonline.com/{tenant}/oauth2/authorize
V2.0:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
More detail about the code grant flow with Azure AD, you can refer links below:
Authorize access to web applications using OAuth 2.0 and Azure Active Directory
v2.0 Protocols - OAuth 2.0 Authorization Code Flow