How to retrieve a correct token to request Reports on Graph

Gilles T 1 Reputation point
2019-12-12T14:50:19.113+00:00

Hello

I have registered an app with Reports.Read.All permissions with delegation and Admin Consent.
I try to retrieve reports (email, onedrive, ...), but I don't succeed. The token retrieved never contains the permission Reports.Read.All

$credentials = Get-Credential

$Uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$Body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    redirect_uri  = 'https://localhost/'
    username      = $credentials.GetNetworkCredential().username
    password      = $credentials.GetNetworkCredential().password
}
$AuthResult = Invoke-RestMethod -Method Post -Uri $Uri -ContentType "application/x-www-form-urlencoded" -Body $Body

The token has insufficient rights to call https://graph.microsoft.com/v1.0/reports/getEmailActivityUserDetail(period='D7')

Where is the problem?

Regards
Gilles

Microsoft Entra ID

2 answers

  1. FrankHu-MSFT 976 Reputation points
    2019-12-12T22:23:18.207+00:00

    The reason you're getting this error is because you're utilizing the client credential flow, which only gets application permissions because it's on behalf of the service principal. In order to get an access token with the delegated permission, you'll need to utilize a different flow. For more information on how to do this, take a look at the PowerShell and ADAL/MSAL libraries: https://github.com/shawntabrizi/Azure-AD-Authentication-with-PowerShell-and-ADAL

    And for more information on the different kinds of permissions, take a look at: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent


  2. Gilles T 1 Reputation point
    2019-12-17T16:18:59.997+00:00

    Hello

    Thank you for your response.
    I have tried to connect like you suggest using RESTwithAppKey.ps1.
    In the token, I retrieve fewer roles than with my previous try.
    Do I have to use a different method to retrieve the token?

    Regards
    Gilles

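The thread above turns on which permission claim the token actually carries. As an added example (not code from the posters or from Microsoft), this PowerShell decodes an access token's payload and reports whether `Reports.Read.All` is present as a delegated scope (`scp`) or as an application role (`roles`). `ConvertFrom-Base64Url`, `Get-TokenPermission` and `New-SampleToken` are hypothetical helper names, and the sample tokens are constructed.

```powershell
# Added example. Decodes the JWT payload only and does NOT verify the signature:
# use it to troubleshoot consent and flow issues, never as an authorization check.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenPermission {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Required = 'Reports.Read.All'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Delegated permissions arrive as a space-separated string in "scp";
    # application permissions (client_credentials) arrive as an array in "roles".
    $scp   = @("$($claims.scp)" -split ' ' | Where-Object { $_ })
    $roles = @($claims.roles | Where-Object { $_ })
    $kind  = if ($scp.Count) { 'delegated' } elseif ($roles.Count) { 'app-only' } else { 'none' }

    [pscustomobject]@{
        Kind        = $kind
        Delegated   = $scp
        Application = $roles
        HasRequired = ($scp + $roles) -contains $Required
    }
}

# Constructed, unsigned sample tokens (hypothetical claim values) so this runs offline.
function New-SampleToken([hashtable]$Claims) {
    $enc = { param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc @{ typ = 'JWT' }), (& $enc $Claims)
}

Get-TokenPermission (New-SampleToken @{ roles = @('User.Read.All') })          # client_credentials shape
Get-TokenPermission (New-SampleToken @{ scp = 'Reports.Read.All User.Read' })  # delegated shape
```

On a real response, pass `$AuthResult.access_token` from the question's script to `Get-TokenPermission`.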