ChrisPeacock-2779 asked ·

Legacy / Azure AD Graph API - App Permissions

Hi

I want an Azure AD application to have the directory.read.all permission scope so it can read the directory.

What URL needs constructing to be able to do this?

It needs to be in the legacy Graph API.

Cheers

azure-active-directory
soumi-MSFT answered ·

@ChrisPeacock-2779, in order to do this, you would need to provide the scope parameter with the value "directory.read.all" while requesting a code/token from AAD, based on the OAuth flow you are using in your code.

For example: in case you are using the Client Credentials Flow of OAuth, then you would need to specify the scope parameter with the value "directory.read.all" and send that request to the /token endpoint of AAD. But in case you are using the Authorization Code Grant Flow, then you need to specify the scope parameter with the value "directory.read.all" and send that request to the /authorize endpoint of AAD.

Note: While using the scope parameter, you would have to make the request to the v2.0 endpoint of AAD.

Sharing the sample requests for Authorization Code Grant Flow of OAuth2.0:

Sample Request 1: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/v2.0/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&scope=directory.read.all&state=12345

Note: It should be &scope=directory.read.all in the request after response_mode=fragment. Somehow scope is getting listed as >ope.

In case you want to use the v1.0 endpoint, then you need to make sure that you have added the permission "directory.read.all" in the app registration's API permissions section, and then you can use the request listed below:

Sample Request 2: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&resource={resource name for which the code is being requested for. Eg: https://graph.microsoft.com}&state=12345&nonce=12345

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

ChrisPeacock-2779 answered ·

Thanks

What is the state=12345 doing?

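As an added example (not code posted by either participant in this thread), the following Python assembles the v2.0 /authorize request from the answer above and shows what the state parameter asked about is for: the client generates an unpredictable value, sends it, and accepts the redirected response only if the same value comes back, which ties the authorization response to the session that started it. Tenant, client ID, redirect URI and the returned code are constructed placeholders; the scope value is taken from the answer as written.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def new_state() -> str:
    """Unpredictable per-request value; the client keeps it until the redirect arrives."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant, client_id, redirect_uri, scope, state):
    """Assemble the v2.0 /authorize request with the parameters used in the answer above.
    urlencode() percent-encodes the redirect URI and scope instead of pasting them raw."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_fragment_response(redirected_url, expected_state):
    """Extract the authorization code from the redirect.
    With response_mode=fragment the parameters arrive after '#'. The returned state must
    equal the one this client sent; otherwise the response was not produced for this
    session and is discarded (this is what the state parameter is for)."""
    frag = parse_qs(urlparse(redirected_url).fragment)
    received_state = frag.get("state", [""])[0]
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: authorization response rejected")
    if "error" in frag:  # OAuth 2.0 error response, e.g. access_denied
        raise RuntimeError(f"{frag['error'][0]}: {frag.get('error_description', [''])[0]}")
    return frag["code"][0]


if __name__ == "__main__":
    # Constructed placeholder values; the redirect is what the browser would carry back.
    state = new_state()
    print(build_authorize_url("TENANTNAME.onmicrosoft.com", "CLIENTID",
                              "https://login.microsoftonline.com/common/oauth2/nativeclient",
                              "directory.read.all", state))
    redirect = ("https://login.microsoftonline.com/common/oauth2/nativeclient"
                f"#code=CONSTRUCTED_CODE&state={state}")
    print(parse_fragment_response(redirect, state))
```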
ChrisPeacock-2779 answered ·

@soumi-MSFT

I did manage to get this working, I believe. When I use this URL it did ask to log in using an Azure AD admin account, and then it showed a message about what permissions it was about to allow.

https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/v2.0/authorize?client_id=CLIENTID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=fragment&scope=directory.read.all&state=12345

However, the same issue occurs.

Let me throw some context here. We are using Environment Variables with Terraform. When we try to retrieve data from Azure AD we see this error. Others have reported this, and the fix was to apply permissions to the Legacy Graph API:

Error: Error listing Service Principals: graphrbac.ServicePrincipalsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-03-16T11:40:19","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":XXXXXXX


Hello Chris,

It would be great if we could get on a call so that we can check on this issue together. In order to set up the call, please share the following information in an email to azcommunity'at'microsoft'dot'com.

Tenant ID:
Subscription ID:
Your preferred time (with timezone).

Also, make sure you share the reference of this thread so that it's easier for me to pick this up. Once I get the updates from your end, I will set up a call with you and will work further.