question

$$ANON_USER$$ avatar image
0 Votes"
$$ANON_USER$$ asked ·

reportingservice.activedirectory.windowsazure.com as next link in /activities/signinEvents queries

Hello,

I have an app to get sign-ins from logs /activities/signinEvents. I perform a GET query to graph.windows.net/tenant/activities/signinEvents/ and the next link presented in that response was "https://reportingservice.activedirectory.windowsazure.com/tenant/activities/signinEvents...skipToken=..._1000". I cannot visit that link with my app or graph explorer. My app gets the following error: "AADSTS65001: The user or administrator has not consented to use the application", which is logical because I really do not have the access to reportingservice.activedirectory.windowsazure.com.

So, I would like to know if this next link is presented by design and it is not a bug. How do I have to handle such links then? What kind of permissions do I have to assign to my app?

Thanks in advance!

azure-ad-graphazure-ad-sign-in-logs
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

KAREDD-MSFT avatar image
0 Votes"
KAREDD-MSFT answered ·

anonymous user Ideally, you should have consented to the directory.read.all permission on behalf of your app which should give you the application required consent. Can you confirm the same?

We strongly recommend using Microsoft Graph API for accessing resources from Azure AD. Azure AD Graph calls will be deprecated in the near future.

Ref: https://docs.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http

https://developer.microsoft.com/en-us/office/blogs/microsoft-graph-or-azure-ad-graph/

· 3 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@KAREDD-MSFT Well, just in case I have assigned the following Application permissions: - Azure Active Directory Graph (Directory.Read.All) - Microsoft Graph (Directory.Read.All and AuditLog.Read.All)

And I have performed the request directly to https://reportingservice.activedirectory.windowsazure.com/tenant/activities/signinEvents

It has failed with Authentication_ApplicationHasNoDirectoryReadAccess error.

BUT! the request to https://graph.windows.net/tenant/activities/signinEvents was successful

If we change reportingservice.activedirectory.windowsazure.com to graph.windows.net with skipToken=... it works as expected, but I don't really think that swapping resource links is a designed workflow.

0 Votes 0 · ·

And in case of delegated Permissions I got the mentioned above error "AADSTS65001: The user or administrator has not consented to use the application"

0 Votes 0 · ·