GillesT-8412 asked

How to retrieve a correct token to request Reports on Graph

Hello

I have registered an app with Reports.Read.All permissions with delegation and Admin Consent.
I try to retrieve reports (email, onedrive, ...), but I don't succeed. The token retrieved never contains the permission Reports.Read.All

$credentials = Get-Credential

$Uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$Body = @{
    grant_type = "client_credentials"
    client_id = $ClientId
    client_secret = $ClientSecret
    scope = 'https://graph.microsoft.com/.default'
    redirect_uri = 'https://localhost/'
    username = $credentials.GetNetworkCredential().username
    password = $credentials.GetNetworkCredential().password
}
$AuthResult = Invoke-RestMethod -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body

The token has insufficient rights to call https://graph.microsoft.com/v1.0/reports/getEmailActivityUserDetail(period='D7')

Where is the problem?

Regards
Gilles


FrankHuMSFT-3200 answered

The reason you're getting this error is because you're utilizing the client credential flow, which only gets application permissions because it's on behalf of the service principal. In order to get an access token with the delegated permission, you'll need to utilize a different flow. For more information on how to do this, take a look at the PowerShell and ADAL/MSAL libraries: https://github.com/shawntabrizi/Azure-AD-Authentication-with-PowerShell-and-ADAL

And for more information on the different kinds of permissions, take a look at: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent

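A way to check which kind of permission a token carries, as an added example that is not part of the original thread: it decodes the JWT payload and reports the `roles` claim (application permissions, which is what the client credentials flow returns) and the `scp` claim (delegated permissions). The function names and the two unsigned sample tokens are constructed for illustration.

```powershell
# Added example (not from the thread). Helper names and sample tokens are constructed.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {        # restore the padding that base64url drops
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenPermissionSummary {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Permission = 'Reports.Read.All'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated parts)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # roles = application permissions (app-only token); scp = delegated permissions (space separated)
    $roles  = @($claims.roles | Where-Object { $_ })
    $scopes = @(if ($claims.scp) { $claims.scp -split ' ' })

    [pscustomobject]@{
        Audience      = $claims.aud
        TokenKind     = if ($roles) { 'app-only (roles claim)' } elseif ($scopes) { 'delegated (scp claim)' } else { 'no permissions' }
        Roles         = $roles -join ', '
        Scopes        = $scopes -join ', '
        HasPermission = ($roles -contains $Permission) -or ($scopes -contains $Permission)
    }
}

# Constructed, unsigned sample tokens so the example runs offline.
function New-ConstructedToken([hashtable]$Claims) {
    $enc = { param($t) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($t)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $enc '{"alg":"none","typ":"JWT"}'
    $payload = & $enc ($Claims | ConvertTo-Json -Compress)
    "$header.$payload.constructed-signature"
}

$appOnly   = New-ConstructedToken -Claims @{ aud = 'https://graph.microsoft.com'; roles = @('User.Read.All') }
$delegated = New-ConstructedToken -Claims @{ aud = 'https://graph.microsoft.com'; scp = 'Reports.Read.All User.Read' }
$appOnly, $delegated | ForEach-Object { Get-TokenPermissionSummary -AccessToken $_ } | Format-List
```

To inspect a real response, pass the `access_token` property of `$AuthResult` as `-AccessToken`.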

GillesT-8412 answered

Hello

Thank you for your response.
I have tried to connect as you suggested using RESTwithAppKey.ps1
In the token, I retrieve fewer roles than with my previous try.
Do I have to use a different method to retrieve the token?

Regards
Gilles
