question

HimeshaPrabhakaraWijekoon-5089 avatar image
0 Votes"
HimeshaPrabhakaraWijekoon-5089 asked saldana-msft edited

Cannot get photo of a guest user using Graph API

Hello,

I get following error when I want to get the photo of a guest user in Azure AD B2B with the following API endpoint.

https://graph.microsoft.com/v1.0/me/photo/$value

 { "error": { "code": "UnknownError", "message": "{\"error\":{\"code\":\"NoPermissionsInAccessToken\",\"message\":\"The token contains no permissions, or permissions can not be understood.\",\"innerError\":{\"oAuthEventOperationId\":\"d1451a47-99dc-4520-9843-c25acd96983e\",\"oAuthEventcV\":\"sgkZYEAJdECPUS7GIdvSaQ.1.1\",\"errorUrl\":\"https://aka.ms/autherrors#error-InvalidGrant\",\"requestId\":\"ead1dead-7dd7-42f4-8d5d-90efe84e0258\",\"date\":\"2021-03-15T17:33:56\"}}}", "innerError": { "date": "2021-03-15T17:33:57", "request-id": "ead1dead-7dd7-42f4-8d5d-90efe84e0258", "client-request-id": "ead1dead-7dd7-42f4-8d5d-90efe84e0258" } } }

I have also given app permissions as below.

77810-image.png

I get the same error in Postman and when calling the above endpoint from my front-end application which is hosted as an app service.

Please note that we have 2 subscriptions. I can use Graph Explorer for the default subscription and get the photo. But I want to use the other subscription (directory) in the application. However this gives above error.

Please also note that I could get profile info, see attached groups and add members to groups via Graph API. It seems only photo is not working.

Please let me know if you need more information.


microsoft-graph-usersazure-ad-b2b
image.png (31.4 KiB)
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Please share the steps you are taking when testing with Postman. We could isolate the issue from there. You may need to get the token differently.

0 Votes 0 ·

Thanks for your reply.

Actually we have a front-end Angular application which uses MSAL library to authenticate user against Azure AD. I login using this front-end app and copy the access token to Postman.

The https://graph.microsoft.com/v1.0/me endpoint works fine with this access token. But https://graph.microsoft.com/v1.0/me/photo/$value endpoint is not working as mentioned in my original post.

I decoded the token using jwt.ms and I can see following scopes as well.

79212-scopes.png

Please let me know if you need more information.


0 Votes 0 ·
scopes.png (15.6 KiB)
FionaMatu-8876 avatar image FionaMatu-8876 HimeshaPrabhakaraWijekoon-5089 ·

Thanks for sharing that info @HimeshaPrabhakaraWijekoon-5089.

pls have a look at the answer below and give it a try, had a problem posting the lengthy answer in comments

0 Votes 0 ·

1 Answer

FionaMatu-8876 avatar image
0 Votes"
FionaMatu-8876 answered

So these are the steps I followed on Postman using the Microsoft Graph collection and I am able to get the profile photo:
1. ensure you have set up Microsoft Graph collection on your postman. Please refer to this short video on how to do so if you haven't yet.
2. open a new tab on Postman and add a GET request as https://graph.microsoft.com/v1.0/me/photo/$value then click on the save button.
3. on the 'save request' dialog box, save the new request under the 'OnBehalf of a User' in the Microsoft Graph collection
4. go to the Authorization tab and click on the 'On Behalf of a User'
5. Click on 'Get New Access Token' then login as a user then click on 'Proceed' after which, click on 'Use token'
6. The dialog box will close then click on send and you should get the profile photo.

Give this a try and let me know how it goes


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.