question

JakeBluhm-1656 avatar image
0 Votes"
JakeBluhm-1656 asked saldana-msft edited

Calls to Microsoft Graph API when using government endpoint does not work, but works for global endpoint?

The software I am creating needs to get Microsoft Teams presence (Available, Busy, Away, etc.) from MS Graph. The company I work for uses the global service, and the software works as expected for my co-workers.

I am testing the deployment of the software and I am running into a problem where calls to MS Graph for US Government to get Microsoft Teams presence fails with the following exceptions:

86928-error3.png



This link (https://docs.microsoft.com/en-us/graph/deployments) explains the difference between MS Graph endpoints, and includes a video that outlines how to make MS Graph calls to users in that end point. The video seems to say that all you need to do to change endpoints is change the MS Graph Api URL and the Login URL.

I will post snippets of code (cannot post full code) that leads to the errors is below. First on application launch, in app.xaml.cs I configure MSAL following this doc (https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-initializing-client-applications)

 private static string InstanceGov = "https://login.microsoftonline.us/";
 private static string Tenant = "common";
   public partial class App : Application
     {
         static App()
         {
             _clientApp = PublicClientApplicationBuilder.Create(ClientId)
                 .WithAuthority($"{InstanceGov}{Tenant}")
                 .WithDefaultRedirectUri()
                 .Build();
             TokenCacheHelper.EnableSerialization(_clientApp.UserTokenCache);
         }
     .
     .
     .
     }

Then the user signs into MS 365, no problems here:

      public async void Sign_In()
         {
             AuthenticationResult authResult = null;
             var app = App.PublicClientApp;
             ////ResultText.Text = string.Empty;
     
    
    
                
    
             var accounts = await app.GetAccountsAsync();
             var firstAccount = accounts.FirstOrDefault();
    
             try
             {
                 authResult = await app.AcquireTokenSilent(scopes, firstAccount)
                     .ExecuteAsync();
    
            
    
    
                 this.ConnectButton.Visibility = Visibility.Collapsed;
                 this.SignOutButton.Visibility = Visibility.Visible;
                 ErrorInfo.Visibility = Visibility.Hidden;
                 Timer1.Start();
    
             }
             catch (MsalUiRequiredException ex)
             {
                 // A MsalUiRequiredException happened on AcquireTokenSilent. 
                 // This indicates you need to call AcquireTokenInteractive to acquire a token
                 System.Diagnostics.Debug.WriteLine($"MsalUiRequiredException: {ex.Message}");
    
                 try
                 {
                     authResult = await app.AcquireTokenInteractive(scopes)
                         .WithAccount(accounts.FirstOrDefault())
                         .WithParentActivityOrWindow(new WindowInteropHelper(this).Handle) // optional, used to center the browser on the window
                         .WithPrompt(Prompt.SelectAccount)
                         .ExecuteAsync();
    
    
                     this.ConnectButton.Visibility = Visibility.Collapsed;
                     this.SignOutButton.Visibility = Visibility.Visible;
                     ErrorInfo.Visibility = Visibility.Hidden;
    
    
                     Timer1.Start();
                 }
                 catch (MsalException msalex)
                 {
                     ////ResultText.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
                     System.Windows.MessageBox.Show($"Error Acquiring Token:{System.Environment.NewLine}{msalex} "  , "Error",
                         (MessageBoxButton)MessageBoxButtons.OK, (MessageBoxImage)MessageBoxIcon.Error);
    
                     this.ConnectButton.Visibility = Visibility.Visible;
                     this.SignOutButton.Visibility = Visibility.Collapsed;
                     status_light.Fill = Brushes.Black;
                     ErrorInfo.Visibility = Visibility.Visible;
                     ErrorText.Text = "Please Sign in";
                 }
             }
             catch (Exception ex)
             {
                 ////ResultText.Text = $"Error Acquiring Token Silently:{System.Environment.NewLine}{ex}";
    
                 this.ConnectButton.Visibility = Visibility.Visible;
                 status_light.Fill = Brushes.Black;
                 ErrorInfo.Visibility = Visibility.Visible;
                 ErrorText.Text = "Please Sign in";
                 return;
             }
             if (authResult != null)
             {
                 signinstring = "Sign Out";
             }
             //else
             //{
             //    Environment.Exit(0);
             //}
    
                
         }




Next, I make a call to get the Microsoft Teams presence data. This results in an exception in the image above.

  public partial class MainWindow : Window
     {
         //Set the API Endpoint to Graph 'me' endpoint. 
         // To change from Microsoft public cloud to a national cloud, use another value of graphAPIEndpoint.
         // Reference with Graph endpoints here: https://docs.microsoft.com/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints
         string graphAPIEndpoint = "https://graph.microsoft.com/v1.0/me";
         string graphPresenceEndpoint = "https://graph.microsoft.com/v1.0/me/presence"; 
         string graphPresenceEndpointGov = "https://graph.microsoft.us/v1.0/me/presence";
    
    ...
    ...
    ...
    
    void some_function()
    {
       status_string = await GetHttpContentWithToken(graphPresenceEndpointGov , authResult.AccessToken); 
      ... // ^ Throws exception ^
      ...
      ...
    }
 }

The software works only when using the global endpoint, we have confirmed by sending software sample to others outside the company also using global endpoint. When using MS Graph for users not using the global endpoint is there anything I am missing that could be causing this?

office-teams-app-devmicrosoft-graph-teamworkmicrosoft-graph-sdkazure-ad-msal
error3.png (385.8 KiB)
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Adding right tags/teams to assist

1 Vote 1 ·

Hi @JakeBluhm-1656, For graph API you need to use https://graph.microsoft.us instead https://login.microsoftonline.us/.
Please follow this documentation.


0 Votes 0 ·

@Mamatha-MSFT Please see the answer below

0 Votes 0 ·

1 Answer

JakeBluhm-1656 avatar image
0 Votes"
JakeBluhm-1656 answered Wajeed-MSFT commented

@Mamatha-MSFT thank you,

The use of https://login.microsoftonline.us/ is taken from this documentation . My understanding is that this step is needed to get a token.

Towards the bottom of my post I do use https://graph.microsoft.us in this line of code:
string graphPresenceEndpointGov = "https://graph.microsoft.us/v1.0/me/presence";

Testing your suggestion with the global endpoint, I changed the following code and got the exception below:

 private static string Instance = "https://graph.microsoft.com";//"https://login.microsoftonline.com/";


  _clientApp = PublicClientApplicationBuilder.Create(ClientId)
                  .WithAuthority($"{Instance}{Tenant}")
                  .WithDefaultRedirectUri()
                  .Build();
              TokenCacheHelper.EnableSerialization(_clientApp.UserTokenCache);

88569-exception.png




exception.png (9.6 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Could you please change your code to WithAuthority($"{Instance}/{Tenant}")?

0 Votes 0 ·