LoganY87 asked

Getting MS Graph calendar events with Azure AD authentication

I'm trying to get my calendar events out of MS Graph. I'm looking to get all the events for the day and update on regular intervals to reflect changes to the calendar.

I've been trying to use MSAL and the associated libraries for Graph in .NET Core, but that's been going about as well as what I've got going in this post from Postman, so I thought it might be worthwhile now to break it down to the simplest implementation I can think of and work from there.

 var form = new FormData();
 form.append("grant_type", "client_credentials");
 form.append("client_id", "redacted");
 form.append("client_secret", "redacted");
 var settings = {
   "url": "https://login.microsoftonline.com/<tenant_id>/oauth2/token",
   "method": "GET",
   "timeout": 0,
   "headers": {
     "Content-Type": "application/x-www-form-urlencoded",
     "Cookie": "fpc=Ah_P6jijvE5KmU4A_TsujaRPsQKSAQAAAGdFSdgOAAAA; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd"
   },
   "processData": false,
   "mimeType": "multipart/form-data",
   "contentType": false,
   "data": form
 };
 $.ajax(settings).done(function (response) {
   console.log(response);
 });

The token generates fine, but when I try to use it to query MS Graph, it fails, saying "Access token validation failure. Invalid audience."

 var settings = {
   "url": "https://graph.microsoft.com/v1.0/me/events",
   "method": "GET",
   "timeout": 0,
   "headers": {
     "Authorization": "Bearer my_token_string_goes_here"
   },
 };
 $.ajax(settings).done(function (response) {
   console.log(response);
 });


As far as I can figure, this token should work, but I'm at a loss. I thought it wasn't the correct endpoint to be getting a token for Graph from, but that doesn't seem to be the issue.

Can anyone assist?

Thanks in advance!





azure-active-directory, microsoft-graph-calendar

1 Answer

michev answered sikumars commented

You seem to be getting a token for the client credentials flow, where you run in the context of an application. Thus you cannot use the /me endpoint; try /user/user@domain.com/events instead. And of course make sure the correct permissions are returned in the token; you can decode it via jwt.ms or similar.


Thanks so much! I feel like that's progress already!

I can decode the token, but which values in the payload hold the permissions?

I have set the permissions on the application in Azure for Calendars.Read and Calendars.ReadWrite - those are the ones the Graph Explorer uses for this particular request (only that uses /me/events in the request).

So now the error has changed to "The token contains no permissions, or permissions can not be understood." This error persists even if I grant admin consent on the domain.

Clearly, I'm not doing the same thing that Graph Explorer is doing but since that works, it's the behavior I'm trying to match. I'm just not seeing all the steps along the way...


Graph Explorer uses the delegate permission model, meaning it runs in the context of a user and you can leverage the /me endpoint. When using a client secret, you cannot.

The permissions are listed under the "scp" claim. To access other people's calendars (or when running in the app permissions model) you'll need Calendars.Read (same name, but added under the Application permissions tab and requires admin consent).


You're a diamond! I've been struggling with this for so long but there's tons of documentation & it's a mess in my head.

Having added the permissions to my app, I'm not getting an scp claim on the token so it's 100% accurate that the token contains no permissions.

So what am I missing?

I'm using the following for reference on getting the token:
docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token


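The checks discussed in this thread, gathered into one diagnostic as an added example (not code from any of the posts above): it decodes a token's payload and reports the audience, permission and /me problems the errors above point to. It assumes Node.js; the function names and sample tokens are hypothetical and constructed, and it also reads the `roles` claim, which is where Azure AD places application permissions in client-credentials tokens (delegated permissions appear in `scp`).

```javascript
// Added diagnostic example (Node.js). Decodes the payload only; it does NOT
// verify the signature, so use it for troubleshooting, never for authorization.
const GRAPH_AUDIENCES = [
  "https://graph.microsoft.com",
  "https://graph.microsoft.com/",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph application ID
];

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 parts)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Hypothetical helper: returns a list of problems for a Graph call to `path`
// that needs `permission` (for example "Calendars.Read").
function diagnoseGraphToken(jwt, path, permission) {
  const claims = decodeJwtPayload(jwt);
  const findings = [];
  const scp = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const appOnly = scp.length === 0; // client-credentials tokens carry roles, not scp

  if (!GRAPH_AUDIENCES.includes(claims.aud)) findings.push("invalid-audience");
  if (scp.length === 0 && roles.length === 0) findings.push("no-permissions");
  else if (!(appOnly ? roles : scp).includes(permission)) findings.push("missing-permission");
  if (appOnly && /^\/me(\/|$)/.test(path)) findings.push("me-endpoint-with-app-only-token");
  return findings;
}

// Constructed sample tokens (fake signature, made-up claim values).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.constructed`;
}
const wrongAudience = makeSampleToken({ aud: "https://other-api.example" });
const appOnlyOk = makeSampleToken({ aud: "https://graph.microsoft.com", roles: ["Calendars.Read"] });
const delegatedOk = makeSampleToken({ aud: "https://graph.microsoft.com", scp: "Calendars.Read User.Read" });

console.log(diagnoseGraphToken(wrongAudience, "/me/events", "Calendars.Read"));
console.log(diagnoseGraphToken(appOnlyOk, "/me/events", "Calendars.Read"));
console.log(diagnoseGraphToken(delegatedOk, "/me/events", "Calendars.Read"));
```

An empty result means the token's audience and permissions match the request; the signature still has to be validated by the API that receives the token.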