question

JulianMehnle-3895 asked DanKershaw-5643 commented

`GET /v1.0/users` request gives 302 redirect with no `Location` header

When I make an authenticated request to https://graph.microsoft.com/v1.0/users, I get an empty 302 response with no Location header. What does this mean?

$ curl --raw -i -H"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkpFbHFhT3FJRDNuQzZrMktucEMtajhSZFI4T2lRakNKVGgtX0Z4OUZMd1kiLCJhbGciOiJSUzI1NiIsIng1dCI6IkRxVXU4Z2YtbkFnY3lqUDMtU3VwbE5BWEFuYyIsImtpZCI6IkRxVXU4Z2YtbkFnY3lqUDMtU3VwbE5BWEFuYyJ9.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.lMGJtkKymVRvtAwaHOlptSJQ6AFBYohO6CB3meV8Y0Hsq9mC8TRcAaobckHJ5n9jfYMKEwvWkzYwmuu1eYCNUVVRoq-KUpQDhtSlWrVo9ITG55apZSoHxSLVfdzXD-gza3eNozDCNZPlTD3gUdw4AYjGiwkoHg_G57KSG6FP40BoGt4Hpo8l7dkS_95YJxyFEBb19exHcDn9N0QqQOWXziBLbri5FKY02U_IvbRBRKFaxbD3jFWKcC_59RCpUibM8gaJwN0TQPKutltlE-ePWp3PUC216Rfqzzk46musNMgDScxWX-1odZhzwv7y5z3eGLi_QqazcHE8L1x8rU3K4A" https://graph.microsoft.com/v1.0/users

HTTP/1.1 302 Found
Date: Wed, 25 Aug 2021 23:53:50 GMT
Cache-Control: no-cache
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
request-id: 0b545c94-873b-47f2-a4de-16a15ec17ffe
client-request-id: 0b545c94-873b-47f2-a4de-16a15ec17ffe
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"BY1PEPF000023C6"}}

0

How did you get your token? Your token does not seem to have permission. Have you granted User.Read.All permission to your application? In addition, can you provide the complete script?


@JulianMehnle-3895 Would you please provide us with an update on the status of your issue?


1 Answer

CarlZhao-MSFT answered DanKershaw-5643 commented

I wrote a PowerShell script for you. I used the client credential flow to get the token, and then called the https://graph.microsoft.com/v1.0/users endpoint to list all the AAD users.

Before that, you need to grant User.ReadWrite.All application permissions to the application and grant administrator consent.

    # Sign in to Azure AD.
    Connect-AzureAD

    # App registration values. Replace these with your own.
    $clientID = 'f212af58-f976-4bc5-be9d-7ae5ded6fe7c'
    $secretKey = 'SDSOOIsVBH13KE6uO6GCw0~~_.nVcZ3oHW'
    $tenantID = 'e4c9ab4e-bd27-40d5-8459-230ba2a757fb'

    # Sign in as the service principal.
    $password = ConvertTo-SecureString -String $secretKey -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($clientID, $password)
    Connect-AzureRmAccount -ServicePrincipal -Credential $credential -Tenant $tenantID

    # Request an app-only token from the v2.0 token endpoint (client credentials flow).
    $authUrl = "https://login.microsoftonline.com/" + $tenantID + "/oauth2/v2.0/token/"
    $body = @{
        "scope"         = "https://graph.microsoft.com/.default"
        "grant_type"    = "client_credentials"
        "client_id"     = $clientID
        "client_secret" = $secretKey
    }

    $adlsToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body

    # Call Microsoft Graph with the token as a bearer credential.
    $Headers = @{
        'Authorization' = "Bearer $($adlsToken.access_token)"
    }

    $Result = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users' -Headers $Headers

    Write-Output $Result


If an Answer is helpful, please click "Accept Answer" and upvote it.





Apologies for the late response. Alas, the User.Read.All permission is granted and Admin consent was given, and yet we're getting this 302 response. So it doesn't seem like a permissions problem.


Missed this - so apologies. Can you repro this again and post the client-request-id and timestamp and we can take a look at the logs...
This is very unusual and I've not seen this before.

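The comments above ask two things: which permissions the token actually carries, and the client-request-id and timestamp of the failing call. The shell helpers below answer both; they are an added example, not code from the thread. The function names are made up for this example, the sample token is constructed, and a `base64` that accepts `-d` is assumed.

```shell
# Added example, not code from the thread; sample_token is constructed.

# Decode JWT segment $2 (1 = header, 2 = claims) of token $1; no signature check.
jwt_segment() {
  _seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  while [ $(( ${#_seg} % 4 )) -ne 0 ]; do _seg="$_seg="; done  # restore padding
  printf '%s' "$_seg" | base64 -d
}
# Print the raw JSON value (string or array) of top-level claim $2.
jwt_claim() {
  jwt_segment "$1" 2 | tr -d '\n' |
    grep -oE "\"$2\"[[:space:]]*:[[:space:]]*(\[[^]]*]|\"[^\"]*\")" |
    head -n 1 | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*//'
}
# Succeed if roles (app-only token) or scp (delegated token) lists permission $2.
token_grants() {
  printf '%s %s' "$(jwt_claim "$1" roles)" "$(jwt_claim "$1" scp)" |
    tr -s '\133\135", ' '\n' | grep -Fxq -- "$2"
}
# Read a raw `curl -i` response on stdin: flag a 3xx without Location, print support IDs.
triage_response() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    /^$/    { exit }   # end of headers
    { n = index($0, ":"); k = tolower(substr($0, 1, n - 1)); v = substr($0, n + 2) }
    k == "location"          { loc = v }
    k == "date"              { date = v }
    k == "request-id"        { rid = v }
    k == "client-request-id" { crid = v }
    END {
      if (status ~ /^3/ && loc == "") print "anomaly: " status " redirect without Location"
      printf "status=%s\ndate=%s\nrequest-id=%s\nclient-request-id=%s\n", status, date, rid, crid
    }'
}

b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {  # constructed, unsigned app-only token
  _h=$(printf '%s' '{"alg":"none"}' | b64url)
  _p=$(printf '%s' '{"aud":"https://graph.microsoft.com","roles":["User.Read.All"]}' | b64url)
  printf '%s.%s.sig' "$_h" "$_p"
}
sample_response() {  # status and headers as posted in the question
  printf '%s\r\n' 'HTTP/1.1 302 Found' 'Date: Wed, 25 Aug 2021 23:53:50 GMT' \
    'request-id: 0b545c94-873b-47f2-a4de-16a15ec17ffe' \
    'client-request-id: 0b545c94-873b-47f2-a4de-16a15ec17ffe' '' '0'
}

sample_response | triage_response
```

On a live call, pipe `curl -si -H "Authorization: Bearer $TOKEN" https://graph.microsoft.com/v1.0/users` into `triage_response`, and run `token_grants "$TOKEN" User.Read.All` before assuming the permission grant has reached the token.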