Android Graph SDK. Access is denied. Check credentials and try again

Question

question

AlexanderSvarnik-4009 asked Mar 1, '22 JanardhanaVedham-MSFT commented Mar 14, '22

Android Graph SDK. Access is denied. Check credentials and try again

Hello.

Set up Graph SDK for Android as per instructions.
Added SAML - user is authorized and token is present.

Code that calls API:
mClient.me().contacts().buildRequest().async
.thenAccept {
Log.d("TEST", "collection=$it")
}
.exceptionally {
Log.d("TEST", "error=${it.message}")
null
}

Logcat:
E/global: CoreHttpProvider[processResponse] - 493Graph service exception Error code: ErrorAccessDenied
E/global: CoreHttpProvider[processResponse] - 493Error message: Access is denied. Check credentials and try again.
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493GET https://graph.microsoft.com/v1.0/me/contacts
E/global: CoreHttpProvider[processResponse] - 493SdkVersion : graph-java/v5.15.0
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493403 : Forbidden
E/global: CoreHttpProvider[processResponse] - 493[...]
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493[Some information was truncated for brevity, enable debug logging for more details]
E/global: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: ErrorAccessDenied
Error message: Access is denied. Check credentials and try again.

     GET https://graph.microsoft.com/v1.0/me/contacts
     SdkVersion : graph-java/v5.15.0


     403 : Forbidden
     [...]

     [Some information was truncated for brevity, enable debug logging for more details]

Permissions for Application on Azure:

Thank you.

microsoft-graph-profile microsoft-graph-contacts

screen-shot-2022-03-01-at-200404.png (153.3 KiB)

screen-shot-2022-03-01-at-200412.png (161.5 KiB)

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JanardhanaVedham-MSFT · Mar 01 at 06:38 PM

Hi @@AlexanderSvarnik-4009,

Adding relevent tag "microsoft-graph-contacts" to this post.

If the below provided answer is helpful to you, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

0 ·

Answer 1 · 2022-03-01T18:33:18.093Z

JanardhanaVedham-MSFT answered Mar 1, '22

Hi @AlexanderSvarnik-4009,

As you can see below, I am able to replicate the same issue in Graph Explorer Application. As documented in List contacts API , you would have to grant "Contacts.Read" or "Contacts.ReadWrite" micosoft graph permissions to get a contact collection from the default contacts folder of the signed-in user.

Error Replication from Graph Explorer Application without Contacts.Read" or "Contacts.ReadWrite" micosoft graph permissions granted:
Example:

Succesful response in Graph Explorer Application after granting Contacts.Read" micosoft graph permissions :
Example:

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

image.png (68.5 KiB)

image.png (42.3 KiB)

image.png (102.3 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2022-03-02T12:00:09.437Z

AlexanderSvarnik-4009 answered Mar 2, '22 AlexanderSvarnik-4009 edited Mar 2, '22

Hi @JanardhanaVedham-MSFT

Thank you for response.

I ran Graph Explorer and see the same error. Based on your response I need to add permissions for Contacts.

Just want to describe how our android app is added:
1. On production corporate tenant A - application was created and registered as we are owner and creator of this app. There is generated Application_ID.
2. On Test tenant B - I have full admin access to Azure and want to make user from tenant B use our app with Contacts access.

Regarding your screenshot ListContacts I can't find a place where to allow Contacts.Read and Contacts.ReadWrite.
I added these permissions at:

This didn't help. Graph explorer still returns the same error.

According to this please help with these questions:
1. Where should I allow Contacts.Read and Contacts.ReadWrite
2. I I should allow this for our application - on what tennant? On Tenant A that is creator of app? Or Tenant B that is using app? On tenant B I couldn't find buttons that will add these permissions. On my original question post I added screenshots from Tenant B and permissions list.

Thank you a lot for helping.

Regards,
Alex.

screen-shot-2022-03-02-at-145230.png (442.7 KiB)

screen-shot-2022-03-02-at-150053.png (200.5 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2022-03-07T14:52:00.437Z

AlexanderSvarnik-4009 answered Mar 7, '22 JanardhanaVedham-MSFT commented Mar 8, '22

Hi @JanardhanaVedham-MSFT

Please answer me, I couldn't find that section to enable permissions.

Regards,
Alex.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2022-03-08T14:09:54.59Z

JanardhanaVedham-MSFT answered Mar 8, '22 JanardhanaVedham-MSFT edited Mar 8, '22

Hi @AlexanderSvarnik-4009 ,

Sorry for the delayed response.

You would need to configure the microsoft graph permissions for the application using which the authentication is being done and the access token is generated. Below are the steps to be followed to grant Microsoft graph permissions for the registered app in Azure AD.

If you are using application permissions scope in your application then you would have choose "Application Permissons" section

If you are using delegated permissions scope in your application then you would have choose "Deleted Permissons" section instead of "Application Permissions"

As shown in the above screenshot, Admin must grant admin consent for "Contacts.Read" or "Contacts.ReadWrite" application or delegated permissions.

Additional Documentation on App Registration & Authentication and authorization basics for Microsoft Graph :
https://docs.microsoft.com/en-us/graph/auth/auth-concepts
https://docs.microsoft.com/en-us/graph/auth-register-app-v2
https://docs.microsoft.com/en-us/graph/auth-v2-user
https://docs.microsoft.com/en-us/graph/auth-v2-service

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

image.png (90.0 KiB)

image.png (68.7 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 5 · 2022-03-14T11:10:46.05Z

AlexanderSvarnik-4009 answered Mar 14, '22 JanardhanaVedham-MSFT commented Mar 14, '22

Hi @JanardhanaVedham-MSFT

Thank you a lot for help. Now android app can use Graph API for these purposes.

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JanardhanaVedham-MSFT · Mar 14 at 11:48 AM

Hi @AlexanderSvarnik-4009 ,

Thanks for the update. Glad to know that the issue has been resolved for you.

0 ·

question