Accessing Microsoft Graph from C# Web API
I have a following application architecture:
- Angular 5 client
- C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
azure microsoft-graph adal
add a comment |
I have a following application architecture:
- Angular 5 client
- C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
azure microsoft-graph adal
add a comment |
I have a following application architecture:
- Angular 5 client
- C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
azure microsoft-graph adal
I have a following application architecture:
- Angular 5 client
- C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) to fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/) . I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches gives me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
azure microsoft-graph adal
azure microsoft-graph adal
asked Nov 12 '18 at 11:59
lukaszlukasz
6111
6111
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
- Click Settings
- Go to Required permissions
- Click Add
- Click Select an API
- Select Microsoft Graph and click Select
- Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53261720%2faccessing-microsoft-graph-from-c-sharp-web-api%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
- Click Settings
- Go to Required permissions
- Click Add
- Click Select an API
- Select Microsoft Graph and click Select
- Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
add a comment |
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
- Click Settings
- Go to Required permissions
- Click Add
- Click Select an API
- Select Microsoft Graph and click Select
- Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
add a comment |
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
- Click Settings
- Go to Required permissions
- Click Add
- Click Select an API
- Select Microsoft Graph and click Select
- Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
- Click Settings
- Go to Required permissions
- Click Add
- Click Select an API
- Select Microsoft Graph and click Select
- Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
answered Nov 12 '18 at 12:12
rickvdboschrickvdbosch
3,66421426
3,66421426
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
add a comment |
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
– juunas
Nov 12 '18 at 12:21
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53261720%2faccessing-microsoft-graph-from-c-sharp-web-api%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown