Accessing Microsoft Graph from C# Web API










I have the following application architecture:

  • Angular 5 client
  • C# Web API protected by Azure tokens

The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.

But then, I would like to make the API layer (server-side) fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/). I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches give me an insufficient privileges error from the MS Graph side.

What am I doing wrong?










      azure microsoft-graph adal






      asked Nov 12 at 11:59









      lukasz























          1 Answer

Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...

  • Click Settings
  • Go to Required permissions
  • Click Add
  • Click Select an API
  • Select Microsoft Graph and click Select
  • Under Application Permissions, check the correct permissions

Click Select to select the permissions, then Done to finish adding API access.

IMPORTANT!

Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions; you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.

More information, for instance about Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph







          answered Nov 12 at 12:12









          rickvdbosch












          • There are also two approaches that can be taken here: Application permissions (requires admin approval always) or Delegated permissions + On-behalf-of (requires admin approval sometimes). On-behalf-of allows you to exchange the token the API received for a new delegated token, and then call an API as the app + user. App permissions give organization-wide access but are more reliable and simple. Delegated permissions give tighter access but are more fragile :)
            – juunas
            Nov 12 at 12:21
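The on-behalf-of exchange described in the comment above, written out at the protocol level as an added example that is not part of the original thread. It assumes the Microsoft identity platform v2.0 token endpoint, the delegated `User.Read` permission on the API's app registration, and plain `HttpClient` instead of the ADAL library from the question's tags; the environment variable names are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public static class GraphOnBehalfOf
{
    // Form fields of the OAuth 2.0 on-behalf-of request the Web API sends to Azure AD.
    public static Dictionary<string, string> BuildOboForm(
        string clientId, string clientSecret, string incomingApiToken) => new()
    {
        ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
        ["requested_token_use"] = "on_behalf_of",
        ["client_id"] = clientId,          // the Web API's own app registration
        ["client_secret"] = clientSecret,
        ["assertion"] = incomingApiToken,  // token the Angular client sent, already validated by the API
        ["scope"] = "https://graph.microsoft.com/User.Read", // assumed delegated permission for /me
    };

    // Exchanges the incoming token for a Graph token; surfaces Azure AD's error text on refusal.
    public static async Task<string> GetGraphTokenAsync(
        HttpClient http, string tenantId, Dictionary<string, string> form)
    {
        var url = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
        using var resp = await http.PostAsync(url, new FormUrlEncodedContent(form));
        var body = await resp.Content.ReadAsStringAsync();
        using var json = JsonDocument.Parse(body);
        if (!resp.IsSuccessStatusCode)
        {
            // error_description states the reason, for example consent that was never granted.
            var err = json.RootElement.TryGetProperty("error_description", out var d) ? d.GetString() : body;
            throw new InvalidOperationException($"Token exchange failed ({(int)resp.StatusCode}): {err}");
        }
        return json.RootElement.GetProperty("access_token").GetString()
            ?? throw new InvalidOperationException("No access_token in response");
    }

    public static async Task Main()
    {
        // Hypothetical configuration names; supply real values through the environment.
        string Env(string n) => Environment.GetEnvironmentVariable(n)
            ?? throw new InvalidOperationException($"Set {n}");
        using var http = new HttpClient();
        var form = BuildOboForm(Env("API_CLIENT_ID"), Env("API_CLIENT_SECRET"), Env("INCOMING_API_TOKEN"));
        var graphToken = await GetGraphTokenAsync(http, Env("TENANT_ID"), form);

        // The new token is issued for Graph, so /me resolves to the signed-in user.
        using var req = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/me");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
        using var me = await http.SendAsync(req);
        Console.WriteLine($"{(int)me.StatusCode}: {await me.Content.ReadAsStringAsync()}");
    }
}
```

With application permissions instead, the request uses `grant_type=client_credentials` with the scope `https://graph.microsoft.com/.default`; that token carries no user, so `/me` does not apply and the call has to address `/users/{id}`.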















