OAuth : App development working with Microsoft Entra ID (Azure AD)
- Build Standard Web or Native Application
- Build JavaScript Application
- Build Backend Application (Daemon app, Service app)
- How to Verify Token
- Build Your Custom API Application
- Workload Identity Federation
In this blog post, I’ll introduce you newly supported Entra ID client credential flow (with application permissions) in Entra ID endpoint, and describe details about how it works and how to use.
To simplify examples, we use Microsoft Graph in this post, but you can also use this flow for other application’s scopes. (See “Entra ID – How to use custom scopes for admin consent” for custom scopes.)
Note (Dec 2022) : As you can see in this post, the current app permission in Microsoft Graph is granted at a tenant-wide scope, but new RBAC permission model can limit the data an application can access using either of two resource scopes, management scopes or administrative units.
This new model will replace the current application permission in the future.
See here for the announcement.
(Microsoft Azure has already taken RBAC permission model.)
When to use Application Permissions ?
You should remember that application permissions are very strong and powerful permissions.
Imagine that you want to synchronize all user’s information in your organization between Entra ID and your custom application periodically. This app’s sync should work without login UI (i.e, as daemon or services) and access data of all Entra ID users (read/write).
With user flows (such as, code grant flow), of course, this is impossible.
The flow in this post uses the organization-level access privilege using a certificate or secret (app password) without interactive login UI, and can then access to all data in some organization (tenant) – such as, all users, all messages, all calendars, all files, all contacts, all registered devices, so on and so forth.
This client credential flow exactly helps these scenarios.
Note : Server-side backend logic with front-end application (such as, 3-tier web application) doesn’t need to use this flow. For these applications, you can use OAuth on-behalf-of flow in Entra ID (in which the user context is kept).
Application Registration
Before you start, you should register and configure your application.
First, you login to https://portal.azure.com/ (Azure Portal) and go to “Azure Active Directory”. In Entra ID management, click “App registrations” in the navigation, and then push “New registration” to register your app. In app registration wizard, be sure to select an option “Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)” (i.e, which means v2 application).
After the application is created (registered), you can get the application id in the application page. (See the following screenshot.)
In the application page, click “API permissions” in the navigation and push “Add a permission”. In the API permission pane, select “Microsoft Graph” and select “Files.Read.All” permission in “Application permissions” (not “Delegated permissions”) as the following screenshot.
Note : For other applications except for “Microsoft Graph”, please see “Entra ID – How to use custom scopes for admin consent“. (Added 02/07/2018)
Note : In the usual user consent’s flow, you don’t need to pre-define scopes in Azure Portal and you can set scopes dynamically (on the fly) when you authenticate.
As I explain later, this flow uses the pre-defined scope attached on your application.
Next click “Certificates & secrets” in the navigation, and add a new client secret (app password) to your app.
Lastly, set your application’s url as redirect URI in application page. (See the following screenshot.)
In this post, we assume https://localhost/testapp02 as redirect URI.
You application’s configuration is all done !
Admin Consent
We assume that this application (service) is multi-tenant application and share this service to user’s organization. How to deliver this application for each organization (tenant) ?
In this case, you can use the delivery mechanism called “consent”.
For example, if you use the Facebook integrated application, the application informs you operations (“read your friend list”, “create posts”, etc) the application is needing. If the user approve, the user can use this application. No extra setup is needed.
The application using Microsoft identity is having the same mechanism, and this is called “user consent” which grants the application to access your own data (your messages, your files, etc).
But as I wrote above, this application uses the all organization’s data, not for the specific user. In such a case, the “administrator consent” (admin consent) is used in Entra ID, and this consent must be done by the administrator in the organization.
Note : When you skip admin consent, access token will include neither
scp(scope) norroles. (And the request for calling API will then fail.)
Admin consent isn’t required when no Entra ID permission is used in the flow. If you want to avoid IT admin’s consent for granting to your application, you can skip this process (admin consent) by building its own role management (app-specific role and admin management) in your application without Entra ID permissions.
This approach is used in Microsoft Azure. Azure has its own role management framework, called Role-Based Access Control (RBAC), and the admin consent is not then required in client credential flow. (See here for details.)Note : The admin consent is not only for the application permissions, but also used for granting delegated permissions (user permissions) for all users in your organization (tenant).
With admin consent workflow enabled in Entra ID, the users can also request (ask) the admin consents to organization’s administrators.
When you use the administrator consent, all you have to do is to go to https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} using web browser.
In this example, we go to the following url. (We assume the user tenant is testdirectory.onmicrosoft.com.)
https://login.microsoftonline.com/testdirectory.onmicrosoft.com/adminconsent?client_id=69f2b31d-d99d-4f9c-a27c-91c7be8d40b5&state=12345&redirect_uri=https%3a%2f%2flocalhost%2ftestapp02Note : The state parameter is returned as the same value after login. Your application can use this data (state), if you want to keep some state after login.
If you access to the above url, the login screen (the following screenshot) is shown. Before using this application, the tenant administrator must login and permit to use this application only once, and the login is needed no longer.
When you are using v2.0 endpoint, you can use both Entra ID Account (organizational account) and Microsoft Account (personal account). But, in this case, this application needs the organization-level permission, then you must login using Entra ID tenant administrator’s account here. (If you use the other kind of account, the error occurs.)
After you login using the administrator account in Entra ID, the following consent screen is displayed. This screen says that if you grant to this application, this app takes the organization-level access privilege.
If you agree this consent, this application is granted to access your organization’s data. After that, the web page is redirected to {redirect uri}?admin_consent=True&tenant={tenant name}&state={state data}. In this example, this is the following url.
https://localhost/testapp02?admin_consent=True&tenant=testdirectory.onmicrosoft.com&state=12345Note : If the error occurs, the page is redirected to the following uri.
http://localhost/testapp02?error=permission_denied&error_description=The+admin+canceled+the+request
If you (an administrator) don’t need this consented application in your tenant anymore, you can revoke this application using Azure Portal.
To revoke an admin-consented application, select “Enterprise applications” in the navigation (on Entra ID management page) and select this application in the list. (See the following screenshot.) In application page, select “Properties” and click “Delete” button.
Note : If you change your application permission in this application, the users (tenant administrators) must consent to this application again. (The user can consent many times.)
Get Access Token
Now it’s ready ! Your application can get the access token including permissions (scope or roles) and call some proper operations by the given permissions.
Your application can get access token using the following HTTP request (OAuth).
Note that you cannot use https://login.microsoftonline.com/common/oauth2/v2.0/token (which is commonly used) for getting the token. Instead, you must use https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, which identifies the specific tenant. (In this example, we use “testdirectory.onmicrosoft.com” as user’s organization.)
The scope must be https://graph.microsoft.com/.default .
Remind that you can use the scope (permission) values on the fly in user authentication flow, such like https://graph.microsoft.com/mail.read. The .default scope in client credential flow means that the application uses the pre-defined scopes, i.e, Files.Read.All in this example. (See previous “Application Registration” section for pre-defined scopes.)
POST https://login.microsoftonline.com/testdirectory.onmicrosoft.com/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=69f2b31d-d99d-4f9c-a27c-91c7be8d40b5&client_secret=7XO2%2F%40...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.defaultYour application can get the following HTTP response. The access token is used for calling APIs (services).
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 0,
"access_token": "eyJ0eXAiOi..."
}Call Services (Microsoft Graph)
Lastly your application calls the service of Microsoft Graph using the provided access token.
In this example, the “Files.Read.All” permission is used for your application, then your application can read the all user’s files using Microsoft Graph in the given organization (testdirectory.onmicrosoft.com).
The following is retrieving all files in the OneDrive root folder for the user “demouser01@testdirectory.onmicrosoft.com”. The result is returning the two folder items.
Your application can get the files of arbitrary users in the organization in the same way.
HTTP Request
GET https://graph.microsoft.com/v1.0/users/demouser01@testdirectory.onmicrosoft.com/drive/root/children
Accept: application/json
Authorization: Bearer eyJ0eXAiOi...HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('demouser01%40testdirectory.onmicrosoft.com')/drive/root/children",
"value": [
{
"createdBy": {
"user": {
"id": "cf258756-2623-47cb-be46-c85d436265bb",
"displayName": "Demo Taro"
}
},
"createdDateTime": "2015-12-22T07:24:46Z",
"eTag": ""{4C06E4DE-B89C-4A78-848A-FCC6118041F6},1"",
"id": "01B6UXIPO64QDEZHFYPBFIJCX4YYIYAQPW",
"lastModifiedBy": {
"user": {
"id": "cf258756-2623-47cb-be46-c85d436265bb",
"displayName": "Demo Taro"
}
},
"lastModifiedDateTime": "2016-05-23T11:45:24Z",
"name": "testfol",
"webUrl": "https://o365directory-my.sharepoint.com/personal/demouser01_o365directory_onmicrosoft_com/Documents/testfol",
"cTag": ""c:{4C06E4DE-B89C-4A78-848A-FCC6118041F6},0"",
"folder": {
"childCount": 2
},
"parentReference": {
"driveId": "b!iXgvhy0l90q10oljtqrTKLCkDzZ204FFhgSqDnNXhktfZNOb9jHxQrzimH24Z67t",
"id": "01B6UXIPN6Y2GOVW7725BZO354PWSELRRZ",
"path": "/drive/root:"
},
"size": 0
},
{
"createdBy": {
"user": {
"id": "cf258756-2623-47cb-be46-c85d436265bb",
"displayName": "Demo Taro"
}
},
"createdDateTime": "2016-05-20T12:57:32Z",
"eTag": ""{2135DDF2-5458-49E6-8C8E-2AB08501A7E4},1"",
"id": "01B6UXIPPS3U2SCWCU4ZEYZDRKWCCQDJ7E",
"lastModifiedBy": {
"user": {
"id": "cf258756-2623-47cb-be46-c85d436265bb",
"displayName": "Demo Taro"
}
},
"lastModifiedDateTime": "2016-05-20T13:04:11Z",
"name": "expense",
"webUrl": "https://o365directory-my.sharepoint.com/personal/demouser01_o365directory_onmicrosoft_com/Documents/expense",
"cTag": ""c:{2135DDF2-5458-49E6-8C8E-2AB08501A7E4},0"",
"folder": {
"childCount": 2
},
"parentReference": {
"driveId": "b!iXgvhy0l90q10oljtqrTKLCkDzZ204FFhgSqDnNXhktfZNOb9jHxQrzimH24Z67t",
"id": "01B6UXIPN6Y2GOVW7725BZO354PWSELRRZ",
"path": "/drive/root:"
},
"size": 0
}
]
}Using Microsoft Authentication Library (MSAL)
Microsoft Authentication Library (MSAL) is the library that helps you to develop applications that work with v2.0 endpoint. Now this also supports this scenarios.
The following is the C# MSAL sample code, which gets the access token for this application permission’s scenario.
You must install the NuGet package “Microsoft.Identity.Client” (Microsoft Authentication Library, MSAL) in your project.
using Microsoft.Identity.Client;
static void Main(string[] args)
{
// get access token including application permissions
ConfidentialClientApplication cl = new ConfidentialClientApplication(
"https://login.microsoftonline.com/testdirectory.onmicrosoft.com/v2.0",
"69f2b31d-d99d-4f9c-a27c-91c7be8d40b5",
"https://localhost/testapp02",
new ClientCredential("7XO2/@=t@a..."),
new TokenCache());
AuthenticationResult authResult = cl.AcquireTokenForClient(
new string[] { "https://graph.microsoft.com/.default" },
null).Result;
Console.WriteLine(authResult.Token);
Console.ReadLine();
}
Update History :
Dec 04, 2019 Update App Registration Portal (https://apps.dev.microsoft.com) to Azure Portal, because of App Registration Portal deprecation
Categories: Uncategorized
tsmatz 
Hi , I am getting
{StatusCode: 403, ReasonPhrase: ‘Forbidden’, Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
Transfer-Encoding: chunked
request-id: 83d0d501-2290-44cc-aa84-cb49975a4404
client-request-id: 83d0d501-2290-44cc-aa84-cb49975a4404
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”SliceA”,”ScaleUnit”:”003″,”Host”:”SDFS”,”ADSiteName”:”CST”}}
Duration: 61.6349
Cache-Control: private
Date: Thu, 13 Oct 2016 22:38:57 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Type: application/json
}}
LikeLike
I have me sure that all the permission are given correctly
LikeLike
Hi, If you have already consented (agreed with the permission request UI), please revoke this permission and approve again (by admin user).
If you still cannot solve this, could you please attach your HTTP request raw ? (including authorization token)
LikeLike
The app works on selecting entry and exit point is programmed
LikeLike
Application content fingers heads do I
LikeLike
Applications do not relieve programs road intersection and earn a pattern you carry responsibility for the delay of the signature.
LikeLike
Hi
I’m using MSAL PublicClientApplication to connect to outlook.com.
Works great, very easy to use, but in “confirming permissions” screen, in addition to “read contacts” permission I defined in “scopes” ({https://outlook.office.com/contacts.read”}) and in the app registration, there are four others permissions including “[APP] will be able to see and update your info, even when you’re not using this app.”. Am I missing something here? How can I remove these?
Regards
Dejan
LikeLike
Are you using delegated permissions on the fly ? (i.e, are you setting “https://outlook.office.com/contacts.read” as “scope” value for the login ?)
In this case, you don’t need to select any permissions in the app registration portal.
I’m sorry it’s written by Japanese, but I’m writing this usual case (using the delegated permissions on the fly) in the following post.
https://blogs.msdn.microsoft.com/tsmatsuz/2016/03/08/azure-ad-msa-v2-endpoint-validate-id_token/
In this post, the following url is used for user’s login (the confirming permission’s screen is displayed), and you don’t need to select any permissions in the app registration portal beforehand.
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token+code&response_mode=form_post&client_id=7822587c-fed4-4dd3-8e68-165334eb7c92&scope=openid+https%3a%2f%2fgraph.microsoft.com%2fmail.read&redirect_uri=https%3A%2F%2Flocalhost%2Ftest.php&nonce=abcdef
LikeLike
Hi,
Thanks for your reply.
Not sure if I explained well. I’m using MSAL public client from a UWP application. In the user authentication screen there are 4 additional permissions user has to agree with (in addition to the permission I defined in scope). So this is in the user authentication screen, not in the application configuration portal. One of these permissions sound scary, telling user that the app can change their data even when they are not using the app! I’m sure many users will be put off by this and may think the app is some sort of malware. Is there any way to change this?
LikeLike
Can you please tell the following 2 questions ?
1 ) Did you clear all “Microsoft Graph Permissions” in the app settings in app reg portal (https://apps.dev.microsoft.com) ?
2 ) What kind of scopes did you set in MSAL code ?
LikeLike
1) Originally I had MS Graph delegated permissions in the app portal match what’s in my application code (scopes). I have now removed it. No change.
2) In the app, scopes are defined as: {“https://outlook.office.com/contacts.readwrite”}
LikeLike
Thank you for your reply again. I checked using my sample app, and I also found “access your data any time” when I’ve add “offline_access” in the scopes. (If I erase this offline_access, this permission message has disappeared.)
If you set offline_access, not only access token but the refresh token is also returned. Using this refresh token, the app can always get access token inside the app, and can proceed some granted operations. This means “access your data any time”.
For example, if the app is mobile app, this refresh token enables some operations without logging in again. Most mobile apps with OAuth 2 are using this refresh token, because the users must input their user name and password again and again. But, if your app is web app, you may erase this offline_access and prompt to the user to login again when the access token is expired. (The access token lifetime is 1 hour by default.)
LikeLike
Hi,
Thanks for that! How do I erase offline_access permission? I don’t have that in scopes.
LikeLike
Are you using some sort of library like MSAL ? If so, the libarary would add the “offline_access” automatically because of enabling cache.
As you know, you can see the http raw using Fiddler and you can check what kind of scopes is added for the http request. If the issue exists, could you please tell me your http raw request ? I will try the same request.
LikeLike
Yes, using MSAL. I guess there is no way to switch it off with msal. Thanks for all the help!
LikeLike
Hi,
After getting the access token I was trying to get the following resource (https://graph.microsoft.com/v1.0/me/message) which resulted in the following error:
HTTP/1.1 400 Bad Request
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
Server: Microsoft-IIS/8.5
request-id: 95878061-9c50-4d67-934f-c50a4b98edc6
client-request-id: 95878061-9c50-4d67-934f-c50a4b98edc6
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”Japan East”,”Slice”:”SliceB”,”ScaleUnit”:”000″,”Host”:”AGSFE_IN_2″,”ADSiteName”:”KAW”}}
Duration: 3.5795
X-Powered-By: ASP.NET
Date: Wed, 25 Jan 2017 06:01:48 GMT
{
“error”: {
“code”: “BadRequest”,
“message”: “Current authenticated context is not valid for this request”,
“innerError”: {
“request-id”: “95878061-9c50-4d67-934f-c50a4b98edc6”,
“date”: “2017-01-25T06:01:49”
}
}
}
However if I change the resource uri to (https://graph.microsoft.com/v1.0/users/@.onmicrosoft.com/messages) I will be able to retrieve the mail messages.
Why is this?
Thanks in advance,
Lei Xu
LikeLike
the uri should be https://graph.microsoft.com/v1.0/users/myuser@myorg.onmicrosoft.com/messages
LikeLike
Hi Lei san,
You cannot get from /me uri using this token. The token which is written in this post is the token for “application” scope, not “user” scope. As you know, no login UI is displayed when retrieving the token, and the token is not including who logged-in. (First we’re logging-in using administrator user, but this is not for getting token, but for subscribing (consenting) this application in this tenant.)
If you want to use /me using the user token, please use the usual OAuth flow as follows. (Don’t use this application permission.)
Sorry, but the following post is written in Japanese, and please translate …
https://blogs.msdn.microsoft.com/tsmatsuz/2016/02/24/v2-endpoint-oauth2-client-using-azure-active-directory-and-microsoft-account/
LikeLike
Thanks a lot for the clarification.
LikeLike
Hi,
Thanks to your post and answers I have managed to access office 365 resources with oauth2 client credentials flow through azure ad 2.0.
I am looking for a little bit different two legged tutorial which use openid connect.
I believe that openid connect for azure ad 2.0 login is in this format:
https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration
Wondering how to use this to achieve two legged authentication just like the oauth2 client credentials flow.
Thanks in advance.
LikeLike
Hi,
thank you for your post.
I followed the steps using crome rest client. I was able to give admin consent successfully. I also got the token created. But when i use that token to query graph apis, I am getting error
“code”: “InvalidAuthenticationToken”,
“message”: “CompactToken parsing failed with error code: -2147184105”,
Please help me fix this issue
LikeLike
Are you using Microsoft Account to consent ? Even if it has the admin permissions, you cannot use Microsoft Account in this scenario. You need to use organization admin account (usually it has the format of *****@*****.onmicrosoft.com or provisioned custom domain) for consent.
LikeLike
Hi,
Is there anyway to retrieve all site-collections using Microsoft Graph API?
LikeLike
Hi,
What is the correct way to specify both the “.default” and the “offline_access” scopes? When I try to add “offline_access” to the scope parameter while calling the token endpoint I get a incorrect scope error.
LikeLike
Hi, This (app permissions) is used for the backend (daemon app, backend services, etc) which uses certificates in the backend, so I think you cannot specify “offline” which is usually used for the mobile app that is preserving token as refresh token in the devices.
LikeLike
H I am getting:
Authorization_IdentityNotFound
when I try to:
var graphClient = new GraphServiceClient(“https://graph.microsoft.com/v1.0”, new DelegateAuthenticationProvider(
async requestMessage => { string token =authResult.Token;
requestMessage.Headers.Authorization = new AuthenticationHeaderValue(“bearer”, token);
})
var user = await this.graphClient.Users[emailAddress].Request().GetAsync()
I have User.Read.All under both Delegated Permissions and Application Permissions
LikeLike
In your case, you don’t need application permissions, and also don’t need the delegated permissions previously set in App Reg Portal. (In v2 endpoint, you can set your required scopes on the fly like “https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token+code&response_mode=form_post&client_id={your app id}&scope=openid+https%3a%2f%2fgraph.microsoft.com%2fmail.read&redirect_uri={your app url}&nonce=abcdef”.)
I’m sorry but I’m not familiar with “Authorization_IdentityNotFound” error, and can you please give me the error status and messages on HTTP response by using Fiddler or something ?
LikeLiked by 1 person
For anyone in future who encounters similar problem, ensure you are explicitly specifying the tenant Id when requesting the access token using i.e. https://login.microsoftonline.com/${this.storm.tenant_Id}/oauth2/v2.0/token
LikeLiked by 1 person
Please help! I keep getting error “The identity of the calling application could not be established”
LikeLike
Are you following the step by step procedure written in this post ? (Or you’re using SDK or some sort of things ?)
If so, can you please give me the entire HTTP request and HTTP response of the error request ? (You can use Fiddler for tracking HTTPS if you’re using SDK.)
I think this error seems to be the same as “Authorization_IdentityNotFound” which is mentioned in another comment.
LikeLike
You’re guide has really helped me get my app working, but im currently running into an issue I can find a solution too and I think it might be related to an earlier comment. Im trying to get an outlook 365 calendar integration app to work and using your method for getting admin consent for an Azure AD tenant, I am successfully able to get an access token after the admin allows the app but I cannot get a refresh token. I have tried setting my requested permissions to have “allow_offline” and the allow offline permission shows up under the admin permission request screen but I still cant obtain a refresh token. Let me know what information you need. And thank you so much for this guide, its much more helpful than the microsoft documentation.
LikeLike
Hi Seth san,
This application permission is intended to be used in background application (daemons or services) like some periodical synchronization application and so on. So this type of application doesn’t return refresh token and in v1 endpoint it was also the same. (Sorry it’s Japanese post, but please see https://tsmatz.wordpress.com/2015/04/09/azure-ad-backend-server-side-deamon-service/ for v1 endpoint.)
Sorry that it will not be your expecting result, but now it’s my answer.
LikeLiked by 1 person
Is there any way to retrieve all the site-collections using Microsoft Graph API?
LikeLike
Hi,
I am using User-Administrator account to add permissions (User.Read.All) in my app. But when I re-login to the app it throws prompt with the following data : “NewApp needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it”.
Please tell me the User-Administrator can access the all users data or not.
Thank you.
LikeLike
Before using your app (named “NewApp”), the tenant administrator must add your app with admin consent. (This type of consent cannot be done by non-admin users.)
After your app is consented by the tenant administrator, your app (“NewApp”) can access all users’ data in this tenant. For example, your app can sync all users’ information (in this tenant) with batch execution (like daemons).
LikeLike
Hi,
I’m trying to do a service-to-service call using Microsoft Graph API. The idea is my app will retrieve file data from a user’s personal OneDrive account (not OneDrive For Business) from time to time at the backend without doing user login. This user is a member in the Azure AD tenant.
I followed steps above and able to retrieve access token. I can do API to retrieve list of users in the Azure AD tenant (i.e: https://graph.microsoft.com/v1.0/users) with the access token. But when I trying to access the user’s drive via API https://graph.microsoft.com/v1.0/users/{id}/drive, I get errors
“code”: “BadRequest”
“message”: “Tenant does not have a SPO license.”
Did I missed out any permission setting on the application, or missing any licensing? Some said I need Office 365 to do this, but I doubt why? Or even, can I do this using application permission? (Microsoft documentation suggests to use delegated permission, but this does not fit my design.)
I am new in this piece, sorry if I asked questions that are beyond this post. Any suggestion will be appreciated. Thanks in advanced.
LikeLike
Yes, you need each product’s license for calling corresponding APIs in Microsoft Graph. It seems that the error is saying that your tenant doesn’t have “SharePoint Online” license.
(I also note that you cannot use this approach (with application permissions) for “personal OneDrive” account. It needs organization’s tenant.)
LikeLike
Hello very cool site!! Guy .. Beautiful .. Amazing ..
I’ll bookmark your web site and take the feeds additionally?
I am happy to find a lot of useful info here in the
put up, we’d like develop more strategies on this regard, thanks for sharing.
. . . . .
LikeLike
I’m amazed, I have to admit. Rarely do I come across a blog that’s equally educative and engaging,
and let me tell you, you have hit the nail on the head.
The problem is something which too few people are speaking intelligently
about. Now i’m very happy that I came across this in my hunt for something concerning this.
LikeLike
Heⅼlo, Neat post. Theге іs an issue wіth your website
in web explorer, mіght check thіѕ? IE stіll іs the market chief ɑnd a large element of people wilⅼ omit yoսr wonderful writing Ƅecause ߋf
tһis рroblem.
LikeLike
Hi, i feel that i saw you visited my web site thus i got here to
return the favor?.I’m trying to to find issues to
enhance my site!I assume its ok to use some of your ideas!!
LikeLike
Hi, in my case, I have multiple reply urls with admin consent. Therefore, after admin consent screen, its always navigating to first url listed in reply url collection. is there any way to setup where in it can take other urls also.
LikeLike
Are you setting “redirect_uri=” in your query string ? (This value is ignored ?)
LikeLike
Hi there, yup this piece of writing is really nice and
I have learned lot of things from it on the topic of blogging.
thanks.
LikeLike
Hi there to all, it’s in fact a nice for me to go to see
this web page, it includes helpful Information.
LikeLike
Your style is very unique compared to other folks I have read
stuff from. I appreciate you for posting when you have the opportunity, Guess I will just book mark this page.
LikeLike
Saved as a favorite!, I really like it!
LikeLike
you’re really a excellent webmaster. The web site loading speed is incredible.
It kind of feels that you’re doing any distinctive trick.
Moreover, The contents are masterwork. you’ve performed a
great activity on this matter!
LikeLike
Having read this I believed it was very enlightening.
I appreciate you spending some time and effort to put this article
together. I once again find myself spending way too much
time both reading and commenting. But so what, it was
still worthwhile!
LikeLike
I was curious if you ever considered changing the page layout of your
blog? Its very well written; I love what youve got to say.
But maybe you could a little more in the way of content so people could connect
with it better. Youve got an awful lot of text for only
having one or two pictures. Maybe you could space it out better?
LikeLike
Thank you for your all feedback.
LikeLike
An outstanding share! I have just forwarded this onto a friend who had been doing
a little research on this. And he in fact ordered me lunch due to the
fact that I stumbled upon it for him… lol. So allow me to reword this….
Thanks for the meal!! But yeah, thanx for spending some time to discuss
this issue here on your blog.
LikeLike
I visit everyday some sites and information sites to read articles, except this webpage offers quality based content.
LikeLike
Good web site you have got here.. It’s hard to find
quality writing like yours these days. I really appreciate individuals like you!
Take care!!
LikeLike
I have read so many content regarding the blogger lovers except this
post is genuinely a nice piece of writing, keep it up.
LikeLike
This article will help the internet visitors for creating new webpage or even a weblog from start to end.
LikeLike
This article gives clear idea for the new users of blogging, that truly how to do blogging and site-building.
LikeLike
Hi Tsuyoshi,
I am trying to upload files on OneDrive through rest api. The token is retrieved successfully but while calling the endpoint for file upload getting this error-
“code”:”AccessDenied”,”message”:”Either scp or roles claim need to be present in the token.”
File upload endpoint url – https://graph.microsoft.com/v1.0/users/4e2342e5-0ef1-4b79-812b-64de22669587/drive/items/root:/{file}:/content
The issue occurs when I try to do this with Delegated Permissions but works fine when I assign Application Permission. But as application permission is really powerful, I wanted to understand if there is another way of doing it?
LikeLike
Hi, somegirl692-san. The reason is because it’s not authenticated by OAuth “scope”.
Please perform “consent” written in the following post by using “scope”. (In the following post, the “scope” is for mail read in outlook, and then please specify onedrive scope instead.)
LikeLike