How to fix "/me request is only valid with delegated authentication flow." issue?

Jie Shen 56 Reputation points
2022-05-17T05:37:12.237+00:00

I want to use Postman to get user profiles from Azure AD.
I can get a token using [https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token]
But I couldn't get my profile using [https://graph.microsoft.com/v1.0/me]
I got the error below.
/me request is only valid with delegated authentication flow.
I set the API access permissions as below.
User.Read (Delegated)
User.Read.All (Delegated)


2 answers

  1. Shweta Mathur 27,141 Reputation points Microsoft Employee
    2022-05-17T11:02:50.727+00:00

    Hi @Jie Shen ,

    Thanks for reaching out.

    I understand you are trying to call the "/me" endpoint and have added delegated permissions to access the Graph API "/me" endpoint, but you are getting the error

    "/me request is only valid with delegated authentication flow".

    First, you need to understand delegated permissions and application permissions.

    Delegated permissions are used by applications that require user interaction or a signed-in user, whereas application permissions do not require any user interaction and are used by applications that run in the background and are consented to beforehand by an admin only.

    Now, to call any API endpoint, we need to get an access token with the required permissions using the different OAuth flows provided by the Microsoft Identity Platform. As mentioned by michev, the client credentials flow does not require user interaction and requires application permissions to get the access token.

    If you are trying to get the token with that flow, that token does not contain the required permissions to call the "/me" endpoint.

    To call the "/me" endpoint, you need to get the access token using the authorization grant flow, implicit flow or ROPC flow, where the user needs to sign in to get the access token.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------

    Please remember to "Accept Answer" if the answer helped you.

    3 people found this answer helpful.

  2. Vasil Michev 94,521 Reputation points MVP
    2022-05-17T06:29:41.777+00:00

    There's nothing to fix here: the "/me" endpoint refers to the user in whose context you are running the request, and thus is only available for delegated permission flows. If you are using the application permissions model (client credentials), you are running your code without any user context, so there is no user to "resolve" for the "/me" endpoint. Use /users/{userId} instead.

    1 person found this answer helpful.
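
A quick way to confirm which case a token falls into before calling Graph, as an added example that is not part of either answer above: decode the access token's payload and look at `scp` (delegated scopes) and `roles` (application permissions). The function names, the sample tokens and the `user@contoso.example` UPN are constructed for illustration; the payload is decoded without signature verification, which is suitable for troubleshooting only.

```python
import base64
import json
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str) -> dict:
    """Summarise the claims that decide whether /me can work."""
    c = jwt_claims(token)
    scopes = c.get("scp", "").split()  # delegated permissions, space-separated
    roles = c.get("roles", [])         # application permissions, JSON array
    return {"delegated": bool(scopes), "scopes": scopes, "roles": roles}

def profile_url(token: str, user_id: Optional[str] = None) -> str:
    """Pick the Graph URL that matches the token's context."""
    if diagnose(token)["delegated"]:
        return f"{GRAPH}/me"
    if not user_id:
        raise ValueError("no signed-in user in this token; supply a user id or UPN")
    return f"{GRAPH}/users/{user_id}"

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample claims; real tokens carry many more.
AUD = "https://graph.microsoft.com"
DELEGATED = make_sample_token({"aud": AUD, "scp": "User.Read User.Read.All"})
APP_ONLY = make_sample_token({"aud": AUD, "roles": ["User.Read.All"]})
# Assumed shape of a client-credentials token when only delegated
# permissions are configured: neither scp nor roles is present.
NO_PERMS = make_sample_token({"aud": AUD})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED), ("app-only", APP_ONLY), ("no-perms", NO_PERMS)]:
        print(name, diagnose(tok), profile_url(tok, "user@contoso.example"))
```

A token with no `scp` claim has no signed-in user, so `/me` cannot resolve; an empty `roles` list on such a token means the app-only call to `/users/{userId}` also needs an application permission granted and admin-consented first.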