Share via

OrganizationFromTenantGuidNotFound

Site Salt 0 Reputation points
2023-03-18T16:49:32.38+00:00

I have an app registered on Azure (free plan), which I want to use to read the emails from the Outlook inbox, with PHP. I set these permissions in order to be able to query the Graph API:

User's image

I have successfully redeemed an access token from my PHP app. With this token, I get a successful response on https://graph.microsoft.com/v1.0/users/{id}:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [],
    "displayName": "My Display Name",
    "givenName": "My Name",
    "jobTitle": null,
    "mail": null,
    "mobilePhone": null,
    "officeLocation": null,
    "preferredLanguage": "en",
    "surname": "My Surname",
    "userPrincipalName": "...@....onmicrosoft.com",
    "id": "aaaaaaaa-bbbb-cccc-..."
}

The scope of this token is also suitable for what I need:

User's image

However, when I want to query https://graph.microsoft.com/v1.0/users/{id}/mailfolders/inbox/messages?$orderby=receivedDateTime DESC for instance, I get this response:

{
    "error": {
        "code": "OrganizationFromTenantGuidNotFound",
        "message": "The tenant for tenant guid 'aaaaaaaa-bbbb-cccc-...' does not exist.",
        "innerError": {
            "oAuthEventOperationId": "27e88783-1c1e-48f7-be98-f555a5332497",
            "oAuthEventcV": "RkY2sv+z7pLFXJ0v7Oa18Q.1",
            "errorUrl": "https://aka.ms/autherrors#error-InvalidTenant",
            "requestId": "9565f55c-71b9-4885-a61f-746caed65588",
            "date": "2023-03-18T15:23:24"
        }
    }
}

I did an extensive search about this error, but found nothing. One answer I found states that I need a "need a Microsoft office 365 account with a subscription". The plan I currently use is free. It also prompts me to buy Microsoft 365:

User's image

Is this a limitation of the free plan, which denies me the ability to read emails through the Graph api?

Or is there something wrong I'm doing?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
13,521 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,295 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. shakir ullah 5 Reputation points
    2024-06-30T15:22:19.04+00:00

    To resolve this issue, I replaced the tenant ID with the keyword common in the authorizationURL and tokenURL. This allows users from any Azure AD tenant, including personal Microsoft accounts, to authenticate.

    Below is my oAuth strategy Code.

    import { PassportStrategy } from '@nestjs/passport';
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { Strategy, VerifyCallback } from 'passport-azure-ad-oauth2';
import { AuthService } from './auth.service';
import { ConfigService } from '@nestjs/config';
import axios from 'axios';

@Injectable()
export class OauthStrategy extends PassportStrategy(Strategy, 'azure-ad') {
  constructor(
    private readonly authService: AuthService,
    private readonly configService: ConfigService
  ) {
    super({
      clientID: this.configService.get<string>('AZURE_CLIENT_ID'),
      clientSecret: this.configService.get<string>('AZURE_CLIENT_SECRET'),
      callbackURL: this.configService.get<string>('AZURE_CALLBACK_URL'),
      authorizationURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
      tokenURL: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
      scope: [
        'openid',
        'User.Read',
        'profile',
        'email',
        'Mail.Read',
        'Mail.ReadBasic',
      ],
    });
  }

  async validate(
    accessToken: string,
    refreshToken: string,
    params: any,
    profile: any,
    done: VerifyCallback
  ): Promise<any> {
    try {
      const userProfile = await this.getUserProfile(accessToken);
      const user = await this.authService.validateUser(userProfile);
      if (!user) {
        throw new UnauthorizedException();
      }
      done(null, user);
    } catch (error) {
      done(error, false);
    }
  }

  async getUserProfile(accessToken: string): Promise<any> {
    const graphUrl = 'https://graph.microsoft.com/v1.0/me';
    const response = await axios.get(graphUrl, {
      headers: {
        Authorization: `Bearer ${accessToken}`,
      },
    });
    return response.data;
  }
}
    1 person found this answer helpful.
  2. Shivam Dhiman 6,081 Reputation points
    2023-03-20T02:37:21.18+00:00

    Hi @Site Salt

    Error 401 Unauthorized 'OrganizationFromTenantGuidNotFound' generally occurs when your Azure AD does not have Office 365 account to work.
    As per the last screenshot, the account which you are trying to access is not present in your tenant. Please make sure, user which you are trying to access is present in your tenant and have valid subscription.

    Also, to get Mailbox of User (if not shared) you need to use Application permissions.

    Hope this helps.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment"

  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.