MS Graph 1.0 API getting different results when using PHP auth

Question

I am creating a PHP app that grabs users from Azure/Office365

I use the below code for the floe

"https://login.microsoftonline.com/" . $ad_tenant . "/oauth2/v2.0/authorize?"

and then

"https://login.microsoftonline.com/" . $ad_tenant . "/oauth2/v2.0/token" to get the access token - which works.

I then query the 'https://graph.microsoft.com/beta/users' API and get results.

BUT

When i use the https://developer.microsoft.com/en-us/graph/graph-explorer with the same api - I get more results

The only difference is the access-token.

When i use the access token from Graph Explorer I get more results than with my PHP gathered access-token.

What is the difference, what am I missing ???

It seems my PHP code is only getting the users from my Azure instance but the graph one is getting from Azure and Office 365.

Ideally I want just Office365 via my PHP code

Any ideas ??

Answer 1

Hello James Inger,
Thank you for reaching out.

The difference in results could be due to the permissions granted by the access token in each case.

In the Microsoft identity platform, you specify permissions that your app needs to access certain resources and the access token returned to your app is then limited to those permissions.

The access token used in your PHP app might have granted permission to access users in your Azure instance, on the other hand the access token used in Graph Explorer has been granted additional permissions to access users in Office 365 as well.

Could you please check your scope in the PHP app, "User.Read.All" or "User.ReadWrite.All" scope, which provides access to all users in the organization, including those in Office 365.

Thanks