Azure app with python, not able to run graph queries related to VMs, how to fix that?

Uday Kiran Reddy (ureddy) 96 Reputation points
Sep 24, 2023, 8:40 AM

Azure app I am testing the code:

I have used app registration quickstart options and registered an app and downloaded the code from below image.

User's image

I am able to log in to my organization account (SSO) using this Python code.

I am also able to test this Graph API and fetch the results in JSON:

ENDPOINT = 'https://graph.microsoft.com/v1.0/users'
ENDPOINT_ME = 'https://graph.microsoft.com/v1.0/me'

But for the endpoint below, I am getting an access denied error.

ENDPOINT_VMS = 'https://graph.microsoft.com/v1.0/me/drive/root/search(q=\'kind:vm\')'

Didn't work with double quotes also.

Also, I have provided subscription level contributor access to the app registration.

{
    "error": {
        "code": "accessDenied",
        "innerError": {
            "client-request-id": "0542ed08-8415-4259-bf9a-873e5e3e7642",
            "date": "2023-09-24T08:38:38",
            "request-id": "0542ed08-8415-4259-bf9a-873e5e3e7642"
        },
        "message": "Access denied"
    }
}

1 answer

  1. Danstan Onyango 3,901 Reputation points Microsoft Employee
    Oct 4, 2023, 7:33 AM

    As per your request, the scopes in the token used are openid profile User.ReadBasic.All email

    This explains the 403 error, because you called GET me/drive/root/search(q='kind:vm'), which as per Search Drive Files requires one of the permissions below:

    Delegated (work or school account): Sites.Read.All, Sites.ReadWrite.All
    Delegated (personal Microsoft account): Sites.Read.All, Sites.ReadWrite.All
    Application: Sites.Read.All, Sites.ReadWrite.All

    To solve the error, go to your application in the Entra portal and add the required permissions.

    See https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

    You need to add them to the delegated permissions.
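
The check the answer describes (comparing the scopes carried in the access token with the permissions the endpoint requires) can be reproduced locally; this is an added example, not code from the thread or from Microsoft. The function names and the unsigned sample tokens are constructed for illustration, and the payload is decoded without signature verification, so it is for diagnostics only.

```python
import base64
import json

# Permissions the answer lists for GET /me/drive/root/search(q='...').
REQUIRED_ANY = {"Sites.Read.All", "Sites.ReadWrite.All"}


def b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated tokens carry a space-separated 'scp'; app-only tokens a 'roles' list."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def missing_for_search(jwt: str) -> set:
    """Empty set if the token holds at least one required permission; otherwise
    the permissions of which one must be added to the app and consented."""
    granted = granted_permissions(token_claims(jwt))
    return set() if granted & REQUIRED_ANY else set(REQUIRED_ANY)


def make_sample_token(scp: str) -> str:
    """Constructed, unsigned sample token (not a real Graph token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"aud": "https://graph.microsoft.com", "scp": scp}).encode())
    return f"{header}.{body}.sig"


if __name__ == "__main__":
    # Scopes as reported in the answer, then the same token after adding Sites.Read.All.
    before = make_sample_token("openid profile User.ReadBasic.All email")
    after = make_sample_token("openid profile User.ReadBasic.All email Sites.Read.All")
    print("before consent, missing one of:", sorted(missing_for_search(before)))
    print("after consent, missing:", sorted(missing_for_search(after)))
```

After adding the permission in the portal, a new token has to be acquired with the added scope requested before the `scp` claim changes.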

