I'm having an Error Authenticating with resource when trying to use Microsoft Graph.

Question

My organization wants to create a shared PTO calendar and then pull the events from that calendar to populate a calendar in our company portal.

I'm using Microsoft Authentication Library for Angular. I'm able to login and actually retrieve my profile from the Microsoft Graph API.

In the attached image are the current permissions I have setup in the app registration in Azure.

When trying to reach out to one of the calendar endpoints with the same token that contains all of the scopes I need, I just get a response "Error authenticating with resource". We also do have an active MS 365 license.

I've followed this documentation https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular-auth-code as well as https://learn.microsoft.com/en-us/graph/api/calendar-get?view=graph-rest-1.0&tabs=http for which permissions I would need to reach this endpoint. I'm able to get a response when logged into the graph explorer at https://developer.microsoft.com/en-us/graph/graph-explorer I'm not able to get a response using a tool like Postman either after following this guide https://learn.microsoft.com/en-us/graph/use-postman, but I can get my profile using postman as well. I can get a response using a custom request if I copy the Access token from the Graph Explorer and just put it in the authorization header of my request.

I also went through the Authorization-1 example here: https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main and had the same issue when trying to reach the contacts endpoint after following the instructions.

I've even gone as far as copying my token that I get assigned from my authorization request into https://jwt.ms to verify that the scopes that I've defined for the Calendar endpoints are attached to my token.

Here is the response body I get back from the graph API requests with a 400 error

{
    "error": {
        "code": "AuthenticationError",
        "message": "Error authenticating with resource",
        "innerError": {
            "date": "2023-10-04T15:14:42",
            "request-id": "387fc7a4-4940-4404-8fba-a39d029d420a",
            "client-request-id": "901d8a36-b813-4556-7f5c-299b06a1a523"
        }
    }
}

Any help or guidance would be appreciated. Thank you in advance!

Answer 1

Because you are using delegate permissions, the effective permissions are the cross-section of the permissions granted to the app and those granted to the user under which you run the app. In other words, the user itself must have permissions to access the calendar(s) in question.

Are you using the same user in both the Graph explorer and Postman? If using different users, double-check the calendar permissions for the respective mailbox(es) and make sure appropriate delegation entries are added. If using the same one, double-check all the auth-related variables, and if needed compare both tokens to see which claims differ therein.

Alternatively consider using application permissions, which are unrestricted.