How to add test users to test OAuth with Microsoft AD / Entra

Dummy 0 Reputation points
2023-10-07T07:14:11.6566667+00:00

Hi,
I have registered an application in Microsoft Entra to integrate OAuth 2.0 with my application. I had chosen to allow "Any organization directory and any personal account" while registering the application.
OAuth is working fine, and I needed to test it by using a personal Microsoft account. So I added that account as an external user in Entra admin center.
But when I login using that account, I am not able to fetch the contacts of that user using Graph API. However, I am able to fetch user details from https://graph.microsoft.com/v1.0/me/ which means the token is working.
https://graph.microsoft.com/v1.0/me/contacts
I am getting the below error when trying to fetch the contacts from the above endpoint. I have added all the necessary scopes, please see the screenshot below.

https://prnt.sc/Ykq5gIFDc1UO

Prior thanks for any help!

{
  "error": {
    "code": "AuthOMMissingRequiredPermissions",
    "message": "The AadGuestPft token doesn't contain the permissions required by the target API for calling app 'a1d1ba6f-d08a-4cdb-a806-b1dc11763af4'.",
    "innerError": {
      "oAuthEventOperationId": "4b702694-970f-4fc5-8e11-b78e90a67e44",
      "oAuthEventcV": "nhp8Qga17ME8ys/KWv4ZHg.1.1",
      "errorUrl": "https://aka.ms/autherrors#error-InvalidGrant",
      "requestId": "5eca07e4-93ed-452a-b3e6-3be5a96a5615",
      "date": "2023-10-07T07:02:57"
    }
  }
}
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Other

1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2023-10-10T17:54:39.2366667+00:00

    Hi @Dummy , "AuthOMMissingRequiredPermissions" indicates that the token you are using does not contain the required permissions for the target API.

    To resolve this issue, you should ensure that you have added the necessary permissions (scopes) to your application registration in Azure Active Directory. In particular, you should include the Contacts.Read permission for Microsoft Graph.

    Additionally, make sure that the user or administrator has consented to use the application with the required permissions. If the user has not granted consent, you may need to send an interactive authorization request for the user and resource.

    After updating the permissions and ensuring consent, try fetching the contacts again using the Microsoft Graph API endpoint.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

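The answer makes two points that are easy to get wrong in practice: on the v2.0 endpoint a permission added to the app registration only ends up in the token if the client actually requests that scope, and the user (or an admin) must have consented to it. The following Python example, added here and not part of the original question or answer, shows how a client requests the scopes it needs (with PKCE and a state value, as any public client should), and how it checks the `scope` field of the token response for `Contacts.Read` before calling `/me/contacts`, going back for consent instead of hitting the `AuthOMMissingRequiredPermissions` error. The client ID, redirect URI and the token response are constructed placeholders, not values from the post.

```python
"""Request the Graph scopes /me/contacts needs and verify the token carries them.

Added example; not code from the question or answer above.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values, not the poster's registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8080/callback"
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"

# Delegated scopes the app needs: User.Read covers /me, Contacts.Read covers
# /me/contacts. openid/profile/offline_access are the usual OIDC extras.
REQUIRED_SCOPES = ("User.Read", "Contacts.Read")
REQUESTED_SCOPES = ("openid", "profile", "offline_access") + REQUIRED_SCOPES


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) as in RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(scopes, state: str, code_challenge: str,
                        force_consent: bool = False) -> str:
    """Build the v2.0 authorization request.

    Scopes on the v2.0 endpoint are dynamic: a permission that exists only in
    the app registration but is not listed here will not be in the token.
    prompt=consent re-shows the consent screen, which is what you want after
    adding a scope the user has not yet approved.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # CSRF protection for the redirect
        "code_challenge": code_challenge,    # PKCE, binds the code to this client
        "code_challenge_method": "S256",
    }
    if force_consent:
        params["prompt"] = "consent"
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def scopes_in_auth_url(url: str) -> set[str]:
    """Scopes a given authorization URL actually asks for (useful in tests)."""
    qs = parse_qs(urlparse(url).query)
    return set(qs.get("scope", [""])[0].split())


def missing_scopes(token_response: dict, required=REQUIRED_SCOPES) -> set[str]:
    """Scopes from `required` that the token endpoint did not grant.

    The token endpoint's JSON carries a space-separated `scope` string with
    what was actually granted. Check that, rather than decoding the Graph
    access token, which is issued for Graph and opaque to the client.
    """
    granted = token_response.get("scope", "").split()
    # Scopes may come back with or without the resource prefix; compare the
    # bare name, case-insensitively.
    granted_names = {s.rsplit("/", 1)[-1].lower() for s in granted}
    return {s for s in required if s.lower() not in granted_names}


def next_step(token_response: dict) -> str:
    """Decide whether to call Graph or go back through consent first."""
    missing = missing_scopes(token_response)
    if missing:
        return "reauthorize:" + " ".join(sorted(missing))
    return "call:https://graph.microsoft.com/v1.0/me/contacts"


# Constructed sample token response (no real token): the user consented to
# User.Read only, so /me succeeds while /me/contacts would be refused, which
# is the situation described in the question.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "openid profile User.Read",
    "expires_in": 3599,
    "access_token": "eyJ...redacted...",
}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(REQUESTED_SCOPES, state, challenge, force_consent=True))
    print(next_step(SAMPLE_TOKEN_RESPONSE))
```

In a real flow the `code_verifier` from `make_pkce_pair` is sent with the authorization code to `/token`, and the `state` is compared against the one stored in the session before the code is redeemed; the check in `missing_scopes` runs on the JSON that `/token` returns, so a scope dropped at consent time is caught before the first Graph call rather than surfacing as a 403 from the API.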
