Graph Api Invitation guest user permission

Romano, Andrea 0 Reputation points
2023-12-18T09:27:53.81+00:00

Good morning,

we have a problem with the Invite Graph API (POST https://graph.microsoft.com/v1.0/invitations). Our sandbox application has this permission:

[screenshot: the application's Graph API permissions]

Now we have tried to send this content and I always receive the response below with insufficient permission. Our application is a multi-tenant application and with other Graph APIs I have no problems. Can someone help me?

{
               "RequestHeaders": {
                              "Authorization": "[\"Bearer *****\"]",
                              "Cache-Control": "[\"no-cache\"]",
                              "Accept": "[\"application/json\"]",
                              "MS-RequestId": "[\"9f739c9a-b154-42e6-8b78-fb14a15069dc\"]",
                              "MS-CorrelationId": "[\"f0524da7-e5cc-436a-96b8-2c9fe31777c6\"]",
                              "MS-Contract-Version": "[\"v1\"]",
                              "X-Locale": "[\"it-IT\"]"
               },
               "RequestProperties": {},
               "RequestContent": "{\"InvitedUserDisplayName\":null,\"InvitedUserMessageInfo\":{\"CcRecipients\":[{\"EmailAddress\":{\"Address\":\******@test.com\,\"Name\":\"Test\"}}],\"CustomizedMessageBody\":null,\"MessageLanguage\":\"Italian (Italy)\"},\"InvitedUserType\":null,\"InviteRedeemUrl\":null,\"ResetRedemption\":false,\"Status\":null,\"InvitedUserEmailAddress\":\******@test.com\,\"InviteRedirectUrl\":\https://****/graph/invitations/redirect?user=******@test.com\,\"SendInvitationMessage\":true}"
}

{
               "ResponseHeaders": {
                              "Transfer-Encoding": "[\"chunked\"]",
                              "Strict-Transport-Security": "[\"max-age=31536000\"]",
                              "request-id": "[\"03259cb9-a3ef-48be-ac47-d30060c36a96\"]",
                              "client-request-id": "[\"03259cb9-a3ef-48be-ac47-d30060c36a96\"]",
                              "x-ms-ags-diagnostic": "[\"{\\\\\"ServerInfo\\\\\":{\\\\\"DataCenter\\\\\":\\\\\"Switzerland North\\\\\",\\\\\"Slice\\\\\":\\\\\"E\\\\\",\\\\\"Ring\\\\\":\\\\\"5\\\\\",\\\\\"ScaleUnit\\\\\":\\\\\"002\\\\\",\\\\\"RoleInstance\\\\\":\\\\\"ZR2PEPF000000C7\\\\\"}}\"]",
                              "Cache-Control": "[\"no-store, must-revalidate, no-cache\"]",
                              "Date": "[\"Wed, 13 Dec 2023 09:53:08 GMT\"]"
               },
               "ResponseResult": "{\"error\":{\"code\":\"Unauthorized\",\"message\":\"Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/api/62e5b718-62de-4db7-a266-95607648b40b/invites\",\"innerError\":{\"request-id\":\"03259cb9-a3ef-48be-ac47-d30060c36a96\",\"date\":\"2023-12-13T09:53:08\",\"client-request-id\":\"03259cb9-a3ef-48be-ac47-d30060c36a96\"}}}",
               "IsSuccess": false,
               "ResponseReasonPhrase": "Unauthorized"
}

Microsoft Security | Microsoft Graph

1 answer

  1. Romano, Andrea 0 Reputation points
    2023-12-28T11:42:32.0533333+00:00

    First of all, I call the token endpoint like this

    https://login.microsoftonline.com/common/oauth2/v2.0/token with scope=https://graph.microsoft.com/.default+offline_access

    and this is the access token with all the requested scopes

    [screenshot: the decoded access token with the requested scopes]

    after this I call this endpoint https://login.microsoftonline.com/62e5b718-62de-4db7-a266-95607648b40b/oauth2/v2.0/token to request a new refresh access token with scope https://graph.microsoft.com/.default

    I see that the new token has only "profile openid email" scopes, why?

    I have also tried with the .NET library, but with the same error.

    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;

    var scopes = new[] { "https://graph.microsoft.com/.default" };

    // Values from app registration
    var clientId = "CLIENT_ID";
    var tenantId = "62e5b718-62de-4db7-a266-95607648b40b";
    var clientSecret = "CLIENT_SECRET";

    var options = new ClientSecretCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
    };

    // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential
    var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

    var invitation = new Invitation
    {
        InviteRedirectUrl = "https://...",
        InvitedUserEmailAddress = "andrea.romano@*****.com",
        SendInvitationMessage = true
    };

    // Client credentials flow: the token is app-only, so POST /invitations
    // is authorized by the application permissions ('roles') granted to this app.
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
    var result = await graphClient.Invitations.PostAsync(invitation);

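The thread shows two symptoms of one problem: the app-only call to POST /invitations is rejected with "Insufficient privileges", and the token obtained for https://graph.microsoft.com/.default in the tenant carries only "profile openid email". Both can be read off the access token itself, because a client-credentials token lists its application permissions in the roles claim, a delegated token lists its permissions in the scp claim, and a token whose scp is only the OpenID Connect scopes got no Graph permission from .default. The script below is an added example, not code from the question author or from Microsoft; decode_claims, diagnose_graph_token and the sample tokens are mine, the tokens are constructed with a fake signature, and User.Invite.All is assumed as the application permission the Graph reference lists for POST /invitations. The signature is deliberately not verified: this is a diagnostic for the developer's own token, never a basis for an authorization decision.

```python
import base64
import json

# Identifiers Microsoft Graph uses as the 'aud' claim of its tokens
# (the GUID is the one quoted in the error message in the thread).
GRAPH_AUDIENCES = {"00000003-0000-0000-c000-000000000000", "https://graph.microsoft.com"}
# OpenID Connect scopes that grant no Graph permission at all.
OIDC_ONLY_SCOPES = {"openid", "profile", "email", "offline_access"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, required_permission: str = "User.Invite.All") -> dict:
    """Classify a Graph token and explain why POST /invitations would fail.

    required_permission defaults to User.Invite.All, assumed here to be the
    application permission the Graph reference lists for POST /invitations.
    """
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))            # app-only permissions
    scopes = set(claims.get("scp", "").split())     # delegated permissions
    aud_ok = claims.get("aud") in GRAPH_AUDIENCES

    if scopes:
        token_type = "delegated"
    elif roles:
        token_type = "application"
    else:
        token_type = "no-permissions"

    findings = []
    if not aud_ok:
        findings.append("audience is not Microsoft Graph: token was minted for another resource")
    if token_type == "delegated" and scopes <= OIDC_ONLY_SCOPES:
        findings.append("delegated token with only OpenID Connect scopes: .default returned no Graph "
                        f"permission, so none is consented for this app in tenant {claims.get('tid')}")
    if token_type == "application" and required_permission not in roles:
        findings.append(f"app-only token lacks application permission {required_permission}")
    if token_type == "no-permissions":
        findings.append("token carries neither a 'roles' nor an 'scp' claim")

    return {
        "token_type": token_type,
        "tenant": claims.get("tid"),
        "audience_is_graph": aud_ok,
        "roles": sorted(roles),
        "scopes": sorted(scopes),
        "can_invite": aud_ok and required_permission in (roles | scopes),
        "findings": findings,
    }


def _make_sample_token(payload: dict) -> str:
    """Constructed sample JWT with a fake signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.fake-signature"


# Constructed: the shape of the refreshed token described in the thread
# (only "profile openid email" came back for the .default scope).
DELEGATED_OIDC_ONLY = _make_sample_token({
    "aud": "00000003-0000-0000-c000-000000000000",
    "tid": "62e5b718-62de-4db7-a266-95607648b40b",
    "scp": "email openid profile",
})
# Constructed: an app-only token that POST /invitations would accept.
APP_ONLY_WITH_ROLE = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "62e5b718-62de-4db7-a266-95607648b40b",
    "roles": ["User.Invite.All"],
})

if __name__ == "__main__":
    for label, tok in (("refreshed delegated token", DELEGATED_OIDC_ONLY),
                       ("app-only token", APP_ONLY_WITH_ROLE)):
        print(label)
        print(json.dumps(diagnose_graph_token(tok), indent=2))
```

Run against a real token, the first case (delegated, OIDC scopes only) means the application permissions still need admin consent in the tenant named by tid; the second case (application, required role present) means the token is fine and the rejection has to be looked for elsewhere.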
