Entra ID: Not able to access `/me` using Graph API for users not under my tenant

Devesh Verma 0 Reputation points
2023-12-21T18:30:07.4433333+00:00

Context: We have created an Entra ID app with which we want users under any tenant to be able to authenticate, so that we can fetch basic details of the user. As of now our app is just configured for the User.Read permission.

Issue: Currently, when a user (from the same tenant as the app) signs in and provides consent to our app, we are able to execute the Graph API /me route and fetch basic details. But for a user who is not in the same tenant as the app, we are able to fetch the ID token, yet when we execute the Graph API /me route we get the error stated below:

Error (exactly as seen on the client side):

The request was denied because one or more scopes requested are unauthorised or expired. The user must first sign in and grant the client application access to the requested scope.

Attaching screenshot of the consent screen:

consentScreen


2 answers

  1. Md Asif Muztaba 325 Reputation points Microsoft External Staff
    2023-12-27T03:53:45.28+00:00

    The issue you’re encountering is related to the scope of permissions granted to your application. When a user from the same tenant as the app signs in and provides consent, your app is able to execute the GRAPH API /me route and fetch basic details. However, when a user from a different tenant tries to do the same, you’re able to fetch the ID TOKEN, but the /me route fails.

    This is because the /me endpoint works in the context of the signed-in user. If the user is not from the same tenant or hasn’t provided the necessary consent, the request will fail.

    One possible solution is to use the user’s user principal name in the current tenant instead of the user principal name in their home tenant.

    Another approach is to use Application permissions instead of Delegated permissions. Application permissions allow you to call the Graph API on behalf of the application, so it doesn’t require users to sign in. However, using Delegated permissions is generally safer since it generates an access token with a limited scope.

    Remember to ensure that the necessary permissions are configured correctly in your Azure AD application, and that users from other tenants have granted the necessary consent to your application.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

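As an added example (not code from the question, the answer, or Microsoft), a small Python check of the claims in the token a client is about to send to Graph: it reports whether the token is an access token for Graph, whether it carries User.Read in the `scp` claim, and whether it was issued by the app's own tenant or by the user's home tenant. The claim names and the two Graph audience values are the standard Entra ID ones; the tenant ids and tokens are constructed placeholders, and no signature verification is performed (it is a local debugging aid, not token validation).

```python
import base64
import json

# The two forms Microsoft Graph's audience takes in an access token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, app_tenant_id: str, required_scope: str = "User.Read") -> list:
    """List reasons a delegated call to Graph /me with this token would fail.

    An empty list means the token looks usable for /me."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        # An ID token (aud = your client id) or a token for another API lands here.
        findings.append(f"audience is {claims.get('aud')!r}, not Microsoft Graph")
    scopes = set(claims.get("scp", "").split())
    if required_scope not in scopes:
        # Delegated scopes live in 'scp'; a missing User.Read matches the reported error.
        findings.append(f"scope {required_scope} not granted (scp={sorted(scopes)})")
    if "tid" in claims and claims["tid"] != app_tenant_id:
        # Expected for a multi-tenant app: the token comes from the guest's home
        # tenant, so consent to the app must exist in that tenant, not yours.
        findings.append(f"issued by tenant {claims['tid']}, not the app's tenant")
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for local testing only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```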
