Cannot get responses from the MS Graph API

Question

Cannot get responses from the MS Graph API

Jorziño Barradas 20

Hello community,

I am new to APIs and for sure to Microsoft Grant APIs.

I have followed the instructions in the articles below to register a new application.

In one of the articles that explains how to access token is better to use the Microsoft Authentication Library (MSAL) (see third link).

I was able to follow the instructions accordingly and clone the application provided by MS in GitHub (see 4th link).
The request was successful as I have inserted my tenant details successfully in this code and run the file:

{
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "Enter the tenant ID obtained from the Microsoft Entra admin center",
  "ClientId": "Enter the client ID obtained from the Microsoft Entra admin center",
  "ClientCertificates": [
    {
      "SourceType": "StoreWithThumbprint",
      "CertificateStorePath": "CurrentUser/My",
      "CertificateThumbprint": "Enter the certificate thumbprint obtained the Microsoft Entra admin center"
    }   
  ],
  "CallbackPath": "/signin-oidc"
},
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0/",
    "RelativePath": "me",
    "Scopes": [ 
      "user.read" 
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

However, when I change the RelativePath to "me/messages" to get all my emails I received the following error:

An unhandled exception occurred while processing the request.

HttpRequestException: Invalid status code in the HttpResponseMessage: Unauthorized: {"error":{"code":"AuthOMMissingRequiredPermissions","message":"The AadGuestPft token doesn't contain the permissions required by the target API for calling app...

Further, I have also tried to get an access token by running the following link:

https://login.microsoftonline.com/[mytenant]/oauth2/v2.0/token -> (have removed my tenant id but was located at [mytenant]

But I have also getting this message:

Sorry, but we’re having trouble signing you in.

AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request.

Can someone please help me this? I would need to also query this data for other people in my organization.

Any help will be much appreciated.

Instructions Followed

https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http#use-the-microsoft-authentication-library-msal

https://learn.microsoft.com/en-us/graph/auth/auth-concepts

https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-web-app-dotnet-core-sign-in

Accepted answer

0 additional answers

Your answer

Answer 1

Anonymous

Hi @Jorziño Barradas

Accessing /me/messages endpoints requires the app to have delegation permissions

Mail.ReadBasic or Mail.Read.

There are two ways to grant delegation permissions, as follows:

The first way, Grant in a Microsoft Entra ID, as shown below:

User's image

The second way, send a GET request to grant, the request content is as follows:

GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=offline_access user.read mail.read
&state=12345

To get a token, you need to send a POST request, which reads as follows:

POST /{tenant}/oauth2/v2.0/token
client_id={client_id}
&scope=offline_access user.read mail.read
&code={code}
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret={client_secret}

See the link below for more details:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0&tabs=http

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Jorziño Barradas 20 Reputation points

2024-06-19T03:04:53.77+00:00

Hi @Anonymous ,

Thank so much for replying.

I have provided the application those rights from the Entra ID center.
Do you have an email or support account where I can call you through Teams to share my screen?

Please let me know.
Jorziño Barradas 20 Reputation points

2024-06-19T03:05:33.8833333+00:00

If so, please let me know when you will be available through the day?
Anonymous

2024-06-19T07:45:09.87+00:00

Hi @Jorziño Barradas

We can only reply to you in the Q&A forum, our policy do not support calls on teams.
Jorziño Barradas 20 Reputation points

2024-06-19T15:34:12.2066667+00:00
Hi @Anonymous

Thank you for your reply and understood.

TO access the token do I need to run this in Postman, or can I insert the code in the browser?

Furhter, the value in the redirect_uri is default or do I need to provide it my own redirect uri. If I need to provide it my own redirect uri, how can I create this uri?

POST /{tenant}/oauth2/v2.0/token client_id={client_id} &scope=offline_access user.read mail.read &code={code} &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &grant_type=authorization_code &client_secret={client_secret}
Anonymous

2024-06-20T08:44:41.81+00:00

Hi @Jorziño Barradas

Yes, the value of redirect_uri is your custom redirect uri, as shown in the following figure:

More details can be found in this document:

https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-web-app-dotnet-prepare-app?tabs=visual-studio#add-a-platform-redirect-uri

You can refer to this tutorial to implement the user login to get the token:

https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-web-app-dotnet-sign-in-users?tabs=visual-studio#implement-authentication-and-acquire-tokens

Jorziño Barradas 20

Hi @Anonymous ,

I can't thank you enough for helping me with this request.
I have followed the links that you have provided me and I was able to query the data.
I have followed the instructions until the "Tutorial: Call an API and display the results" and I can run the API successfully using my https://localhost:{port} link.

So if I run the project in VS it will display the API results with the localhost link in my browser.

This is good because I want to replicate the same results using a web link.
However, the localhost is a web link but it is not public. I can't access this link if I am not using Visual Studio.

Thus, I would like to convert the localhost link to this link:

https://graph.microsoft.com/v1.0/$metadata#users

Further, I have also followed the guidelines for Registering a web API with the MS identity platform. In this tutorial, I would need to use cURL to run the commands and I still see the localhost link in the URL command, and using cURL would make the process still manual (see code below).

Therefore I have a couple of questions:

How can I convert the https://localhost:{my port} to a web link so that I can run this with Power Automate?
I want to automate the process also for requesting an access token, do I need to migrate the application in VS to Azure to be able to request the access token with Power Automate?

The bottomline is that I want to automate all the requests using Power Automate so that I can update the Power BI dashboard automatically.

If you know another way to automate this, please let me know also.

Thanks again, I really appreciate your help.

curl -X GET https://localhost:{my port}/weatherforecast -ki \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyIsImtpZCI6Ik1HTHFqOThWTkxvWGFGZnBKQ0JwZ0I0SmFLcyJ9.eyJhdWQiOiJhcGk6Ly9iNmZkNDQ2Ni0xYmI0LTQ0ZmUtOTU5NC1hNjk4ZTk5ZGE5ZGYiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8xOTQ0OTAxNS1hMGE2LTRlNjMtYjA5Ni1iNWM0Y2YyZTljZTgvIiwiaWF0IjoxNzE5MzI3NTk3LCJuYmYiOjE3MTkzMjc1OTcsImV4cCI6MTcxOTMzMzE0MywiYWNyIjoiMSIsImFpbyI6IkFWUUFxLzhYQUFBQTNXZmRBNzhvblNDbStUbUxUN3FhZXplVjhIU0ltdmFUSTlFbjdTeHhzWnZiVkxqTG15YWFqYVdoUWF4SjlSRUo2SXM0MzVqUm4yVVdYU2N6WHpHeFp5aUs4THpycmRXcnhkWTlkTDFQY2JBPSIsImFtciI6WyJwd2QiLCJtZmEiXSwiYXBwaWQiOiI2MTU1N2MwZS1lMWYzLTQ2MjktYjkwMC1lYmY2NDMzNjAzZTUiLCJhcHBpZGFjciI6IjEiLCJmYW1pbHlfbmFtZSI6IkJhcnJhZGFzIiwiZ2l2ZW5fbmFtZSI6Ikpvcnppw7FvIiwiaXBhZGRyIjoiMTkwLjQuMTg2LjI2IiwibmFtZSI6Ikpvcnppw7FvIEJhcnJhZGFzIiwib2lkIjoiYmRjMjIyNWItZTE4OS00OGE1LTg5M2MtMGFiYjNjMGNjMTgwIiwicmgiOiIwLkFhZ0FGWkJFR2FhZ1kwNndsclhFenk2YzZHWkVfYmEwR181RWxaU21tT21kcWQtb0FNVS4iLCJzY3AiOiJGb3JlY2FzdC5SZWFkIiwic3ViIjoiRGx5Yi1wSUdPM3oxTXhEV1VYeGx3VWlSVFM3TkUxbm0zcVVic3JabDdyQSIsInRpZCI6IjE5NDQ5MDE1LWEwYTYtNGU2My1iMDk2LWI1YzRjZjJlOWNlOCIsInVuaXF1ZV9uYW1lIjoiSm9yemlub0JhcnJhZGFzQEVUZWNob2xvZ2llcy5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJKb3J6aW5vQmFycmFkYXNARVRlY2hvbG9naWVzLm9ubWljcm9zb2Z0LmNvbSIsInV0aSI6IkY1Z3VkM2NIVFVpeDN2cXBxTmktQVEiLCJ2ZXIiOiIxLjAifQ.COy1HHDEBz_KoRInkg6omik5TGTuodL_PaqLOB47yKLH5wUMgMqkjlxYztqlpxfjuPyJu48tKNartUtxjKu3V4VMInqf-5nEHOG8fXoYlzdQ682K54jiYmx93BwylerITrZb6EPm_fRP1e5Mdq1t_ecKXe1PS_Rofpxv-YlFIlsuQGVXulXD9EB4UqS1RzMBPQKj7M7d6tJG8wrdroBZHza_EeGxMzIWr6_5UgO9P4AT1uKfiuUon7GUsvEtrN1m5CeW71g2xOcu-q0hYcBMTmWHTjgA1Tb3cleuWAJMxVbbIDtUG0ieLjG3xBNIiHdYpf7fvBbBC9r1v290i2Z0_Q"

Anonymous

2024-06-28T07:26:27.43+00:00

Hi @Jorziño Barradas

For your new question, please open a new question and add a hashtag related to your question. If your previous question has been solved, then you can click "Accept the answer", which will help members with similar questions find the answer more easily. Thank you very much!

Share via

Cannot get responses from the MS Graph API

0 additional answers

Your answer