How to resolve 401 for Graph API https://graph.microsoft.com/v1.0/me/todo/lists

Simon B 20 Reputation points
2024-08-07T01:01:10.4066667+00:00

Hey,

I've created an application which works with the OAuth authentication flow to run Graph APIs delegated on behalf of the user. My authorization flow works fine, with the user having to consent to the required permissions.
The access token which I get has the following scope:

The resulting access token works fine for https://graph.microsoft.com/v1.0/me

but https://graph.microsoft.com/v1.0/me/todo/lists always fails with 401 Unauthorized.
Application is configured for:
[screenshot]

I've decoded the token via jwt.ms but cannot find any issue with it.

Header:

{
  "typ": "JWT",
  "nonce": "XVUwjH0MSe12pi7yLVR_XT50eYDGQQPqw8CKdxbHans",
  "alg": "RS256",
  "x5t": "KQ2tAcrE7lBaVVGBmc5FobgdJo4",
  "kid": "KQ2tAcrE7lBaVVGBmc5FobgdJo4"
}

Payload:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/[MY_TENANT_ID]/",
  "iat": 1722989537,
  "nbf": 1722989537,
  "exp": 1722993572,
  "acct": 0,
  "acr": "1",
  "aio": "AYQAe/8XAAAAqL0ZLuX29inDvlpA5Gwd9S3t+1U8LK0DH6c3MFaiytkjUMBb95pBER8i9jUpNi/HKFeW7psDiv9PkutLpYNrXJmQvAgYKzLAjh29JbgbG/NMlBCAUKS+F/ORQyi6u8kfggAj7MnI3nT9e/dcH39LZRfdtjaTsLoRsmL7IVxXm2Q=",
  "altsecid": "1:live.com:0003BFFDD309A7AF",
  "amr": [ "pwd", "mfa" ],
  "app_displayname": "Eat Sleep Repeat",
  "appid": "[MY_APP_ID]",
  "appidacr": "1",
  "email": "******@googlemail.com",
  "family_name": "xxxxx",
  "given_name": "Simon",
  "idp": "live.com",
  "idtyp": "user",
  "ipaddr": "[MY_IP_ADDRESS]",
  "name": "XXXX",
  "oid": "[MY_OID]",
  "platf": "3",
  "puid": "10032003AF6B0F67",
  "rh": "0.ARMB13e5fCHNfUq1g9n5l97n0gMAAAAAAAAAwAAAAAAAAAATAYE.",
  "scp": "Calendars.Read Tasks.ReadWrite User.Read profile openid email",
  "signin_state": [ "kmsi" ],
  "sub": "4bVb9RrEzFMI5yUkUo873H8GP9Y1RNfv1PZMEthJNig",
  "tenant_region_scope": "EU",
  "tid": "[MY_TENANT_ID]",
  "unique_name": "XXXXXXX",
  "uti": "G3voec9KR0yUuwYDqj0OAA",
  "ver": "1.0",
  "wids": [ "62e90394-69f5-4237-9190-012177145e10", "b79fbf4d-3ef9-4689-8143-76b194e85509" ],
  "xms_idrel": "1 24",
  "xms_st": { "sub": "_qTiJ_riOzuRMGojxVOvgKv5IVdDtJETm63nMN78S_s" },
  "xms_tcdt": 1722785256,
  "xms_tdbr": "EU"
}

Manifest of my application:


{
	"id": "[ID]",
	"acceptMappedClaims": null,
	"accessTokenAcceptedVersion": null,
	"addIns": [],
	"allowPublicClient": null,
	"appId": "[Application (client) ID]",
	"appRoles": [],
	"oauth2AllowUrlPathMatching": false,
	"createdDateTime": "2024-08-04T21:51:20Z",
	"description": null,
	"certification": null,
	"disabledByMicrosoftStatus": null,
	"groupMembershipClaims": null,
	"identifierUris": [],
	"informationalUrls": {
		"termsOfService": null,
		"support": null,
		"privacy": null,
		"marketing": null
	},
	"keyCredentials": [],
	"knownClientApplications": [],
	"logoUrl": "https://aadcdn.msftauthimages.net/c1c6b6c8-mvt0wqms4gutfewngm7iwquwopp5hf8diwmd1xl1t0g/appbranding/x4xuygxt5ixtbooirhp85ogkwo0ub5ocgzndd-8spdo/1033/bannerlogo?ts=638584071799305155",
	"logoutUrl": null,
	"name": "Eat Sleep Repeat",
	"notes": null,
	"oauth2AllowIdTokenImplicitFlow": false,
	"oauth2AllowImplicitFlow": false,
	"oauth2Permissions": [],
	"oauth2RequirePostResponse": false,
	"optionalClaims": null,
	"orgRestrictions": [],
	"parentalControlSettings": {
		"countriesBlockedForMinors": [],
		"legalAgeGroupRule": "Allow"
	},
	"passwordCredentials": [
		{
			"customKeyIdentifier": null,
			"endDate": "2025-02-01T23:56:48.646Z",
			"keyId": "[KEY_ID]",
			"startDate": "2024-08-05T22:56:48.646Z",
			"value": null,
			"createdOn": "2024-08-05T22:56:50.4459586Z",
			"hint": "mU0",
			"displayName": "DFLT_CRED2"
		},
		{
			"customKeyIdentifier": null,
			"endDate": "2025-02-01T23:54:02.239Z",
			"keyId": "[KEY_ID]",
			"startDate": "2024-08-05T22:54:02.239Z",
			"value": null,
			"createdOn": "2024-08-05T22:54:06.1710153Z",
			"hint": "5_h",
			"displayName": "DFLT_CRED"
		}
	],
	"preAuthorizedApplications": [],
	"publisherDomain": "[MY_DOMAIN]",
	"replyUrlsWithType": [
		{
			"url": "[MY_URL]/get-token",
			"type": "Web"
		}
	],
	"requiredResourceAccess": [
		{
			"resourceAppId": "00000003-0000-0000-c000-000000000000",
			"resourceAccess": [
				{
					"id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42",
					"type": "Scope"
				},
				{
					"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
					"type": "Scope"
				},
				{
					"id": "2219042f-cab5-40cc-b0d2-16b1540b4c5f",
					"type": "Scope"
				},
				{
					"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
					"type": "Scope"
				}
			]
		}
	],
	"samlMetadataUrl": null,
	"signInUrl": null,
	"signInAudience": "AzureADMyOrg",
	"tags": [],
	"tokenEncryptionKeyId": null
}

What do I need to change to get https://graph.microsoft.com/v1.0/me/todo/lists to work? - Thanks!

Microsoft Security | Microsoft Graph
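The decoded token above carries the clues a practitioner checks before touching the app registration: audience, validity window, granted scopes, and, most telling here, idp=live.com together with an organisational tid, i.e. a personal Microsoft account signed in as a guest of the work tenant. The script below is an added example, not code from the original post; it re-encodes the question's claims into a constructed sample token (with a placeholder tenant ID and a dummy signature), decodes it without signature verification, and lists the findings that explain a Graph 401. The consumers tenant ID it compares against is the well-known ID of the personal-account tenant.

```python
"""Offline triage of a Microsoft Graph access token that gets 401 on /me/todo/lists.

Added example, not code from the original post. The token is decoded locally WITHOUT
verifying the signature: fine for inspecting your own token, never for authorising a request.
"""
import base64
import json
import time

# Graph accepts either form of its audience in the aud claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Well-known tenant ID of the personal Microsoft account ("consumers") tenant.
CONSUMERS_TID = "9188040d-6c67-4c5b-b112-36a304b66dad"
# Either delegated scope allows GET /me/todo/lists.
TASK_LIST_SCOPES = {"Tasks.Read", "Tasks.ReadWrite"}


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def triage_graph_token(payload, now=None):
    """List the reasons Graph would reject this token for /me/todo/lists; empty means none found."""
    now = int(time.time()) if now is None else now
    findings = []
    if payload.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud is {payload.get('aud')!r}, not Microsoft Graph")
    if now >= int(payload.get("exp", 0)):
        findings.append(f"token expired at exp={payload.get('exp')} (now={now}); "
                        "get a fresh one with the refresh token")
    if now < int(payload.get("nbf", 0)):
        findings.append("token not yet valid (nbf is in the future); check clock skew")
    granted = set(payload.get("scp", "").split())
    if not granted & TASK_LIST_SCOPES:
        findings.append(f"scp={payload.get('scp')!r} lacks Tasks.Read or Tasks.ReadWrite")
    if payload.get("idp") == "live.com" and payload.get("tid") != CONSUMERS_TID:
        findings.append(
            "personal account (idp=live.com) signed in as a guest of an organisational tenant "
            f"(tid={payload.get('tid')}); the account's To Do lists are only reachable with a "
            "token issued by https://login.microsoftonline.com/consumers"
        )
    return findings


def build_sample_token():
    """Constructed sample: the claims from the question, a placeholder tenant ID, a dummy signature."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "KQ2tAcrE7lBaVVGBmc5FobgdJo4"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/org-tenant-id-redacted/",
        "iat": 1722989537, "nbf": 1722989537, "exp": 1722993572,
        "idp": "live.com", "idtyp": "user",
        "scp": "Calendars.Read Tasks.ReadWrite User.Read profile openid email",
        "tid": "org-tenant-id-redacted",  # placeholder for the redacted [MY_TENANT_ID]
        "ver": "1.0",
    }
    segments = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(build_sample_token())
    print("alg:", hdr["alg"], "| scp:", claims["scp"])
    # 1722990000 lies inside the sample token's validity window, so only the tenant finding fires.
    for finding in triage_graph_token(claims, now=1722990000):
        print("-", finding)
```

Run it against a real token by replacing build_sample_token() with the string from your token response; the aud/exp/scp checks cover the generic causes of a 401, and the idp/tid check is the one that matches this question.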

Answer accepted by question author
  1. Anonymous
    2024-08-12T08:33:16.7266667+00:00

    @Simon B Thank you for sharing the solution.

    Question:

    When a personal account accesses the Graph API using the auth code flow, the correct permissions are granted and access to the /me endpoint is normal, but access to /me/todo/lists always fails with a 401 Unauthorized error.

    Solution:

    Switched supported account types to personal accounts only: [screenshot]

    Made sure that all calls no longer go to my Directory (tenant) ID but rather to the consumers tenant, e.g.

    https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize

    https://login.microsoftonline.com/consumers/oauth2/v2.0/token

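The fix in the accepted answer (and in Simon B's own answer below) is a change of authority: the tenant segment of the login URL decides who may sign in, and "consumers" restricts it to personal Microsoft accounts. The following is an added example, not the poster's code, showing the whole authorization-code flow against that authority with PKCE and a state check, built offline as URLs and form bodies you pass to your own HTTP client. The client ID, secret and the redirect URI https://app.example/get-token are placeholders; the scope list assumes the app wants Tasks.ReadWrite plus offline_access for a refresh token.

```python
"""Authorization-code + PKCE flow against the personal-account (consumers) authority.

Added example, not code from the original post. Everything here is pure request
construction, so it runs offline; send the results with your own HTTP client.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The tenant segment selects who may sign in: "consumers" = personal accounts only,
# a tenant ID = that organisation only, "common" = both. The question's 401 went away
# once the token was requested here instead of at the organisational tenant.
AUTHORITY = "https://login.microsoftonline.com/consumers"
GRAPH = "https://graph.microsoft.com/v1.0"
# Delegated scopes for this app (assumed); offline_access is what yields a refresh token.
SCOPES = ["User.Read", "Tasks.ReadWrite", "offline_access"]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce():
    """Fresh verifier (43 chars, inside the RFC's 43..128 range) and its challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id, redirect_uri, state, code_challenge, authority=AUTHORITY):
    """Step 1: the URL the browser is sent to. Store state in the session for step 2."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back to the reply URL and return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale login, discard this callback")
    return query["code"][0]


def build_token_request(client_id, redirect_uri, code, code_verifier,
                        client_secret=None, authority=AUTHORITY):
    """Step 3: token endpoint and form body to POST. Only server-side (Web) apps send a secret."""
    form = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": " ".join(SCOPES),
    }
    if client_secret:
        form["client_secret"] = client_secret
    return f"{authority}/oauth2/v2.0/token", form


def graph_request(access_token, path="/me/todo/lists"):
    """Step 4: the call that failed in the question, as (url, headers)."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return f"{GRAPH}{path}", headers


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    # Placeholder client ID and reply URL; use the values from your app registration.
    print(build_authorize_url("<client-id>", "https://app.example/get-token", state, challenge))
    # After the browser returns to /get-token?code=...&state=...:
    #   code = parse_callback(callback_url, state)
    #   url, form = build_token_request("<client-id>", "https://app.example/get-token",
    #                                   code, verifier, "<client-secret>")
    #   POST form to url, then GET graph_request(access_token)[0] with the returned headers.
```

Two things have to line up with the registration for this to work: the manifest's signInAudience must admit personal accounts (PersonalMicrosoftAccount, or AzureADandPersonalMicrosoftAccount if you also keep work accounts), otherwise the consumers authority rejects the client, and the redirect URI passed in steps 1 and 3 must match the registered reply URL exactly.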

4 additional answers

  1. Anonymous
    2024-08-07T01:43:50.43+00:00

    Hi @Simon B

    Your parsed token looks fine, but there is still a 401 error. Please check whether the token is invalid or has expired; generally, the validity period of the token is 1 hour. After it expires, use the refresh token to obtain a new token and try again.

    You can also try testing it in Graph Explorer first. After testing, grant the Tasks.Read permission to your application, and you will be able to list task lists normally.

    Reference documents are as follows:

    https://learn.microsoft.com/en-us/graph/resolve-auth-errors#401-unauthorized-error-is-your-token-valid

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Simon B 20 Reputation points
    2024-08-09T23:26:18.8766667+00:00

    I've got it resolved for my use case.

    Switched supported account types to personal accounts only: [screenshot]

    Made sure that all calls no longer go to my Directory (tenant) ID but rather to the consumers tenant, e.g.
    https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize

    https://login.microsoftonline.com/consumers/oauth2/v2.0/token


