MS Graph Contacts Error: ErrorInvalidUser

Question

MS Graph Contacts Error: ErrorInvalidUser

d6 0

Hello,

I have a bot that updates all company contacts to ensure everyone has up-to-date information, including on their phones. The bot is a multi-tenant application that has received admin consent from foreign tenants for the following permissions: Contacts.ReadWrite (Application) and User.Read (Delegated).

The issue I'm encountering is that while the bot works perfectly for users within our tenant, it fails to access contacts for users in foreign tenants. I understand that the problem might be related to the fact that the requested user is not part of our tenant. Despite adding them as guests, this did not resolve the issue.

Here are the details of what I have tried:

I used the URL https://login.microsoftonline.com/{{tenantID}/oauth2/v2.0/token, where tenantID corresponds to the tenant where the application resides.
I also attempted authentication with different tenantIDs. Although this resulted in losing access to users from other tenants, I did not gain access to users in the intended tenant.
Authentication consistently provided a valid Access Token without issues.

My questions are:

Am I missing something in the configuration or authentication process?
What additional steps should I take to ensure that the bot can access user contacts across different tenants?
Are there specific settings or permissions that need to be addressed for foreign tenants?

Any guidance or suggestions would be greatly appreciated!

Thank you

0 comments

1 answer

Your answer

Answer 1

CarlZhao-MSFT 46,456

Hi @d6

Once the global administrator of the target tenant approves your multi-tenant application, it will be added as an enterprise application to the target tenant. At this time, you will be able to request tokens to access the contacts of users in the target tenant.

Please note that when requesting tokens, you need to change the tenant ID to the target tenant’s ID.

POST /{id of the target tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com:443
Content-Type: application/x-www-form-urlencoded

client_id=00001111-aaaa-2222-bbbb-3333cccc4444
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials

Additionally, you need to ensure that the users in the target tenant have MS 365 licenses.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

d6 0 Reputation points

2024-08-12T10:36:36.8333333+00:00

Hello

Thank you for pointing me to the right direction.
I see that I will have to request multiple access tokens.
I will continue troubleshooting as even with the other tenant authentication flow, I still receive an invalid user.

I am assuming that the targeted tenant has its users covered with a MS 365 license since they do have access to the entire office fleet but I will ask to make sure.
d6 0 Reputation points

2024-08-12T12:27:21.47+00:00

Thank you Carl. I did understand it a bit wrong and I will need multiple Access Tokens if I want to get contacts from multiple tenants. It still gives me the ErrorInvalidUser sadly.

The Authentication Flow did give me a token. They do have a 365 Business Standard License. Not sure what I am missing at this point as the other tenant where the app resides, works just fine. Could it be that I need additional Permissions like Application.User.Read or something? The graph docs, show that is should already be working.

Share via

MS Graph Contacts Error: ErrorInvalidUser

1 answer

Your answer