Use metered API with on-behalf-of authentication

Valentyn Derkach 0 Reputation points
2024-09-11T09:07:28.47+00:00

We are calling MS Graph API endpoints that require metered APIs to be enabled (e.g. assignSensitivityLabel). The Microsoft.GraphServices/accounts resource for our app has been created according to the documentation. The call works fine when we use the client credentials flow, but it returns a 402 Payment Required error when we use the on-behalf-of flow.

In both flows we pass our app ID as client_id and set the scope to https://graph.microsoft.com/.default. The app token has the following claims:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "app",
  "roles": [
    "Sites.Selected",
    "Sites.ReadWrite.All",
    "Mail.Send"
  ],
  "tid": "{tenantId}"
}

User token:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "user",
  "scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read User.Read.All profile openid email",
  "tid": "{tenantId}"
}

The error returned by the assignSensitivityLabel endpoint when invoked with the user JWT is:

{
  "error": {
    "code": "paymentRequired",
    "message": "Payment Required. Ensure that your application is able to call this premium API.For details see https://aka.ms/graph-metered-overview"
  }
}

In addition, we are able to invoke https://{tenantId}.sharepoint.com/_api/v2.1/drives/{driveId}/items/{itemId}/setSensitivityLabel with a user JWT that we specifically obtain for the SharePoint API via the on-behalf-of flow. That call doesn't return any errors.

Is there any chance of getting it working with the on-behalf-of flow?
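As an added example (not code from the original post or from Microsoft), the following script shows the two token requests the question compares and a claim-level preflight check that tells an app-only token apart from a delegated one before a metered endpoint is called. The grant_type, assertion and requested_token_use parameters are the standard Microsoft identity platform v2.0 token endpoint parameters; the client ID, secret and user assertion are placeholders, and the sample tokens are constructed here, unsigned, from the claim sets shown above. The helper names (preflight, describe_token, make_unsigned_jwt) are this example's own.

```python
"""Added example: token request bodies for the client credentials and
on-behalf-of flows, plus an offline inspection of the resulting Graph token.
Placeholder credentials and constructed, unsigned sample tokens throughout."""
import base64
import json

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_body(client_id, client_secret, scope=GRAPH_DEFAULT_SCOPE):
    """Form body for the client credentials grant (yields an app-only token)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }


def on_behalf_of_body(client_id, client_secret, user_assertion, scope=GRAPH_DEFAULT_SCOPE):
    """Form body for the on-behalf-of grant: exchanges the incoming user token
    (the assertion) for a delegated token to the downstream API (Graph here)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(jwt: str) -> dict:
    """Read a JWT payload for inspection only. The signature is NOT verified,
    so never base an authorization decision on this; the resource server does
    that. Raises ValueError on anything that is not a three-part compact JWS."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(claims: dict) -> dict:
    """Classify a Graph token and collect its effective permissions.
    App-only tokens carry idtyp=app and application permissions in 'roles';
    delegated tokens carry idtyp=user and space-separated scopes in 'scp'."""
    idtyp = claims.get("idtyp")
    if idtyp == "app":
        flow, perms = "app-only", set(claims.get("roles", []))
    elif idtyp == "user":
        flow, perms = "delegated", set(claims.get("scp", "").split())
    else:
        flow, perms = "unknown", set()
    return {"flow": flow, "permissions": perms,
            "appid": claims.get("appid"), "tid": claims.get("tid")}


def preflight(jwt: str, required: str) -> dict:
    """Checks to run before calling a Graph endpoint: which flow produced the
    token and whether it carries the permission the endpoint needs. This
    separates a missing-permission failure from a billing/licensing one."""
    info = describe_token(decode_claims(jwt))
    info["has_required"] = required in info["permissions"]
    return info


def make_unsigned_jwt(claims: dict) -> str:
    """Test fixture only: header.payload with an empty signature. Real tokens
    are signed by the identity provider and must be verified by the resource."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens carrying the permission claims from the question.
APP_TOKEN = make_unsigned_jwt({
    "appid": "{applicationId}", "idtyp": "app", "tid": "{tenantId}",
    "roles": ["Sites.Selected", "Sites.ReadWrite.All", "Mail.Send"],
})
USER_TOKEN = make_unsigned_jwt({
    "appid": "{applicationId}", "idtyp": "user", "tid": "{tenantId}",
    "scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read "
           "User.Read.All profile openid email",
})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, preflight(tok, "Sites.ReadWrite.All"))
```

Both sample tokens pass the permission check for Sites.ReadWrite.All, which matches the question: the delegated token is not short of a scope, so the 402 is not a permissions failure but comes from how the metered call is billed for that token type.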


Hitesh Pachipulusu - MSFT 2,145 Reputation points Microsoft Vendor
2024-09-13T13:18:54.13+00:00

Hello Valentyn Derkach,

Thank you for contacting Microsoft Support!

The 402 Payment Required error you’re encountering with delegated permissions when calling the assignSensitivityLabel endpoint indicates that the user token might not be properly licensed for the metered API. Here are a few steps you can take to resolve this issue:

1. Verify Licensing: Ensure that the user account has the necessary licenses to access the metered API. The error message suggests checking the Graph metered API overview for details on required licenses.
2. Check Permissions: Confirm that the delegated permissions granted to the user include the necessary scopes for the metered API. The user token should have the appropriate permissions to perform the action.
3. Billing Setup: Make sure that your Azure billing subscription is correctly set up for the application. This includes setting up a payment model for each API request of a metered API.
4. Consent: Ensure that the user has consented to the required permissions.

Hope this helps!

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

