Use metered API with on-behalf-of authentication

Valentyn Derkach 0 Reputation points
2024-09-11T09:07:28.47+00:00

We are calling MS Graph API endpoints that require metered API to be enabled (e.g. assignSensitivityLabel). The Microsoft.GraphServices/accounts resource for our app has been created according to the documentation. The call works fine when we use the client credentials flow, but it returns a 402 Payment Required error when we use the on-behalf-of flow.

In both flows we pass our app id as client_id and set scope to https://graph.microsoft.com/.default. The app token has the following claims:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "app",
  "roles": [
    "Sites.Selected",
    "Sites.ReadWrite.All",
    "Mail.Send"
  ],
  "tid": "{tenantId}"
}

User token:

{
  "aud": "https://graph.microsoft.com/.default",
  "iss": "https://sts.windows.net/{tenantId}/",
  "idp": "https://sts.windows.net/{tenantId}/",
  "appid": "{applicationId}",
  "idtyp": "user",
  "scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read User.Read.All profile openid email",
  "tid": "{tenantId}"
}

The error returned by the assignSensitivityLabel endpoint when invoked with the user JWT is:

{
  "error": {
    "code": "paymentRequired",
    "message": "Payment Required. Ensure that your application is able to call this premium API.For details see https://aka.ms/graph-metered-overview"
  }
}

In addition, we are able to invoke https://{tenantId}.sharepoint.com/_api/v2.1/drives/{driveId}/items/{itemId}/setSensitivityLabel with a user JWT that we specifically obtain for the SharePoint API via the on-behalf-of flow. That call doesn't return any errors.

Is there any chance to get it working with the on-behalf-of flow?

Microsoft Security | Microsoft Graph

1 answer

    Hitesh Pachipulusu - MSFT 3,640 Reputation points Microsoft External Staff
    2024-09-13T13:18:54.13+00:00

    Hello Valentyn Derkach,

    Thank you for contacting Microsoft Support!

    The 402 Payment Required error you’re encountering with delegated permissions when calling the assignSensitivityLabel endpoint indicates that the user token might not be properly licensed for the metered API. Here are a few steps you can take to resolve this issue:

    1. Verify Licensing: Ensure that the user account has the necessary licenses to access the metered API. The error message suggests checking the Graph metered API overview for details on required licenses.
    2. Check Permissions: Confirm that the delegated permissions granted to the user include the necessary scopes for the metered API. The user token should have the appropriate permissions to perform the action.
    3. Billing Setup: Make sure that your Azure billing subscription is correctly set up for the application. This includes setting up a payment model for each API request of a metered API.
    4. Consent: Ensure that the user has consented to the required permissions.

    Hope this helps!

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
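The question contrasts an app-only token (idtyp=app, roles) with a delegated on-behalf-of token (idtyp=user, scp) and shows the 402 paymentRequired body Graph returns, and the answer lists the checks to run (licensing, permissions, billing, consent). The script below is an added example, not code from the poster or from Microsoft: it decodes constructed sample tokens shaped like the two shown above, classifies which call context Graph will see, checks whether a permission you expect is actually present (answer step 2), and recognises the metered-API 402 so the failing context can be recorded against the billing setup (answer step 3). The tokens, the Sites.ReadWrite.All value used as the expected permission, and the placeholder signature are constructed for the example; the payload is decoded without signature verification, which is fine for local troubleshooting but must never drive an authorization decision.

```python
import base64
import json
from dataclasses import dataclass, field

# URL quoted in the Graph error body on the page.
GRAPH_METERED_DOC = "https://aka.ms/graph-metered-overview"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    This is for local inspection of a token you already hold; unverified
    claims must never be used to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_context(claims: dict) -> str:
    """Classify the caller context as Graph sees it.

    App-only (client credentials) tokens carry idtyp=app and app 'roles';
    delegated (on-behalf-of) tokens carry idtyp=user and a space-separated 'scp'."""
    idtyp = claims.get("idtyp")
    if idtyp == "app" or ("roles" in claims and "scp" not in claims):
        return "app-only"
    if idtyp == "user" or "scp" in claims:
        return "delegated"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    """Union of app roles and delegated scopes present in the token."""
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    return roles | scopes


@dataclass
class Diagnosis:
    context: str
    metered_api_blocked: bool
    notes: list = field(default_factory=list)


def diagnose(token: str, status: int, body: dict, expected_permission: str) -> Diagnosis:
    """Combine token claims with the Graph response to explain a failed metered call."""
    claims = decode_claims(token)
    ctx = token_context(claims)
    notes = []
    if expected_permission not in granted_permissions(claims):
        notes.append(f"token does not carry {expected_permission}")
    code = body.get("error", {}).get("code")
    blocked = status == 402 and code == "paymentRequired"
    if blocked:
        notes.append(f"{ctx} call rejected by the metered-API billing check; see {GRAPH_METERED_DOC}")
    return Diagnosis(ctx, blocked, notes)


# Constructed sample claims mirroring the two tokens shown in the question.
APP_CLAIMS = {"aud": "https://graph.microsoft.com", "appid": "{applicationId}", "idtyp": "app",
              "roles": ["Sites.Selected", "Sites.ReadWrite.All", "Mail.Send"], "tid": "{tenantId}"}
USER_CLAIMS = {"aud": "https://graph.microsoft.com", "appid": "{applicationId}", "idtyp": "user",
               "scp": "Group.Read.All Sites.ReadWrite.All Sites.Selected User.Read profile openid email",
               "tid": "{tenantId}"}
APP_TOKEN = make_unsigned_jwt(APP_CLAIMS)
USER_TOKEN = make_unsigned_jwt(USER_CLAIMS)

# Error body copied from the question's 402 response.
ERROR_402 = {"error": {"code": "paymentRequired",
                       "message": "Payment Required. Ensure that your application is able to call this premium API."}}

if __name__ == "__main__":
    print(diagnose(APP_TOKEN, 200, {}, "Sites.ReadWrite.All"))
    print(diagnose(USER_TOKEN, 402, ERROR_402, "Sites.ReadWrite.All"))
```

Run against real tokens by replacing the constructed samples with the access tokens from each flow and the JSON body Graph returned; the resulting Diagnosis records which context (app-only or delegated) hit the billing check, which is the detail to bring to the licensing and billing review in the answer above.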
