403 error when calling graph api with logged user's accessToken

sachindave 35 Reputation points
2025-03-04T09:48:19.45+00:00

Hi There,

I am trying to call the MS Graph API using the logged-in user's access token to fetch the group displayName attribute based on the group id, which I am getting from the ID token. I have made sure that the logged-in user's access token has all the required scopes.

"scp": "Directory.Read.All email Group.Read.All GroupMember.Read.All openid profile User.Read User.Read.All",

But still I am getting a 403 Forbidden error in my Java Spring Boot web app.

I want to call the Microsoft Graph API on behalf of the user using the user's access token. Is it possible to do this in Microsoft Entra External ID? If yes, do let me know how I can achieve this.

Best regards,
Dev


Accepted answer
  1. Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator
    2025-03-06T05:39:24.9966667+00:00

    Hi @sachindave,

    Thank you for posting your query on Microsoft Q&A.

    Based on your query, I understand that you are receiving an error while retrieving the group memberships using a user access token and would like to achieve this with the on-behalf-of scenario.

    If you would like to retrieve an access token in an on-behalf-of scenario, you need to use the client credential flow. To use the client credential flow, you may need to use only application permissions on the application.

    As per your requirement, you need to go with this document: Permissions for another user's direct memberships.

    Based on this document, you need to provide application permission to the application.

    Application permissions: Directory.Read.All (least privilege), Directory.ReadWrite.All (highest)

    To provide application permissions, follow these steps:

    • Log in to the Azure portal as a global admin and browse to Entra ID.
    • Under Manage, select App registrations and choose the application.
    • Go to API permissions, click Add permission -> Microsoft Graph API -> Application permissions.
    • Add the Directory.ReadWrite.All permission to the application and provide admin consent.

    Once the permission has been added to the application, you can now use the client credential flow to retrieve an access token on behalf of the user, using the following document: Microsoft identity platform and the OAuth 2.0 client credentials flow

    Additional documents:

    On-behalf-of documents: Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow

    Listing group memberships using Graph API: List a user's direct memberships

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

    1 person found this answer helpful.
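As an added example (not code from this thread, from the questioner's Spring Boot app, or from Microsoft), the following Python script shows the two things a practitioner usually wants when Graph returns 403 with a token that "has the scopes": first, a check of what the access token actually carries (its aud, its delegated scp claim and its application roles claim), and second, the client credentials request and the group lookup that the accepted answer points to. Assumptions: the token endpoint is the login.microsoftonline.com v2.0 endpoint from the linked client credentials document (an External ID tenant uses its own authority, so pass that host as `authority_host`); the tokens built by `make_test_token` are constructed, unsigned samples for offline use; `decode_claims` deliberately does not verify the signature and is for inspecting your own token, not for authorizing anything; the Graph resource app id is the well-known `00000003-0000-0000-c000-000000000000`.

```python
"""Inspect an Entra access token's claims and build the app-only Graph call.

Added example; uses only the Python standard library so it runs offline.
"""
import base64
import json
import urllib.parse
import urllib.request

# Well-known Microsoft Graph resource identifiers (the 'aud' a Graph token carries).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {"https://graph.microsoft.com", GRAPH_APP_ID}


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only).

    Never use this to make an authorization decision; it only tells you what
    the token says about itself so you can compare it with what Graph expects.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, required: str) -> list:
    """Return the reasons this token will not satisfy Graph for `required` (empty = looks fine)."""
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"aud={claims.get('aud')!r} is not Microsoft Graph; token was issued for another resource")
    delegated = set(claims.get("scp", "").split())   # delegated permissions (user token)
    app_roles = set(claims.get("roles", []))           # application permissions (app-only token)
    if required not in delegated and required not in app_roles:
        problems.append(f"{required} is in neither scp (delegated) nor roles (application)")
    return problems


def make_test_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT (alg=none) carrying `claims`, for offline tests."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def client_credentials_request(tenant: str, client_id: str, client_secret: str,
                               authority_host: str = "login.microsoftonline.com"):
    """Return (token endpoint URL, form body) for the OAuth 2.0 client credentials grant.

    The resulting token is app-only: Graph authorizes it by the 'roles' claim,
    so the application permission must be granted and admin-consented.
    """
    url = f"https://{authority_host}/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all consented app permissions
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def group_display_name_url(group_id: str) -> str:
    """Graph v1.0 URL that returns only displayName for one group."""
    return f"https://graph.microsoft.com/v1.0/groups/{urllib.parse.quote(group_id)}?$select=displayName"


def fetch_group_display_name(access_token: str, group_id: str, opener=urllib.request.urlopen) -> str:
    """Call Graph with a bearer token; `opener` is injectable so the call can be tested offline."""
    req = urllib.request.Request(group_display_name_url(group_id),
                                 headers={"Authorization": f"Bearer {access_token}"})
    with opener(req) as resp:
        return json.load(resp)["displayName"]


if __name__ == "__main__":
    # Constructed sample mirroring the scp claim quoted in the question.
    delegated_token = make_test_token({"aud": "https://graph.microsoft.com",
                                       "scp": "Directory.Read.All email Group.Read.All "
                                              "GroupMember.Read.All openid profile User.Read User.Read.All"})
    print("delegated token:", check_graph_token(delegated_token, "Group.Read.All") or "ok")
    # Constructed sample of an app-only token whose role does not cover the call.
    app_token = make_test_token({"aud": GRAPH_APP_ID, "roles": ["User.Read.All"]})
    print("app-only token:", check_graph_token(app_token, "Directory.Read.All"))
```

Run the checker against the real token your Spring Boot app sends (copy it from the Authorization header, never log it) before touching permissions: a token whose aud is your own API rather than Graph, or whose permission lives in neither scp nor roles, will never be accepted no matter which flow produced it. The app-only path returned by `client_credentials_request` is the one the accepted answer describes; note that it acts as the application, not as the signed-in user, so restrict it to the least-privileged application permission your call needs.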
