Accesing (work) events through Graph API using device code workflow

Expresto 1 Reputation point
2020-04-15T09:36:28.53+00:00

Hello everyone,

I try to access the calendar events (Graph API) of my work account via an app I registered on my personal account. As the API calls will be made from a microcontroller, I use the device auth flow to get the necessary token.
I have registered the app and added the default redirect URL ("https://login.microsoftonline.com/common/oauth2/nativeclient"). Supported account types are personal and organizational accounts. API permissions as follows:
7333-api-permissions.png

Now I start the device auth flow: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode", log my work user into the account, granting permissions and poll the access token via "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token". The result looks like this:

{  
    "token_type": "Bearer",  
    "scope": "Calendars.Read Calendars.ReadWrite email Mail.Read Mail.ReadWrite openid profile User.Read",  
    "expires_in": 3599,  
    "ext_expires_in": 3599,  
    "access_token": "eyJ0...",  
    "refresh_token": "OAQA..."  
}  

So far so nice :)

Using the access token I'm able to call the graph API and see the user account details: https://graph.microsoft.com/v1.0/me

But as soon as I try to get the current events ("https://graph.microsoft.com/v1.0/me/events") I get an error:

{  
  "error": {  
    "code": "NoPermissionsInAccessToken",  
    "message": "The token contains no permissions, or permissions can not be understood.",  
    "innerError": {  
      "request-id": "f391dbdf-fd8a-49c8-abd1-109d1a38ba2f",  
      "date": "2020-04-15T09:26:00"  
    }  
  }  
}  

The "funny" thing is that the very same requests works, using the Graph Explorer App. I thought that they might have blocked access at my company but why should the graph explorer app work then?

When looking into the JWT, I can see that the required scopes are there:

"scp": "Calendars.Read Calendars.ReadWrite email Mail.Read Mail.ReadWrite openid profile User.Read"  

Any ideas how to resolve this? There must be somethign I forgot...

Thanks a lot!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. 2020-07-07T21:56:33.647+00:00

    You've to update your code to send requests to /common. EG:

    GET https://login.microsoftonline.com/common/oauth2/v2.0/devicecode
    POST https://login.microsoftonline.com/common/oauth2/v2.0/token