How to allow my (desktop/server) app access to other, non-admin, users' contacts & emails

Admin 6 1 Reputation point
2021-01-29T04:31:05.397+00:00

I'm the admin of Office365 organization.

I've written an app that can read information from emails, and read/write contacts.

However this program doesn't have access to other users besides the admin.

I applied various permissions: application permissions, delegation permissions but there's still no access to contacts or emails of other users.

This SO guy claims to solve the problem. Yet, I can't figure out where or how to "change access token grant flow type":

"Changing OAuth 2.0 access token grant flow type from Authorization Code to Client Credentials and specifying a scope of graph.microsoft.com/.default uses the Application Type permissions"

  • My app is meant to be run from my desktop, or from a server.
  • The app doesn't have a user interface, and does NOT interact with users.
  • These are the permissions I have right now:

[screenshot: 61712-permissions.png, current API permissions of the app registration]


1 answer

  1. AmanpreetSingh-MSFT 56,696 Reputation points
    2021-02-02T11:07:34.647+00:00

    Hi @Admin 6 · Thank you for reaching out.

    I can confirm that it works with Client_Credentials flow with Application Permissions Contacts.Read or Contacts.ReadWrite and scope set to https://graph.microsoft.com/.default.

    The problem I see in your case is that you have not granted admin consent for the Contacts.Read or Contacts.ReadWrite Application permission. Delegated permissions won't work when you acquire a token using the client_credentials flow, as it uses the application context.

    Please grant admin consent to these permissions and acquire a new token. Decode the new token at https://jwt.ms and make sure the roles claim includes Contacts.Read or Contacts.ReadWrite or both permissions, as shown below:

    [screenshot: 63022-image.png, decoded token at jwt.ms showing the roles claim]

    Once the token is acquired with the above permissions, make the call below with an Authorization header whose value is `Bearer <your_access_token>`:

    https://graph.microsoft.com/v1.0/users/<object_id_or_upn_of_user>/contacts

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

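Putting the answer above into code, as an added example that is not from this thread, from Microsoft, or from the asker's app: it acquires an app-only token with the client_credentials grant and `https://graph.microsoft.com/.default`, decodes the token the way jwt.ms does to confirm the `roles` claim actually carries Contacts.Read or Contacts.ReadWrite, and only then calls `/users/{id}/contacts`. Tenant id, client id, client secret and the target user are placeholders you fill in from your own app registration; `make_unsigned_token` builds a constructed, unsigned token purely so the claim checks can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

TENANT_ID = "<tenant-id>"  # placeholders: fill in from your own app registration
CLIENT_ID = "<application-client-id>"
CLIENT_SECRET = "<client-secret>"
SCOPE = "https://graph.microsoft.com/.default"  # .default = the app's granted application permissions
REQUIRED_ROLES = {"Contacts.Read", "Contacts.ReadWrite"}
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def jwt_payload(token: str) -> dict:
    """Decode the payload for inspection only (what jwt.ms shows); no signature check."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def granted_roles(token: str) -> set:
    """App-only tokens carry application permissions in 'roles'; delegated tokens
    carry 'scp' instead, which is why delegated grants never satisfy this flow."""
    return set(jwt_payload(token).get("roles", []))


def check_contacts_access(token: str) -> bool:
    """True only when admin-consented Contacts.Read/ReadWrite appears in the token."""
    return bool(granted_roles(token) & REQUIRED_ROLES)


def acquire_token() -> str:
    """Client-credentials grant: no user, no UI, one POST to the tenant's token endpoint."""
    body = urllib.parse.urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                   "scope": SCOPE, "grant_type": "client_credentials"}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_contacts(token: str, user: str) -> list:
    """GET /users/{object-id-or-upn}/contacts with the app-only bearer token."""
    url = f"https://graph.microsoft.com/v1.0/users/{urllib.parse.quote(user)}/contacts"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for exercising the checks offline; never send it to Graph."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tok = acquire_token()
    if not check_contacts_access(tok):
        raise SystemExit(f"admin consent missing; roles claim = {granted_roles(tok)}")
    for contact in list_contacts(tok, "<object-id-or-upn>"):
        print(contact.get("displayName"))
```

If the script exits with an empty roles set, the consent step in the answer is what is missing; a token that shows `scp` instead of `roles` was issued through a delegated flow and will not work for this call.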
