How to retrieve a correct token to request Reports on Graph

asked 2019-12-12T14:50:19.113+00:00
Gilles T 1 Reputation point

Hello

I have registered an app with Reports.Read.All permissions with delegation and Admin Consent.
I try to retrieve reports (email, onedrive, ...), but I don't succeed. The token retrieved never contains the permission Reports.Read.All.

$credentials = Get-Credential

$Uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$Body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    redirect_uri  = 'https://localhost/'
    username      = $credentials.GetNetworkCredential().username
    password      = $credentials.GetNetworkCredential().password
}
$AuthResult = Invoke-RestMethod -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body

The token has insufficient rights to call https://graph.microsoft.com/v1.0/reports/getEmailActivityUserDetail(period='D7')

Where is the problem?

Regards
Gilles

Azure Active Directory

2 answers

  1. answered 2019-12-12T22:23:18.207+00:00
    FrankHu-MSFT 971 Reputation points

    The reason you're getting this error is because you're utilizing the client credential flow, which only gets application permissions because it's on behalf of the service principal. In order to get an access token with the delegated permission, you'll need to utilize a different flow. For more information on how to do this, take a look at the PowerShell and ADAL/MSAL libraries: https://github.com/shawntabrizi/Azure-AD-Authentication-with-PowerShell-and-ADAL

    And for more information on the different kinds of permissions, take a look at: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-permissions-and-consent


  2. answered 2019-12-17T16:18:59.997+00:00
    Gilles T 1 Reputation point

    Hello

    Thank you for your response.
    I have tried to connect like you suggest using RESTwithAppKey.ps1.
    In the token, I retrieve fewer roles than with my previous try.
    Do I have to use a different method to retrieve the token?

    Regards
    Gilles

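Added example, not part of the original thread or of any Microsoft sample: a PowerShell helper that decodes an access token's payload and reports whether Reports.Read.All is present as an application permission (`roles` claim) or as a delegated permission (`scp` claim), the distinction the first answer describes and the "roles" the follow-up post refers to. The function names and the two sample tokens are constructed for illustration; the helper only inspects claims and does not validate the token's signature.

```powershell
# Decode a base64url segment (JWT encoding: no padding, '-' and '_' alphabet).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
}

# Hypothetical helper: summarise which kind of permission a token carries.
function Get-TokenPermissionSummary {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$Permission = 'Reports.Read.All'
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected three dot-separated parts)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Application permissions arrive in "roles" (array),
    # delegated permissions in "scp" (space-separated string).
    $roles  = @($claims.roles | Where-Object { $_ })
    $scopes = @("$($claims.scp)" -split '\s+' | Where-Object { $_ })

    [pscustomobject]@{
        Audience  = $claims.aud
        Kind      = if ($scopes.Count) { 'delegated' } elseif ($roles.Count) { 'application' } else { 'no permissions' }
        Roles     = $roles
        Scopes    = $scopes
        AsAppRole = $roles  -contains $Permission
        AsScope   = $scopes -contains $Permission
    }
}

# Constructed, unsigned sample tokens (not real tokens) so the example runs offline.
function New-SampleToken([hashtable]$Claims) {
    $enc = { param($o) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.{2}' -f (& $enc @{ alg = 'none' }), (& $enc $Claims), 'constructed-signature'
}
# Client credentials flow: only application permissions, here without Reports.Read.All.
$appToken  = New-SampleToken @{ aud = 'https://graph.microsoft.com'; roles = @('User.Read.All') }
# A user (delegated) flow: consented delegated permissions appear in "scp".
$userToken = New-SampleToken @{ aud = 'https://graph.microsoft.com'; scp = 'Reports.Read.All User.Read' }

$appToken, $userToken | ForEach-Object { Get-TokenPermissionSummary $_ } | Format-List
```

Against the script in the question, the call would be `Get-TokenPermissionSummary $AuthResult.access_token`; treat the decoded token as a secret and keep it out of logs and tickets.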