SignIn Events Azure AD Graph API wrong next link

Nikita Krivets 481 Reputation points
2019-12-13T08:01:18.75+00:00

Hello,

I understand that MS Graph API would be a proper way to do it, but I still have to use Azure AD Graph API. So, I put my request for signInEvents at https://graphexplorer.azurewebsites.net/#. It works as I got my events. The response contains

"@odata.context": "https://reportingservice.activedirectory.windowsazure.com/tenant/activities/$metadata#signinEvents"

value: []

"@odata.nextLink": "https://reportingservice.activedirectory.windowsazure.com/tenant/activities/signinEvents?api-version=beta&%24skiptoken=token_1000"

It is not possible to use the next link because it doesn't work. If you replace reportingservice.activedirectory.windowsazure.com with graph.windows.net as in my original request it works as expected. I don't think that it is a proper workflow to change the next link every time. Is it a bug?

I have tested it with my own application. Firstly, I have assigned delegated permissions, then I removed them and assigned application permissions.

Permissions:

  • Azure Active Directory Graph (Directory.Read.All)
  • Microsoft Graph (Directory.Read.All)

With delegated permission assigned I have got an exception "AADSTS65001: The user or administrator has not consented to use the application"

With application permissions assigned I have got an exception Authentication_ApplicationHasNoDirectoryReadAccess

All requests to graph.windows.net were successfully performed.

What kind of permissions do I need to have then? And how I should use this "reportingservice.activedirectory.windowsazure.com" next link?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

Accepted answer
  1. FrankHu-MSFT 976 Reputation points
    2019-12-13T23:58:44.293+00:00

    how are you getting your access token? It seems like when you're utilizing a flow that's most likely client credentials as it sounds like you're not getting the delegated permissions, but the application permissions. For more information on permissions I suggest taking a look here : https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/

    In addition to that, per your response the AAD Graph API is being deprecated and not supported anymore. If you'd like to get the next page feature working, please utilize the microsoft Graph API.

    If you'd like there to be further support for the AAD Graph API please submit your feedback here : https://feedback.azure.com/forums/169401-azure-active-directory and if there's enough community support the product team will look into putting this on the roadmap for the future.

    You could also file a support ticket to see if you can get this enabled/supported for your specific scenario.

    Thanks,

    • Frank Hu

0 additional answers

Sort by: Most helpful