Do I need admin consent on calendar operations?

Luis Veliz 1 Reputation point
2020-06-23T21:07:06.967+00:00

I'm working on a project in which I need to create events in my calendar. For this I am using the Graph API, and there should be no user interaction (daemon app).

  • I'm using my personal account.
  • I'm trying with the application permissions for daemon apps
  • I followed these steps (the only thing I'm missing is the admin consent)

As a test I am making a call in Postman to which I add the token I got from the URL

App.java

 public static void main(String[] args) {  
  
        final Properties config = new Properties();  
  
        try {  
  
            config.load(App.class.getResourceAsStream("oAuth.properties"));  
  
            final String APPLICATION_ID = config.getProperty("app.id");  
            final String TENANT_ID = config.getProperty("tenant.id");  
            final String CLIENT_SECRET = config.getProperty("client.secret");  
            final String USER = config.getProperty("app.user");  
            final String[] SCOPES_SET = config.getProperty("app.scopes").split(",");  
  
            Authentication.initialize(APPLICATION_ID, CLIENT_SECRET, TENANT_ID);  
            final String accessToken = Authentication.getUserAccessToken(SCOPES_SET);  
            SimpleAuthProvider authProvider = new SimpleAuthProvider(accessToken);  
  
            IGraphServiceClient graphClient = GraphServiceClient  
                .builder().authenticationProvider(authProvider).buildClient();  
  
            Event event = new Event();  
            event.subject = "Evento de pruebas";  
  
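            String timeZone = "Pacific Standard Time";

            // Start and end need separate DateTimeTimeZone instances; reusing one
            // object would give the event identical start and end times.
            DateTimeTimeZone start = new DateTimeTimeZone();
            start.timeZone = timeZone;
            start.dateTime = "2020-08-15T10:00:00";

            DateTimeTimeZone end = new DateTimeTimeZone();
            end.timeZone = timeZone;
            end.dateTime = "2020-08-15T15:00:00";

            event.start = start;
            event.end = end;

            graphClient.users(USER).events().buildRequest().post(event);

        } catch (ClientException | IOException | URISyntaxException e) {
            // Also reached on Graph request errors (ClientException), not only on config-read failures.
            System.out.println("NO FUE POSIBLE LEER EL ARCHIVO DE CONFIGURACION");
        }
    }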

Authentication.java

 public static void initialize(String applicationId, String clientSecret, String tenantID) {  
        Authentication.applicationId = applicationId;  
        Authentication.clientSecret = clientSecret;  
        Authentication.tenantID = tenantID;  
        Authentication.authority = "https://login.microsoftonline.com/" + tenantID + "/oauth2/token";  
    }  
  
    public static String getUserAccessToken(String[] scopes) throws URISyntaxException {  
  
        Set<String> scopeSet = new HashSet<>(Arrays.asList(scopes));
        ExecutorService pool = Executors.newFixedThreadPool(1);  
        ConfidentialClientApplication app;  

        try {     
            app = ConfidentialClientApplication  
                .builder(applicationId, ClientCredentialFactory.createFromSecret(clientSecret))  
                .authority(authority).build();  
        } catch (Exception e) {  
            return null;  
        }  
  
        IAuthenticationResult result = app.acquireToken(  
            ClientCredentialParameters.builder(scopeSet).build()  
        ).exceptionally(ex -> {  
            System.out.println("Unable to authenticate - " + ex.getMessage());  
            return null;  
        }).join();  
  
        pool.shutdown();  
        return result != null ? result.accessToken() : null;  
  
    }  

But I'm getting this error

Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: NoPermissionsInAccessToken  
Error message: The token contains no permissions, or permissions can not be understood.  

POST https://graph.microsoft.com/v1.0/users/MY_EMAIL/events  
SdkVersion : graph-java/v1.6.0  
SdkVersion : graph-java/v1.6.0  
Authorization : Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI[...]  
{"subject":"Evento de pruebas","body":{"contentTyp[...]  

401 : Unauthorized  
[...]  

I can't get admin consent because I'm using a personal account
10592-132.png

This is the content of my token

10440-sin-nombreqw.png


1 answer

  1. Saurabh Sharma 23,771 Reputation points Microsoft Employee
    2020-06-23T23:22:22.987+00:00

    @LuisVeliz-9265 Yes, you need to provide Admin consent. In order to provide admin consent you need to use the Tenant admin account to log in and provide consent from the Azure portal. (See screenshot below)

    10528-graph-api-permissions.png

    You can also validate if the required permissions are appearing in the access token using https://jwt.ms/. (see screenshot below)
    10536-access-token.png
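
A local equivalent of the jwt.ms check suggested in the answer, added here as an example and not code from the original thread: it decodes the token payload and reports whether application permissions are present in the `roles` claim. It assumes `Calendars.ReadWrite` is the application permission needed to create events; the function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Values Microsoft Graph tokens carry in 'aud' (resource URI or Graph's app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000046"}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required_role: str = "Calendars.ReadWrite") -> str:
    """Classify why Graph would accept or reject this token for a daemon call."""
    claims = decode_claims(token)
    if str(claims.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        return "wrong-audience"
    roles = claims.get("roles") or []
    if not roles:
        # No 'roles' claim: no application permission has been consented.
        # A token carrying only 'scp' is a delegated (user) token instead.
        return "delegated-token" if claims.get("scp") else "no-app-permissions"
    return "ok" if required_role in roles else "missing-role"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-sig"


if __name__ == "__main__":
    base = {"aud": "https://graph.microsoft.com", "appid": "constructed-app-id"}
    before_consent = make_sample_token(base)
    after_consent = make_sample_token({**base, "roles": ["Calendars.ReadWrite"]})
    print("before admin consent:", diagnose(before_consent))
    print("after admin consent: ", diagnose(after_consent))
```

A `no-app-permissions` result matches the `NoPermissionsInAccessToken` error in the question. Decoding this way only inspects claims; it does not validate the token.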