Here is my postman screenshot. In response, I am getting a sign-in form. I saved the response in HTML file and it opens like this. My requirements are simple. I need to call https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize to get the code that is necessary for getting the token. Then I want to call {tenant}/oauth2/v2.0/token to get the access token Then I want to call /oidc/userinfo to get the users of AD. Is anything I am doing wrong?

Perhaps your expectations are wrong, using the authorize endpoint will require you to enter credentials as detailed in the documentation, before returning an auth code or token: https://learn.microsoft.com/en-us/graph/auth-v2-user#2-get-authorization As noted in the article, if using SSO you might be able to get the token directly, but that will not always work. If you want to complete the flow by providing credentials directly, use the ROPC flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc Or client credentials: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

I am unable to get access token from the microsoft active directory graph api.

Accepted answer

Vasil Michev 100.2K Reputation points MVP

2021-07-06T13:26:22.397+00:00

Perhaps your expectations are wrong, using the authorize endpoint will require you to enter credentials as detailed in the documentation, before returning an auth code or token: https://learn.microsoft.com/en-us/graph/auth-v2-user#2-get-authorization
As noted in the article, if using SSO you might be able to get the token directly, but that will not always work.
If you want to complete the flow by providing credentials directly, use the ROPC flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Or client credentials: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
Please sign in to rate this answer.
ahmad nawaz 21 Reputation points

2021-07-06T13:40:35.517+00:00

Ok, So I have the client id and client secret.

So I just need to get the access token directly https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token

and then using that token gets the users info. https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http

I don't need to do anything extra?

My main goal is to get the users list.

Vasil Michev 100.2K Reputation points MVP

2021-07-06T13:48:17.217+00:00

Well you need to have an application registered, and sufficient permissions consented to in order to run the list users call. It's all covered in the article above.

ahmad nawaz 21 Reputation points

2021-07-06T13:56:51.6+00:00

The application registration and permissions are set from the backend?

I don't have the sign-in credentials as I am a developer but I have provided the client id, client secret, tenant id, and object id.

So from my perspective, I just need to call those two APIs only. Get the access token and then get the users list.

If there is anything extra that should be configured from the backend and I need to ask the provider to do that. Right?

Vasil Michev 100.2K Reputation points MVP

2021-07-06T14:37:33.543+00:00

You can configure the permissions on the application itself, but when you add it to a tenant, including your own, and admin needs to consent to the permissions. Read here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types

ahmad nawaz 21 Reputation points

2021-07-07T05:05:21.29+00:00

I read the documentation and I need application permission instead of delegation permission. But where can I set it? As you said that I can configure the permissions on the application itself but I don't have the credentials to sign in.

ahmad nawaz 21 Reputation points

2021-07-07T05:27:25.05+00:00

I am able now to get the access token but now I am getting an error when trying to request for users list.

Is it because of the permissions at the application level? If yes then can you please guide me where I need to configure it?

Vasil Michev 100.2K Reputation points MVP

2021-07-07T05:53:01.567+00:00

Most likely, yes. You need to add the permissions on your Azure AD app registration, and the admin needs to consent to them in the organization against which you will be running this query. If you have the necessary permissions, go to the Azure AD blade > App registrations > click your app > API Permissions > Add a permission > Microsoft Graph > Application permissions > User.Read.All > click the Add permission button to confirm.
Once the permissions are added, click the Grant admin consent button if you are going to run this against your own tenant (again, you need admin permissions for this part).

ahmad nawaz 21 Reputation points

2021-07-07T06:19:22.7+00:00

Is it possible to ask for the permissions through the API? and then the admin will grant it?

I have asked for the permissions but they told me that you need to ask for it through the API and then we will grant the permissions?

If possible then which end point I should call to ask for the permissions?

ahmad nawaz 21 Reputation points

2021-07-07T10:03:06.797+00:00

There is already permission added. Please see

But still, I am seeing that error Authorization_RequestDenied

Is it because the permission type is delegated and not application permission?

Vasil Michev 100.2K Reputation points MVP

2021-07-07T12:38:10.177+00:00

If you are using the client credentials flow, you need Application permissions. Read the article I linked to above, it explains how to add the permissions and how to trigger admin consent.
Sign in to comment

Share via

I am unable to get access token from the microsoft active directory graph api.

0 additional answers