Perhaps your expectations are wrong: using the authorize endpoint will require you to enter credentials, as detailed in the documentation, before it returns an auth code or token: https://learn.microsoft.com/en-us/graph/auth-v2-user#2-get-authorization
As noted in the article, if using SSO you might be able to get the token directly, but that will not always work.
If you want to complete the flow by providing credentials directly, use the ROPC flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Or client credentials: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token
I am unable to get an access token from the Microsoft Active Directory Graph API.

ahmad nawaz 21 Reputation points
Here is my postman screenshot.
In response, I am getting a sign-in form. I saved the response in HTML file and it opens like this.
My requirements are simple.
I need to call https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize to get the code that is necessary for getting the token.
Then I want to call {tenant}/oauth2/v2.0/token to get the access token.
Then I want to call /oidc/userinfo to get the users of AD.
Is there anything I am doing wrong?
Accepted answer
Vasil Michev 66,011 Reputation points MVP
2021-07-06T13:26:22.397+00:00
Well you need to have an application registered, and sufficient permissions consented to in order to run the list users call. It's all covered in the article above.
The application registration and permissions are set from the backend?
I don't have the sign-in credentials as I am a developer but I have provided the client id, client secret, tenant id, and object id.
So from my perspective, I just need to call those two APIs only. Get the access token and then get the users list.
If there is anything extra that should be configured from the backend and I need to ask the provider to do that. Right?
You can configure the permissions on the application itself, but when you add it to a tenant, including your own, an admin needs to consent to the permissions. Read here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types
I read the documentation and I need application permission instead of delegation permission. But where can I set it? As you said that I can configure the permissions on the application itself but I don't have the credentials to sign in.
I am able now to get the access token but now I am getting an error when trying to request for users list.
Is it because of the permissions at the application level? If yes then can you please guide me where I need to configure it?
Most likely, yes. You need to add the permissions on your Azure AD app registration, and the admin needs to consent to them in the organization against which you will be running this query. If you have the necessary permissions, go to the Azure AD blade > App registrations > click your app > API Permissions > Add a permission > Microsoft Graph > Application permissions > User.Read.All > click the Add permission button to confirm.
Once the permissions are added, click the Grant admin consent button if you are going to run this against your own tenant (again, you need admin permissions for this part).
Is it possible to ask for the permissions through the API, and then the admin will grant it?
I have asked for the permissions, but they told me that I need to ask for it through the API and then they will grant the permissions.
If possible then which end point I should call to ask for the permissions?
There is already permission added. Please see
But still, I am seeing that error Authorization_RequestDenied
Is it because the permission type is delegated and not application permission?
If you are using the client credentials flow, you need Application permissions. Read the article I linked to above, it explains how to add the permissions and how to trigger admin consent.
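The thread's final point is that a client credentials token only works against /users if the app registration carries an Application permission (User.Read.All) with admin consent; a delegated token or an app-only token without that role gets Authorization_RequestDenied. The following is an added example, not code from the question or the accepted answer: it builds the v2.0 client credentials request, inspects the claims of the returned token before calling Graph (app-only tokens carry a `roles` claim, delegated tokens carry `scp`), and maps the 403 error body to the fix. The tenant, client id, secret and the sample tokens are constructed placeholders; the network call in `fetch_users` is shown but not needed to run the checks.

```python
"""Added example (not from the Microsoft Q&A thread): acquire an app-only
token with the client credentials grant and verify, before calling /users,
that the token actually carries the User.Read.All application role.
Endpoint and claim names follow the Microsoft identity platform docs;
tenant, client id, client secret and sample tokens are constructed."""
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """Return (url, form body) for the v2.0 client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # .default = every app permission consented on the registration
        "grant_type": "client_credentials",
    })
    return url, body


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Graph verifies
    the signature server-side; here we only read claims to diagnose a
    permission problem on the client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_token(token: str, required_role: str = "User.Read.All") -> str:
    """Tell the caller whether this token can list users with app-only rights."""
    claims = decode_jwt_payload(token)
    if "scp" in claims:
        return ("delegated token (scp claim present): obtained through a user flow "
                "such as auth code or ROPC, not client credentials")
    roles = claims.get("roles", [])
    if required_role not in roles:
        return (f"app-only token without {required_role}: add the Application "
                f"permission and grant admin consent; roles present: {roles}")
    return f"ok: app-only token carries {required_role}"


def explain_graph_error(status: int, body: str) -> str:
    """Map a Graph error response to the most likely fix."""
    try:
        code = json.loads(body).get("error", {}).get("code", "")
    except json.JSONDecodeError:
        code = ""
    if status == 403 and code == "Authorization_RequestDenied":
        return ("403 Authorization_RequestDenied: the token lacks a role this "
                "endpoint needs (User.Read.All for /users); grant the Application "
                "permission and admin consent, then request a fresh token")
    if status == 401:
        return "401: token missing, expired or issued for a different audience"
    return f"{status} {code}"


def fetch_users(access_token: str) -> dict:
    """GET /users with the bearer token (network call; not run offline)."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/users",
        headers={"Authorization": "Bearer " + access_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample tokens: delegated, app-only with the wrong role, app-only OK.
DELEGATED = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
APP_WRONG_ROLE = _fake_jwt({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]})
APP_OK = _fake_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})

# Constructed sample of the 403 body the question reports.
SAMPLE_403 = json.dumps({"error": {"code": "Authorization_RequestDenied",
                                   "message": "Insufficient privileges to complete the operation."}})

if __name__ == "__main__":
    url, body = build_token_request("contoso.onmicrosoft.com", "<client-id>", "<client-secret>")
    print(url, body)
    for t in (DELEGATED, APP_WRONG_ROLE, APP_OK):
        print(diagnose_token(t))
    print(explain_graph_error(403, SAMPLE_403))
```

Run `diagnose_token` on the real token you get back from the token endpoint before spending time on the /users call: if it reports a delegated token or a missing role, the fix is in the app registration (API permissions, Application type, Grant admin consent), not in the request.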