
"Unauthorized" when accessing "https://graph.microsoft.com/v1.0/compliance/ediscovery/cases"

Anonymous
2022-10-24T04:26:02+00:00

Hi,

I have registered an API on Azure AD on a Global Admin account. I have the App ID, Tenant ID, and Client Secret.

I have written a function that makes an Azure API call in Python and a function that gets a token for me.

    from json import loads
    from urllib3 import PoolManager

    def makeAzureAPICall(self, apiURL: str, resourceAppIdUri: str) -> dict:
        # Look up the app registration details for the first configured domain
        domain = self.domains.split(", ")[0]
        currentInfo = self.clientAPI(domain)
        # Get a bearer token for the target resource, then call the API with it
        token = self.getAzureToken(currentInfo['directoryTenantID'], currentInfo['applicationClientID'], currentInfo['clientSecretValue'], resourceAppIdUri)
        headers = {'Content-Type': 'application/json', 'Accept': 'application/json', 'Authorization': "Bearer %s" % token}
        return loads(PoolManager().request("GET", url=apiURL, headers=headers).data)

    def getAzureToken(self, directoryTenantID: str, applicationClientID: str, clientSecretValue: str, resourceAppIdUri: str) -> str:
        # v1 token endpoint: 'resource' names the API the token is issued for
        url = "https://login.windows.net/%s/oauth2/token" % (directoryTenantID)
        # Client credentials grant: the app authenticates as itself, no user involved
        body = {'resource' : resourceAppIdUri, 'client_id' : applicationClientID, 'client_secret' : clientSecretValue, 'grant_type' : 'client_credentials'}
        data = PoolManager().request_encode_body("GET", url, body).data
        return loads(data)["access_token"]

It works for the following:

    Permission Required:    Microsoft Graph: User.Read.All
    Resource API URL:       https://graph.microsoft.com/v1.0/users
    Security Auth URL:      https://graph.microsoft.com
    --------------------------------------------------------------------------
    Permission Required:    Microsoft Graph: User.Read.All
    Resource API URL:       https://graph.microsoft.com/v1.0/users/{userID[0]}/licenseDetails
    Security Auth URL:      https://graph.microsoft.com
    --------------------------------------------------------------------------
    Permission Required:    WindowsDefenderATP: Machine.Read.All
    Resource API URL:       https://api.security.microsoft.com/api/machines
    Security Auth URL:      https://api.securitycenter.microsoft.com
    --------------------------------------------------------------------------
    Permission Required:    WindowsDefenderATP: Machine.Read.All
    Resource API URL:       https://api.security.microsoft.com/api/deviceavinfo
    Security Auth URL:      https://api.securitycenter.microsoft.com
    --------------------------------------------------------------------------
    Permission Required:    Microsoft Graph: DeviceManagementManagedDevices.Read.All
    Resource API URL:       https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/
    Security Auth URL:      https://graph.microsoft.com

I have given the permissions above to the API, and I have given Application eDiscovery.Read.All permissions.

Calling the above functions works for everything except "https://graph.microsoft.com/v1.0/compliance/ediscovery/cases".

I have tried this:

    from msal import PublicClientApplication

    def getPublicAccessToken(self, directoryTenantID: str, applicationClientID: str, scope: str):
        # Public client: no secret, the user signs in through a browser window
        app = PublicClientApplication(client_id = applicationClientID,
                                      authority = "https://login.microsoftonline.com/" + directoryTenantID)
        token = app.acquire_token_interactive(scopes=[scope])
        return token["access_token"]

Which prompts for a browser and I sign in. The scope entered is: "https://graph.microsoft.com/eDiscovery.Read.All".

This works, but I need it done silently.

I have tried this:

    from msal import ConfidentialClientApplication

    def getConfidentialAccessToken(self, directoryTenantID: str, applicationClientID: str, clientSecretValue: str, scope: str):
        # Confidential client: authenticates with the client secret, no user sign-in
        app = ConfidentialClientApplication(client_id = applicationClientID,
                                            authority = "https://login.microsoftonline.com/" + directoryTenantID,
                                            client_credential = clientSecretValue)
        token = app.acquire_token_for_client(scopes=[scope])
        # This overwrites the MSAL result above; getTestAzureToken is not shown in the post
        token = getTestAzureToken(directoryTenantID, applicationClientID, clientSecretValue, scope)
        return token["access_token"]

Which does not prompt for a browser. The scope entered is: https://graph.microsoft.com/.default.

This does not work, it still gives:

{'error': {'code': 'Unauthorized', 'message': 'Unauthorized.', 'innerError': {'date': '2022-10-24T04:08:45', 'request-id': 'Hidden', 'client-request-id': 'Hidden'}}}

I have also done it on Graph Explorer and it works. I have copied the Token from Graph Explorer and used the MakeAzureAPICall function with it, and it works.

I have NO CLUE what the issue is but I am completely unable to silently access "https://graph.microsoft.com/v1.0/compliance/ediscovery/cases". Despite having Global Admin permissions and a 100% correctly configured Registered API.

I have followed all of the documentation.

I have also tried the function "acquire_token_on_behalf_of" but there is no "user_assertion" available and there is nothing on the internet explaining how to use it. I am not kidding, there is ZERO documentation explaining it and how to access it.

Some help would be very much appreciated.


This question was migrated from the Microsoft Support Community.

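Added example, not part of the original post: the question reports that the interactively acquired token and the Graph Explorer token work while the client-credentials token returns Unauthorized. Decoding each token's payload shows whether it carries delegated permissions (`scp`) or application permissions (`roles`) and whether `eDiscovery.Read.All` is among them. The sample tokens are constructed, and `decode_claims`, `describe_token` and `make_sample_token` are hypothetical helper names.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for troubleshooting. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str, permission: str) -> dict:
    """Summarise which permission claims a token carries."""
    claims = decode_claims(token)
    roles = claims.get("roles", [])          # application permissions (app-only)
    scopes = claims.get("scp", "").split()   # delegated permissions (signed-in user)
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "no permission claims"
    granted = scopes or roles
    return {"aud": claims.get("aud"), "kind": kind,
            "granted": granted, "has_permission": permission in granted}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples, not tokens from the post.
DELEGATED = make_sample_token({"aud": "https://graph.microsoft.com",
                               "scp": "eDiscovery.Read.All User.Read"})
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com",
                              "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("interactive", DELEGATED), ("client credentials", APP_ONLY)):
        print(name, describe_token(tok, "eDiscovery.Read.All"))
```

Running `describe_token` on the real token from each acquisition path gives a side-by-side view of the audience and granted permissions before the Graph call is made.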

1 answer

  1. Anonymous
    2022-10-24T05:12:16+00:00

    Dear Phillip_825,

    Good day.

    Thanks for posting in Microsoft Community.

    Regarding your query on Microsoft Graph API.  Please understand that this query is outside of our support boundaries.  

    For you to be assisted properly, please reach out to Microsoft Q&A by visiting this website microsoft-graph-applications - Microsoft Q&A; I am sure that our experts from that team can address your query effectively and accurately.

    Thank you for your cooperation and understanding.  Please do not hesitate to post your queries in Microsoft Community and we will always do our best to assist you!

    Sincerely,

    Simbarashe | Microsoft Community Moderator
