Can an app use User.ReadBasic.All scope to retrieve any user information given OID?

Akash Sharma 96 Reputation points
2021-11-04T14:21:25.76+00:00

I am trying to write an app that retrieves any user info. allowed given an OID. I started with Example 1 here:

https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

In the process of recreating this request I've been stuck on getting an appropriate token. I want the scope to be User.ReadBasic.All because that appears to be the scope that will allow retrieval of some info. without Admin consent. In the above link I see that the User.ReadBasic.All scope is available for Delegated (work or school account).

Q. 1:
I think I have a work account. Can someone tell me if that is not the case based on this screenshot?
[screenshot: 146537-image.png]

I registered an app with User.ReadBasic.All permission as shown below:
[screenshot: 146469-image.png]

Not sure what the first link meant by leaving off User.ReadBasic.All from Application, but I see here I can add that permission to my app. So not sure if I'm misunderstanding something.

I copied the scope URL https://graph.microsoft.com/User.ReadBasic.All as per here:
[screenshot: 146499-image.png]

Next I retrieved a token using this link:
https://learn.microsoft.com/en-us/graph/auth-v2-service

I tried to use &scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All but that returned no token. I see that I can ONLY use &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default to get a token.

When I use this token to hit the v1.0/users endpoint from the first link the response contains code Authorization_RequestDenied and message Insufficient privileges to complete the operation.

I did try going through the "Get Authorization" step here and got through the Consent dialog and then try the above again, but same result:
https://learn.microsoft.com/en-us/graph/auth-v2-user

I followed the suggestion from CarlZhao-MSFT here:
https://learn.microsoft.com/en-us/answers/questions/577832/unable-to-list-users-from-graph-authorization-requ.html

I parsed my token and I see that there is no scp item:
[screenshot: 146540-image.png]

Hence I asked Q. 1 above.

Q. 2:
Is there another reason there is no "scp": "User.ReadBasic.All" item in my parsed JWT?

Q. 3:
My goal is to have an app retrieve ANY info. at all given an OID without Admin consent. Is that possible? If so what should I do differently?

Tags: Microsoft Security, Microsoft Graph

Accepted answer
  1. Akash Sharma 96 Reputation points
    2021-11-08T17:35:00.993+00:00

    Thanks for the help everyone! It seems the right approach is for my App to use actual App permissions and get Admin consent. Unfortunately the person who was our Azure admin left the company a few weeks back so that has left us in the mode of picking up where that individual left off.

    As you may have guessed we don't use Azure much. Right now we only have one task for which we need a registered App: to retrieve the name or email addr. of the person on an MS Teams channel who acknowledged a message sent to the channel. So far we have been able to retrieve the OID of the person. In the process of trying to figure out how to replace the OID with an actual name or email address, I came across some of the things I tried above.

    Anyway, I think you have all provided me enough info. to be able to proceed and solve this. You can close this issue.

    Thanks!
    Akash


1 additional answer

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2021-11-04T16:53:26.277+00:00

    The permissions you've added are Delegated ones, meaning your app needs to run in the context of a user. However, the token you have obtained is for an application context, thus having the permissions not reflected in the token is expected. Use the auth code flow or any other flow that allows you to obtain a token in the context of a user.

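The diagnostic the question describes (parsing the token and finding no `scp` claim) can be scripted. The following is an added example, not code from this thread or from Microsoft: it decodes the payload of a Graph access token without verifying the signature (the same thing a browser token decoder does), then reports whether the token is a delegated one (permissions listed in the `scp` claim) or an app-only one from the client credentials flow (permissions listed in the `roles` claim), and whether a given permission is actually present. The three sample tokens, the app and tenant IDs and the UPN are constructed placeholders for this example; `make_sample_token` exists only to build them and produces unsigned tokens that no real service would accept.

```python
import base64
import json

AUDIENCE = "https://graph.microsoft.com"  # `aud` claim carried by a Graph access token


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is an inspection aid only, like pasting a token into a decoder page.
    Unverified claims must never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_graph_token(token: str, needed: str) -> dict:
    """Report whether a Graph token is delegated or app-only and whether it
    carries the permission `needed` in the claim that applies to that kind."""
    claims = decode_claims(token)
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was not issued for Microsoft Graph")

    scp = claims.get("scp", "")
    # Delegated permissions arrive as a space-separated string in `scp`.
    delegated = scp.split() if isinstance(scp, str) else list(scp)
    # Application permissions (client credentials flow) arrive as a list in `roles`.
    app_roles = list(claims.get("roles", []))

    if delegated:
        kind, granted = "delegated", delegated
    else:
        # No scp at all means the token was issued to the app itself, not to a
        # user; delegated permissions configured on the app never show up here.
        kind, granted = "application", app_roles

    return {"kind": kind, "granted": granted, "has_permission": needed in granted}


def make_sample_token(claims: dict) -> str:
    """Build a structurally valid but UNSIGNED token (constructed for this example)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])


# Constructed claim sets modelled on the situations in the thread; IDs are placeholders.
APP_ID = "00000000-0000-0000-0000-000000000000"
TENANT = "11111111-1111-1111-1111-111111111111"

# Client credentials token for an app that only has a *delegated* permission configured:
# neither scp nor roles is present, so Graph answers Authorization_RequestDenied.
APP_ONLY_NO_PERMS = make_sample_token({"aud": AUDIENCE, "appid": APP_ID, "tid": TENANT})

# Authorization code flow token obtained in a user's context.
DELEGATED = make_sample_token({"aud": AUDIENCE, "appid": APP_ID, "tid": TENANT,
                               "upn": "user@example.com",
                               "scp": "User.ReadBasic.All profile openid"})

# Client credentials token after an application permission was granted with admin consent.
APP_ONLY_WITH_ROLE = make_sample_token({"aud": AUDIENCE, "appid": APP_ID, "tid": TENANT,
                                        "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("client credentials, no app permissions", APP_ONLY_NO_PERMS),
                      ("auth code flow (user context)", DELEGATED),
                      ("client credentials, app permission granted", APP_ONLY_WITH_ROLE)]:
        print(f"{name}: {classify_graph_token(tok, 'User.ReadBasic.All')}")
```

Run against a real token pasted in place of the samples, an empty `granted` list with `kind == "application"` is exactly the state the question hit: the `.default` scope is the only one the client credentials flow accepts, and it yields whatever application permissions have been consented to, which for an app that only has delegated permissions configured is nothing.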
