Microsoft Graph API for Personal Accounts

Question

Microsoft Graph API for Personal Accounts

lemur 21

Hi,

for my registered app I have selected Personal Accounts as I only want to use /me subpaths.
When I'm using the InteractiveBrowserCredential from azure.identity Python package, to authenticate and try to log in with my account I get the error You can't sign in here with a personal account. Use your work or school account instead. Now, I'd like to use that app for my personal account, so this obviously won't work if I need to use work or school one.

I tried changing the accounts scope in the AppRegistrations but to no effect. What is a suggested way of configuring the app for such use cases?

Thank you

Zehui Yao_MSFT 5,876 Reputation points

2021-12-27T05:48:24.237+00:00

Hello @lemur , I need to discuss with my colleagues and get back to you later.

3 answers

Your answer

Zehui Yao_MSFT 5,876 Reputation points

2021-12-27T05:48:24.237+00:00

Hello @lemur , I need to discuss with my colleagues and get back to you later.

Answer 1

Zehui Yao_MSFT 5,876

Hi, @lemur , you can change the /{tenant id} as /common, when you want to sign in your personal Account. You can refer to this document: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

lemur 21 Reputation points

2021-12-28T19:39:17.647+00:00

Thanks, this seems to have helped with the authentication.

However, after I've authenticated I get an error: OneDrive for Business for this user account cannot be retrieved. if I try to do any basic operation say for the onenote endpoints.
In the MicrosoftGraph Explorer I'm able to perform all of those operations without problems -- should there be any difference? Do I need any additional permissions/subscriptions to be able to access my notes via MicrosoftGraph API?

Thanks
Zehui Yao_MSFT 5,876 Reputation points

2021-12-29T10:08:14.47+00:00

You mean you can use your personal account call onenote endpoints in the MicrosoftGraph Explorer but it fails when you use your account in code ?
lemur 21 Reputation points

2021-12-29T10:10:04.063+00:00

Yes, that is correct. When I use that endpoint in the code I get OneDrive for Business for this user account cannot be retrieved..

Of course when I reuse the Bearer Token from MicrosoftGraph Explorer then it works, so it's still authentication problem, I think.

Thanks
Zehui Yao_MSFT 5,876 Reputation points

2021-12-30T02:58:07.98+00:00

Can you decode your access token in JWT and share your screen shot?
lemur 21 Reputation points

2022-01-01T10:15:08.49+00:00

Yes, I redacted some info, please let me know if this is enough (the token is now expired)

The token comes from DeviceCode user auth flow, and \me endpoints works well.
As I mentioned, when I try to access \me\onenote\notebooks or any other subpath, I get that error:
OneDrive for Business for this user account cannot be retrieved.

Those methods work in MicrosoftGraph Explorer.
Zehui Yao_MSFT 5,876 Reputation points

2022-01-04T08:19:51.933+00:00

Hello, @lemur , as far I cannot reproduce your problem locally, so I need to discuss with my colleagues, and I will reply you immediately if there are any updates.
Zehui Yao_MSFT 5,876 Reputation points

2022-01-04T09:00:02.443+00:00

Can you provide the request id and timestamp? so that we can find the error log in the background.
Zehui Yao_MSFT 5,876 Reputation points

2022-01-07T10:12:40.557+00:00

Hello @lemur , do you have time to see the comment, please reply to me after seeing the comment so that your issue can be resolved as soon as possible.
lemur 21 Reputation points

2022-01-07T22:12:20.03+00:00
Hey @Zehui Yao_MSFT !
Thank you for reminding me, I got lost in the holiday season, I'm so sorry.

Here's the request id, full error message and code:
{'error': {'code': '30108', 'message': 'OneDrive for Business for this user account cannot be retrieved.', 'innerError': {'date': '2022-01-07T22:08:31', 'request-id': '485f8d0f-b402-4378-b512-e35beeb7faf7', 'client-request-id': '7ffcd082-8103-422a-b76e-a56c175340ce'}}}
This was generated by using the msgraph and azure identity Python SDK with the following code:

scopes = ['User.Read.All', 'Notes.Read.All'] credential = DeviceCodeCredential(client_id=CLIENT_ID, tenant_id=TENNANT_ID) client = GraphClient(credential=credential, scopes=scopes) result = client.get('/me/onenote/notebooks') print(result.json())

The web login has been successful, but then I always get this error.

Sorry for the delay again, and thank you for your willingness to help :)
Zehui Yao_MSFT 5,876 Reputation points

2022-01-11T09:59:32.867+00:00

Hi @lemur , I have received your message, but our engineers still need some time to do the test, please understand that I have not replied for a long time, if there is any update I will immediately inform you.Thank you for your support
Zehui Yao_MSFT 5,876 Reputation points

2022-01-17T10:14:07.583+00:00

Hi @lemur , since we are in the test, before the results come out, I would like to ask if you have tried to log in to Onedrive (using UI/Web), can you log in successfully?
lemur 21 Reputation points

2022-01-17T10:28:17.95+00:00

Hi @Zehui Yao_MSFT thanks!
Yes, I am able to log in successfuly with that account to UI/Web versions of OneDrive, OneNote and other services.
Zehui Yao_MSFT 5,876 Reputation points

2022-01-18T10:53:37.57+00:00

Hi @lemur , going through our backend logs, the issue may be related to the the fact that the logs provided show that the user is an AAD user and not personal account. If the AAD user does not have a OneDrive license assigned then this error will happen.You can try to add a license for your user in AD portal and see if it works.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
lemur 21 Reputation points

2022-01-18T11:49:09.967+00:00

This is weird -- I'm trying to log with my personal account -- the one, I'm using to log in to all the services.
I don't want to assign One Drive for business to the in the AD portal.

How can I properly set up a programmatic login with my personal account then? Is there a way to do this? This is personal use only.

Thanks
Zehui Yao_MSFT 5,876 Reputation points

2022-01-19T06:04:58.66+00:00

Hi @lemur , I just tried to access onenote using my personal account, then I found out that you have to log in with admin tenant when creating an azure app , and give Devcaht admin consent after adding permissions so that you can access onenote with your personal account.
lemur 21 Reputation points

2022-01-19T07:01:43.09+00:00

Hey @Zehui Yao_MSFT ,
I did have all the permissions already granted -- please see here:

I double checked, I still cannot login with my personal account. Perhaps I need some other permission? I'm trying to access: /me/onenote/notebooks endpoint, so I think Notes.ReadAll should've been sufficient to complete that operation successfully.

Thanks
Zehui Yao_MSFT 5,876 Reputation points

2022-01-19T08:47:58.913+00:00

Hi @lemur , can you share the error message，is it the same as before? At the same time, can it be determined that the account is a personal account and not a work account? There is a another way to check if the account is a personal account by accessing: \me endpoint, if the id format is like this, then it can confirm this account is a personal account.
lemur 21 Reputation points

2022-01-19T09:03:36.967+00:00
Hey yes, I'm pretty sure I'm using my personal account (I don't have a work account even) since I'm using the same email as I do for login to my personal OneDrive and OneNote.
The error while accessing /me/onenote/notebooks is still the same as before (OneDrive for Business for this user account cannot be retrieved.).

Here's the redacted output of /me endpoint -- as you said it looks like a personal account, right (name, surname is correct, but I redacted it here)?

{'@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users/$entity', 'businessPhones': [], 'displayName': '*****', 'givenName': '*****', 'jobTitle': None, 'mail': None, 'mobilePhone': None, 'officeLocation': None, 'preferredLanguage': None, 'surname': '*****', 'userPrincipalName': '*****_gmail.com#EXT#@*****gmail.onmicrosoft.com', 'id': '786a*****-*****-*****-*****-*****465f'}

I don't know why this @*****gmail.onmicrosoft.com bit is here, ending in .omnisoft? I logged with @gmail.com email, so I don't know why it returns this instead. Maybe that's a clue?
Zehui Yao_MSFT 5,876 Reputation points

2022-01-21T11:00:05.41+00:00

Hi @lemur , did you use this account to log in to the Ad portal and request authentication?
lemur 21 Reputation points

2022-01-22T11:47:55.467+00:00

Yes, I can see it even in the logs that I log in with an admin account for that app (which is also a personal account). It's the same account across all the services as well as the AD.

Answer 2

lemur 21

@Zehui Yao_MSFT
When I changed my code to this:

scopes = ['User.Read.All', 'Notes.Read.All']  
credential = DeviceCodeCredential(client_id=CLIENT_ID,  tenant_id="common")  
client = GraphClient(credential=credential, scopes=scopes)  
result = client.get('/me/onenote/notebooks')  
print(result.json())

It says I log in successfully (as before) and then when I try to access /me/onenote/notebooks I get the following error:
{'error': {'code': '40001', 'message': 'The request does not contain a valid authentication token. Detailed error information: {0}', 'innerError': {'date': '2022-01-26T20:38:38', 'request-id': '89e111d3-6c57-449a-b6cd-51fec8cd3214', 'client-request-id': '400d9b85-4b24-48b4-adee-9e1ef669c3be'}}}

Zehui Yao_MSFT 5,876 Reputation points

2022-02-16T15:23:03.097+00:00

Hi @lemur , very sorry to reply to you so late, it looks like there is something wrong with your access token, would you mind sharing your token?

Answer 3

@lemur i'm having the same problem, i'm using a personal account, and i'm trying to use the "me/messages" route, but locally i receive the error "ErrorAccessDenied - Access is denied. Check credentials and try again."
I checked the authorization roles, and i'm using "common" instead "TenantID", but nothing solved the problem...
I did what you said, about copy the token created by Graph Explorer and use this on my application, and it works fine, but not solves the real problem.
Did you find a way to solve this?

Share via

Microsoft Graph API for Personal Accounts

3 answers

Your answer