Android Graph SDK. Access is denied. Check credentials and try again

Question

Hello.

Set up Graph SDK for Android as per instructions.
Added SAML - user is authorized and token is present.

Code that calls API:
mClient.me().contacts().buildRequest().async
.thenAccept {
Log.d("TEST", "collection=$it")
}
.exceptionally {
Log.d("TEST", "error=${it.message}")
null
}

Logcat:
E/global: CoreHttpProvider[processResponse] - 493Graph service exception Error code: ErrorAccessDenied
E/global: CoreHttpProvider[processResponse] - 493Error message: Access is denied. Check credentials and try again.
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493GET https://graph.microsoft.com/v1.0/me/contacts
E/global: CoreHttpProvider[processResponse] - 493SdkVersion : graph-java/v5.15.0
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493403 : Forbidden
E/global: CoreHttpProvider[processResponse] - 493[...]
E/global: CoreHttpProvider[processResponse] - 493
E/global: CoreHttpProvider[processResponse] - 493[Some information was truncated for brevity, enable debug logging for more details]
E/global: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: ErrorAccessDenied
Error message: Access is denied. Check credentials and try again.

    GET https://graph.microsoft.com/v1.0/me/contacts  
    SdkVersion : graph-java/v5.15.0  


    403 : Forbidden  
    [...]  

    [Some information was truncated for brevity, enable debug logging for more details]  

Permissions for Application on Azure:

Thank you.

Answer 1

Hi @Alexander Svarnik ,

As you can see below, I am able to replicate the same issue in Graph Explorer Application. As documented in List contacts API , you would have to grant "Contacts.Read" or "Contacts.ReadWrite" micosoft graph permissions to get a contact collection from the default contacts folder of the signed-in user.

Error Replication from Graph Explorer Application without Contacts.Read" or "Contacts.ReadWrite" micosoft graph permissions granted:
Example:

Succesful response in Graph Explorer Application after granting Contacts.Read" micosoft graph permissions :
Example:

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

Answer 2

Hi @Alexander Svarnik ,

Sorry for the delayed response.

You would need to configure the microsoft graph permissions for the application using which the authentication is being done and the access token is generated. Below are the steps to be followed to grant Microsoft graph permissions for the registered app in Azure AD.



If you are using application permissions scope in your application then you would have choose "Application Permissons" section

If you are using delegated permissions scope in your application then you would have choose "Deleted Permissons" section instead of "Application Permissions"

As shown in the above screenshot, Admin must grant admin consent for "Contacts.Read" or "Contacts.ReadWrite" application or delegated permissions.

Additional Documentation on App Registration & Authentication and authorization basics for Microsoft Graph :
https://learn.microsoft.com/en-us/graph/auth/auth-concepts
https://learn.microsoft.com/en-us/graph/auth-register-app-v2
https://learn.microsoft.com/en-us/graph/auth-v2-user
https://learn.microsoft.com/en-us/graph/auth-v2-service

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

Answer 3

Hi @JanardhanaVedham-MSFT

Thank you for response.

I ran Graph Explorer and see the same error. Based on your response I need to add permissions for Contacts.

Just want to describe how our android app is added:

1. On production corporate tenant A - application was created and registered as we are owner and creator of this app. There is generated Application_ID.
2. On Test tenant B - I have full admin access to Azure and want to make user from tenant B use our app with Contacts access.

Regarding your screenshot ListContacts I can't find a place where to allow Contacts.Read and Contacts.ReadWrite.
I added these permissions at:

This didn't help. Graph explorer still returns the same error.

According to this please help with these questions:

1. Where should I allow Contacts.Read and Contacts.ReadWrite
2. I I should allow this for our application - on what tennant? On Tenant A that is creator of app? Or Tenant B that is using app? On tenant B I couldn't find buttons that will add these permissions. On my original question post I added screenshots from Tenant B and permissions list.

Thank you a lot for helping.

Regards,
Alex.

Answer 4

Hi @JanardhanaVedham-MSFT

Please answer me, I couldn't find that section to enable permissions.

Regards,
Alex.

Answer 5

Hi @JanardhanaVedham-MSFT

Thank you a lot for help. Now android app can use Graph API for these purposes.