unable to make api call to azure registered app with invoke-webrequest - remote server returned an error 401

HK G 511 Reputation points
2022-05-28T02:59:01.94+00:00

I have been using the following code to make a Graph API call on an Azure registered app. It was working for a while but it stopped working all of a sudden a couple of days ago. The error was "The remote server returned an error: (401) Unauthorized". I don't think there was any change and the script is pretty simple. I used the same parameters in Postman and it works fine for me. So I am not sure what is happening and am hoping someone can help with this. Thank you.

# obtain access token

$TenantId = "my-tenant-id"
$ClientId = "my-client-id"
$ClientSecret = "my-client-secret"
$RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"

$Body = @{
    client_id     = $ClientId
    scope         = 'https://graph.microsoft.com/.default'
    client_secret = $ClientSecret
    grant_type    = 'client_credentials'
}

$Params = @{
    Uri         = $RequestAccessTokenUri
    Method      = 'Post'
    Body        = $Body
    ContentType = 'application/x-www-form-urlencoded'
}

$response = Invoke-WebRequest @Params -UseBasicParsing | ConvertFrom-Json

# api call

$Headers = @{ "Authorization" = "$($response.token_type) $($response.access_token)" }
$uri = "https://graph.microsoft.com/v1.0/groups"
Invoke-WebRequest -Headers $Headers -Uri $uri -Method Get | ConvertFrom-Json


Accepted answer
  1. AmanpreetSingh-MSFT 56,301 Reputation points
    2022-05-30T07:06:27.837+00:00

    Hi @HK G • Thank you for reaching out.

    The HTTP 401 status code is returned if the required permissions are not included in the token. In order to successfully get the result of GET https://graph.microsoft.com/v1.0/groups call, one of the below permissions must be included in the Roles claim within the token:

    • GroupMember.Read.All
    • Group.Read.All
    • Directory.Read.All
    • Group.ReadWrite.All
    • Directory.ReadWrite.All

    However, when I used your code to obtain the access token, I didn't get the required permissions in the token.

    Cause:

    1. You are making a call to the V1 token endpoint and the resource parameter is not supplied in the body.
    2. You have specified the scope https://graph.microsoft.com/.default but making a call to the V1 endpoint.

    Resolution:

    • Use V2 token endpoint by setting $RequestAccessTokenUri to "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" (notice v2.0 in the url).

    OR

    • If you want to use the V1 endpoint, update the body with the resource parameter as mentioned below:

      $Body = @{
          client_id     = $ClientId
          resource      = 'https://graph.microsoft.com/'
          client_secret = $ClientSecret
          grant_type    = 'client_credentials'
      }

    Hope this helps.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
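The following PowerShell script is an added example illustrating the accepted answer above; it is not code from the original question or answer. It requests the token from the v2.0 endpoint with the .default scope, decodes the JWT payload locally, and checks that the roles claim contains one of the five application permissions the answer lists before the /groups call is ever sent, so a missing-permission problem surfaces as a clear local error instead of a bare 401 from Graph. The tenant id, client id and client secret are placeholders you must replace; the hypothetical helper ConvertFrom-JwtPayload is defined in the block.

```powershell
# Added example (not from the original post). Placeholders: replace with your own values.
$TenantId     = "<your-tenant-id>"
$ClientId     = "<your-client-id>"
$ClientSecret = "<your-client-secret>"

# v2.0 endpoint: this is the endpoint that understands the 'scope' parameter
# with the /.default suffix. The v1 endpoint expects 'resource' instead.
$TokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$TokenResponse = Invoke-RestMethod -Method Post -Uri $TokenUri `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

# Hypothetical helper: decode the (unverified) payload segment of a JWT so the
# claims can be inspected locally. Signature validation is Graph's job, not ours.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = ($Jwt -split '\.')[1]
    # JWT segments are base64url without padding; convert to standard base64.
    $payload = $payload.Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
}

$Claims = ConvertFrom-JwtPayload -Jwt $TokenResponse.access_token

# Any one of these application permissions authorizes GET /v1.0/groups
# (the list from the accepted answer).
$RequiredRoles = 'GroupMember.Read.All', 'Group.Read.All', 'Directory.Read.All',
                 'Group.ReadWrite.All', 'Directory.ReadWrite.All'

$Granted = @($Claims.roles)
$Match   = $RequiredRoles | Where-Object { $Granted -contains $_ }

if (-not $Match) {
    throw "Token has no roles claim matching [$($RequiredRoles -join ', ')]; granted roles: [$($Granted -join ', ')]. Check the app's API permissions and admin consent."
}

# Also confirm the token was actually issued for Microsoft Graph. Depending on
# the tenant, 'aud' is either the Graph resource URI or Graph's well-known app id.
$GraphAudiences = 'https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000'
if ($GraphAudiences -notcontains $Claims.aud) {
    throw "Token audience is '$($Claims.aud)', not Microsoft Graph; the request was sent with the wrong scope/resource."
}

$Headers = @{ Authorization = "$($TokenResponse.token_type) $($TokenResponse.access_token)" }
$Groups  = Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/groups' -Headers $Headers
$Groups.value | Select-Object id, displayName
```

Running this against the original script's v1 endpoint URL (with scope instead of resource) is how you would see the failure locally: the decoded payload either lacks a roles claim or carries an audience other than Graph, and the script throws before any call reaches the API.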


1 additional answer

  1. sikender mohammad 0 Reputation points
    2023-06-03T21:16:16.42+00:00

    Still the same issue. Any workarounds?