Getting Exception when trying to get User Authentication EMailMethods

Question

Getting Exception when trying to get User Authentication EMailMethods

JS Arya 46

I am trying to update User EmailAuthenticationMethod in AD. While calling the Get method, It gives exception. I have highlighted the line on which it is throwing exception. If I deploy and run it for the first time, it runs. After that is starts to throw this exception

Exception I am getting :

022-09-02 09:23:28.678 +00:00 [Information] Call Entry: ## LOG IN EXCEPTION {"error":{"code":"accessDenied","message":"Request Authorization failed","target":null,"details":null,"innerError":{"code":null,"message":"Request Authorization failed","target":null,"details":null,"innerError":null,"throwSite":null,"clientRequestId":null,"additionalData":{"date":{"valueKind":3},"request-id":{"valueKind":3},"client-request-id":{"valueKind":3}},"throwSite":null,"clientRequestId":"a5481f0c-0695-4b06-bbee-a58f668878e8","additionalData":null},"responseHeaders":[{"key":"Transfer-Encoding","value":["chunked"]},{"key":"Vary","value":["Accept-Encoding"]},{"key":"Strict-Transport-Security","value":["max-age=31536000"]},{"key":"request-id","value":["a5481f0c-0695-4b06-bbee-a58f668878e8"]},{"key":"client-request-id","value":["a5481f0c-0695-4b06-bbee-a58f668878e8"]},{"key":"x-ms-ags-diagnostic","value":["{\"ServerInfo\":{\"DataCenter\":\"East US\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"001\",\"RoleInstance\":\"MN1PEPF00002F1E\"}}"]},{"key":"Date","value":["Fri, 02 Sep 2022 09:23:28 GMT"]}],"statusCode":403,"rawResponseBody":"{\"error\":{\"code\":\"accessDenied\",\"message\":\"Request Authorization failed\",\"innerError\":{\"message\":\"Request Authorization failed\",\"date\":\"2022-09-02T09:23:28\",\"request-id\":\"a5481f0c-0695-4b06-bbee-a58f668878e8\",\"client-request-id\":\"a5481f0c-0695-4b06-bbee-a58f668878e8\"}}","stackTrace":" at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\n at Microsoft.Graph.AuthenticationEmailMethodsCollectionRequest.GetAsync(CancellationToken cancellationToken)\n at Auth.Services.AzureADB2CGraphService.UpdateEmailAuthenticationMethod(Guid tenantId, UserEmailAuthenticationPostRequest postRequest, ILoggerService loggerService, IConfiguration _configuration) in /src/AuthService/Services/AzureADB2CGraphService.cs:line 762","message":"Code: accessDenied\nMessage: Request Authorization failed\nInner error:\n\tMessage: Request Authorization failed\nAdditionalData:\n\tdate: 2022-09-02T09:23:28\n\trequest-id: a5481f0c-0695-4b06-bbee-a58f668878e8\n\tclient-request-id: a5481f0c-0695-4b06-bbee-a58f668878e8\nClientRequestId: a5481f0c-0695-4b06-bbee-a58f668878e8\n","data":{},"innerException":null,"helpLink":null,"source":"Microsoft.Graph.Core","hResult":-2146233088}

try  
            {                 
               var scopes = new[] { "Directory.AccessAsUser.All", "UserAuthenticationMethod.ReadWrite.All" };  

               B2cCredentials b2cCredentials = BlobHelper.GetB2CCredentialsFromBlob(_configuration, tenantId);  

               var userName = $"%$$%$%$";  
               var password = "$%$%$$";  

               var options = new TokenCredentialOptions  
               {  
                   AuthorityHost = AzureAuthorityHosts.AzurePublicCloud                     
               };  

               var userNamePasswordCredential = new UsernamePasswordCredential(  
                                                       userName,  
                                                       password,  
                                                       b2cCredentials.B2cTenantId.ToString(),  
                                                       b2cCredentials.ClientId.ToString(),  
                                                       options);  


                var _graphClient = new GraphServiceClient(userNamePasswordCredential, scopes);  


               if (_graphClient != null)  
               {                
                    **var m = await _graphClient.Users[postRequest.UserId.ToString()]  
                    .Authentication.EmailMethods.Request().GetAsync();**  

                    if(m.Count > 0)  
                    {  
                        await _graphClient.Users[postRequest.UserId.ToString()]  
                        .Authentication.EmailMethods["0"]  
                        .Request()  
                        .PutAsync(new Microsoft.Graph.EmailAuthenticationMethod  
                        {  
                            EmailAddress = postRequest.Email  
                        });  
                    }  
                    else  
                    {  
                        await  _graphClient.Users[postRequest.UserId.ToString()]  
                        .Authentication.EmailMethods  
                        .Request()  
                        .AddAsync(new Microsoft.Graph.EmailAuthenticationMethod  
                        {  
                            EmailAddress = postRequest.Email  
                        });  
                    }  

               }                                  
            }      
            catch(Exception ex)  
            {           
               return ex.Message;  
            }

Answer 1

Zehui Yao_MSFT 3,801 Microsoft Vendor

Hi @JS Arya , According to the documentation, in addition to the corresponding permissions, this endpoint also requires your user to be a specific role, you can try to set the role for the user in AD.portal and retry this endpoint. Hope can help you, I wish you all the best.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

JS Arya 46 Reputation points

2022-09-05T09:06:59.95+00:00

We have created one special user to do this stuff. That user has been given Global Administrator role. Only missing thing was Application. We gave serAuthenticationMethod.ReadWrite.All to the application and tried again. We are still getting same error.

2022-09-05 08:54:55.189 +00:00 [Information] Call Entry: ## LOG IN EXCEPTION {"error":{"code":"accessDenied","message":"Request Authorization failed","target":null,"details":null,"innerError":{"code":null,"message":"Request Authorization failed","target":null,"details":null,"innerError":null,"throwSite":null,"clientRequestId":null,"additionalData":{"date":{"valueKind":3},"request-id":{"valueKind":3},"client-request-id":{"valueKind":3}},"throwSite":null,"clientRequestId":"3b6fe467-3b57-43fc-b736-b0004933a439","additionalData":null},......
Zehui Yao_MSFT 3,801 Reputation points Microsoft Vendor

2022-09-07T08:00:03.833+00:00

This is really strange, do you mind checking to see if admin consent have been granted in AD?
JS Arya 46 Reputation points

2022-09-09T04:34:10.617+00:00

Yes. Admin Consent is given. Still it is giving issues.
Zehui Yao_MSFT 3,801 Reputation points Microsoft Vendor

2022-09-20T03:02:22.09+00:00

Hi @JS Arya , We've been working on this issue to this day, through your code, I learned that the authentication method you use is OAuth 2.0 Resource Owner Password Credential. May I ask is the user of the app you're signing in to is an administrator-specific?
JS Arya 46 Reputation points

2022-09-24T07:51:39.83+00:00

I didn't get what you were trying to say. The user and password given in the code is a user we created and assigned Global Admin and other roles mentioned in the screenshot.

Getting Exception when trying to get User Authentication EMailMethods

1 answer

Activity