Microsoft Graph API为MSA用户返回UnknownError

Question

We are using Microsoft V2.0 OpendID protocol as an SSO approach to make MSA and AAD users login into our application.

Following are the scopes that we are using in authorization URL

openid profile email user.read

After user gave consent, with the access token that we got from token API ( /oauth2/v2.0/token -- scope = user.read ), we are making Microsoft Graph call to https://graph.microsoft.com/v1.0/me in order to get email and other user info.

Until 3/12/2018 the above call was working as expected. But starting from 3/13/2018 we are seeing weird behavior from the API.

For the MSA users who are newly coming to our application to sign in, https://graph.microsoft.com/v1.0/me is throwing following errors.

Error 1:

{
    "error": {
        "code": "RetryWithPuid",
        "message": "Please retry With PUID in either token or URL",
        "innerError": {
            "request-id": "18386e9b-c30e-459d-b816-f67f4a843874",
            "date": "2018-03-14T10:42:11"
        }
    }
}

Error 2:

{
    "error": {
        "code": "UnknownError",
        "message": "{\r\n  \"ErrorCode\": \"ErrorUserResolutionFailedAfterMailboxSuccessfullyProvisioned\",\r\n  \"Message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileNotFoundException' was thrown.\",\r\n  \"Target\": null,\r\n  \"Details\": null,\r\n  \"InnerError\": null,\r\n  \"InstanceAnnotations\": []\r\n}",
        "innerError": {
            "request-id": "23c18edc-d451-4056-ab7c-0c23fb7b77f5",
            "date": "2018-03-14T08:03:11"
        }
    }
}

The above errors are unstable. We are not seeing the above issue for the users who already signed into our application (before 3/12).

I could not able to find any info regarding above errors.

Answer 1

I'm facing the same issue right now, we were not receiving this error before. I found a way to make it work while doing some tests, but didn't find a proper solution yet.

The steps are :

• Go to https://developer.microsoft.com/en-us/graph/graph-explorer
• Sign in with the user, then under Getting Started, run the my profile query
• Go back to your app and try to sign in, the error is gone

Answer 2

Quick fix: Login in Microsoft graph-explorer with the account you the face problem. Microsoft will ask for some permission and after allowing it.There is no error Please retry With PUID

No proper way to fix this. The Azure team should fix this issue asap

Answer 3

Tested that too and I can confirm it is perfectly reproducible. Steps are:

• create a new MS account (@outlook.com, for example)
• create a test app using new application developer portal. Give that app some basic Graph permissions
• use Azure AD OAuth2 v2.0 endpoint in the simplest form of implicit OAuth2 grant ( https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-implicit ) to get the access token
• try calling https://graph.microsoft.com/v1.0/me with that token