Microsoft图形和Azure广告用户身份验证

Question

I have an application registered in Azure ad.

When i do ADAL with the following details i get a authoriazation token to use with microsoft graph api.

    `username      = 'admin@domain.com'
    password      = 'password123'
    client_id     = application id from azure ad
    client_secret = keys from application on azure ad
    tenant        = directory id from azure ad`

Using this token i can fetch the list of all sites in my sharepoint account.

Below is the endpoint i call to fetch the sites with the bearer token: https://graph.microsoft.com/v1.0/sites?search=*

But when I just do the client authentication using token generated using below endpoint Iam not able to access the sites list. login.microsoftonline.com/tenant_id/oauth2/v2.0/token

    `grant_type : client_credentials
    clientid : client_id
    clientsecrte : client_secret
    scope : https://graph.microsoft.com`

It does not return all of the sites.

Is there a way of getting all sites list with just client authentication.

Or can i get a token for user authentication without user password.

Here is the token decoded that i am using: { "aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/", "iat": 1528949458, "nbf": 1528949458, "exp": 1528953358, "aio": "Y2dgYLh*************xAAA=", "app_displayname": "App Name", "appid": "504ddb16-2899-48be-be57-**********", "appidacr": "1", "idp": "https://sts.windows.net/586145ec-0428-4da6-8061-fb114257ab70/", "oid": "afcf166f-24c2-49f1-b285-b672d0413c50", "roles": [ "Sites.Read.All", "Sites.ReadWrite.All", "Sites.Manage.All", "Sites.FullControl.All", ], "sub": "afcf166f-24c2-49f1-b285-b672d0413c50", "tid": "586145ec-0428-4da6-8061-fb114257ab70", "uti": "hwYd8FZCH0KruWGRFiIHAA", "ver": "1.0" }

I get other permissions also but these are site related in Microsoft Graph api

Answer 1

Cause:

The successful one is using ROPC flow and it can get delegated permissions onbehlaf of the user. But the failed one is using client_credentials flow which get application permissions and cannot onbehlf of the user.

---

Updated Answer

Solution:(Before you do this test, ensure you have SPO license in your tenant)

1. Try to add Sites.Read.All Application permission in your registrated AAD Application and do admin consent for it before you getting token.

2. If you're using AAD v1 endpoint, you can do admin consent by clicking Grant permissions button .If you're using v2 endpoint, please input this kind of URL in your internet browser to do admin grant:

   https://login.microsoftonline.com/{yourtenant}/adminconsent?client_id={the applicationid of your client}&state=123&redirect_uri={the redirect uri of your app}

and sign in with Global admin account and accept this permission.

3. In my test lab, I used v2 endpoint.Here is the token I got via Postman:

Here is decoded token in https://jwt.ms , we can decoded the token to ensure it has the permissions we want.

4. Then I use this token in the head to call Microsoft Graph API and succeeded:

For more detials about Site permission for Microsoft Graph, please refer to this documentation .

Please let me know if this helps!