为什么我在 Microsoft Graph API 调用中收到“401 Unauthorized”？

Question

I created the app in Tenant A and added it to Tenant B. I have granted the permissions in both tenants. Why am I getting this response every time I make an API call to the app?

resulted in a `401 Unauthorized` response: {"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be un (truncated...)

Here is the PHP request that I'm making (I am using the client id and client secret from the app in Tenant A):

<?php

use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

use Microsoft\Graph\Graph;

$guzzle = new \GuzzleHttp\Client();

$tenantId = 'common';
$clientId = 'ccc-ddd-fff';
$clientSecret = 'xxx-yyy-zzz';

$url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/token?api-version=1.0';

try {
    $token = json_decode($guzzle->post($url, [
        'form_params' => [
            'client_id' => $clientId,
            'client_secret' => $clientSecret,
            'resource' => 'https://graph.microsoft.com/',
            'grant_type' => 'client_credentials',
        ],
    ])->getBody()->getContents());

    $accessToken = $token->access_token;

} catch (\Exception $e) {
    print $e->getMessage();
}

$graph = new Graph();
$graph->setAccessToken($accessToken);

try {
    print_r($graph->createRequest("GET", '/users/email@email.com/messages/xxxxxxxxxxxxx==')->execute());
} catch (\Exception $e) {
    print $e->getMessage();
}

Both tenants have these permissions granted: Permissions in Tenant A and B

Answer 1

Firstly, according to the api document , you'd better to add Mail.ReadBasic.All application permission, but I'm not sure if it influenced your calling here.

Your issue mainly came from that you used $tenantId = 'common'; , you should set it as the tenant name (such as xxx.onmicrosoft.com) you'd like to calling the api for. I mean that if you wanna call /users/xxx@tenantA.com/messages , you should put tenantA's tenant id/name to the $tenantId variable, but when you wanna call /users/yyy@tenantB.com/messages , you should set tenantB's.

Screenshot below showed the scenario when I used a token generated by common but not my tenant name.

Answer 2

401 Unauthorized error: Is your token valid?

Make sure that your application is presenting a valid access token to Microsoft Graph as part of the request. This error often means that the access token may be missing in the HTTP authenticate request header or that the token is invalid or has expired. We strongly recommend that you use the Microsoft Authentication Library (MSAL) for access token acquisition. Additionally, this error may occur, if you try to use a delegated access token granted to a personal Microsoft account, to access an API that only supports work or school accounts (organizational accounts).

You can always leverage jwt.ms to check claims on your token. Use this and check if you have the necessary permissions to call an API endpoint.

Answer 3

What I needed to do was prompt the Microsoft admin to grant permissions using a link similar to this one. Merely adding the enterprise from the Microsoft

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=offline_access+openid+profile+User.Read+Mail.ReadWrite+Mail.Send
&response_type=code
&client_id=a62b0808-2b1f-4efc-a3d6-ad1223dc06a9
&redirect_uri=https://myurl/blah.html
&response_mode=query