Azure 企业应用程序安全组中带有客户端凭据身份验证流程的 Graph API 请求的“未找到用户”

Question

Design

Goal

Get calendar events for a given user.

Requirements

1. Application should have access to the MS Graph API.
2. Application should act like a daemon/background process and not depend on user's login.
3. Application should have access to the minimal number of users' data in the Azure Active Directory (AAD).
4. Application should be able to fetch user's calendar events and create them.

Implementation / Setup

• to fulfill (1) Azure (Enterprise) App was created as described here .
• to enable (2) client credentials flow was used with the setup of application permissions
• to meet (3) a security group - as described here - was created with a limited number of users with the related policy that included related permissions (see here ). The group was later connected to the app following this instruction.
• to implement (4) the Calendar.Read and Calendar.ReadWrite as required by the actions here and here were added to the policy mentioned in the previous setup step.

Testing

Two HTTP requests were used: one to get the token and another to read events.

1. token request from the Identity Platform

curl --location --request POST 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token' \
--data-raw 'client_id=<APPLICATION_TOKEN>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<APPLICATION_SECRET>&grant_type=client_credentials'

Upon inspection of the token here I see that it contains required permissions:

  "roles": [
    "Calendars.Read",
    "Calendars.ReadWrite"
  ]

2. fetch request of the calendar events from Graph API

curl --location --request GET 'https://graph.microsoft.com/v1.0/users/<USER_ID>/calendar/events' \
--header 'Authorization: Bearer <TOKEN>'

results in the following error:

{
  "error": {
    "code": "ResourceNotFound",
    "message": "User not found",
    "innerError": {
      "date": "2022-02-08T08:25:39",
      "request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b",
      "client-request-id": "bfaca1f9-e79b-491c-8d75-5a62317e299b"
    }
  }
}

The user id is from my account that I found in the Azure Active Directory details of the Azure Tenant. I double-checked that after adding other users.

Before-asking investigation

This issue looks closest to my case as it uses the client credentials auth flow. But it uses global permissions for all users in the AAD, while we use more fine-grained approach with a security group . It also shows a different error "Resource could not be discovered." versus "User not found" in my case.

Answer 1

In order to call /{user-id}/calendar/events to work the user must have mailbox on Exchange Online if you are using client credentials for Daemon applications.

Also, It seems assigning license to a guest account (Personal account in this case) is not possible and hence the user account never gets access to the calendar service (part of o365 exchange online) due to which it cannot retrieve the calendar information of personal account.

Please refer my answer similar to this in Q&A for detailed description.

Answer 2

Short Version
I was missing the application permissions and assumed that they are assigned on the level of security group . Only restriction happen on that level.

Long Version
The updated mental model looks like this:

It means that the application permissions for MS Graph API are required.
The security group is only restricting / limiting the access to the users mentioned in the policy .