
Why am I Getting "401 Unauthorized" for Microsoft Graph API Call?

I created the app in Tenant A and added it to Tenant B. I have granted the permissions in both tenants. Why am I getting this response every time I make an API call to the app?

resulted in a `401 Unauthorized` response: {"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be un (truncated...)

Here is the PHP request that I'm making (I am using the client id and client secret from the app in Tenant A):

<?php

require 'vendor/autoload.php'; // Composer autoloader for Guzzle and microsoft/microsoft-graph

use Microsoft\Graph\Graph;

$guzzle = new \GuzzleHttp\Client();

// Token request against the v1.0 endpoint, using the app registered in Tenant A.
$tenantId = 'common';
$clientId = 'ccc-ddd-fff';
$clientSecret = 'xxx-yyy-zzz';

$url = 'https://login.microsoftonline.com/' . $tenantId . '/oauth2/token?api-version=1.0';

try {
    $token = json_decode($guzzle->post($url, [
        'form_params' => [
            'client_id' => $clientId,
            'client_secret' => $clientSecret,
            'resource' => 'https://graph.microsoft.com/',
            'grant_type' => 'client_credentials',
        ],
    ])->getBody()->getContents());

    $accessToken = $token->access_token;
} catch (\Exception $e) {
    print $e->getMessage();
    exit(1); // no token was obtained, so do not continue to the Graph call
}

$graph = new Graph();
$graph->setAccessToken($accessToken);

// Read one message from a mailbox; this is the call that returns 401.
try {
    print_r($graph->createRequest("GET", '/users/email@email.com/messages/xxxxxxxxxxxxx==')->execute());
} catch (\Exception $e) {
    print $e->getMessage();
}

Both tenants have these permissions granted: Permissions in Tenant A and B

Firstly, according to the API document, you'd better add the Mail.ReadBasic.All application permission, but I'm not sure if it influenced your call here.

Your issue mainly comes from the fact that you used $tenantId = 'common';. You should set it to the tenant name (such as xxx.onmicrosoft.com) you'd like to call the API for. I mean that if you want to call /users/xxx@tenantA.com/messages, you should put tenant A's tenant id/name in the $tenantId variable, but when you want to call /users/yyy@tenantB.com/messages, you should set tenant B's.

The screenshot below shows the scenario when I used a token generated with common rather than my tenant name.


401 Unauthorized error: Is your token valid?

Make sure that your application is presenting a valid access token to Microsoft Graph as part of the request. This error often means that the access token may be missing in the HTTP authenticate request header or that the token is invalid or has expired. We strongly recommend that you use the Microsoft Authentication Library (MSAL) for access token acquisition. Additionally, this error may occur, if you try to use a delegated access token granted to a personal Microsoft account, to access an API that only supports work or school accounts (organizational accounts).

You can always leverage jwt.ms to check claims on your token. Use this and check if you have the necessary permissions to call an API endpoint.
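As an added example, not part of the question or of any of the answers above: the script below requests the app-only token for one named tenant, as the first answer recommends, and then decodes the token's claims locally (what jwt.ms does in the browser) to confirm the tid and roles before the Graph call is made. It assumes Guzzle is installed through Composer; the tenant id, client id, client secret and the sample token are placeholders or constructed values. It also uses the v2.0 token endpoint with the .default scope instead of the v1.0 resource parameter used in the question.

```php
<?php
// Added example: acquire a client-credentials token for ONE specific tenant and
// inspect its claims before calling Graph. All ids below are placeholders.

require 'vendor/autoload.php';

use GuzzleHttp\Client;

/**
 * Request an app-only token for a specific tenant. The client_credentials grant has
 * no signed-in user from whom a tenant could be inferred, so 'common' cannot work
 * here: the token must be issued by the tenant whose data you are about to read.
 */
function acquireAppToken(Client $http, string $tenant, string $clientId, string $clientSecret): string
{
    // '.default' asks for every application permission an admin consented to for
    // this app in that tenant; they come back in the token's 'roles' claim.
    $url = "https://login.microsoftonline.com/{$tenant}/oauth2/v2.0/token";
    $response = $http->post($url, [
        'form_params' => [
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'scope'         => 'https://graph.microsoft.com/.default',
            'grant_type'    => 'client_credentials',
        ],
    ]);
    $body = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    return $body['access_token'];
}

/** Base64url decode (RFC 7515 section 2): '-'/'_' alphabet, padding stripped. */
function base64UrlDecode(string $data): string
{
    $padLength = (4 - strlen($data) % 4) % 4;
    $decoded = base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $padLength), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $decoded;
}

/**
 * Return the payload claims of a JWT WITHOUT verifying the signature. This is for
 * local diagnostics only; Microsoft Graph validates the signature on its side, so
 * never base an authorisation decision in your own code on this output.
 */
function tokenClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('not a compact JWS: expected 3 dot-separated segments');
    }
    return json_decode(base64UrlDecode($parts[1]), true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Pre-flight check: is the token for the tenant we will query, is it unexpired, and
 * does it carry the application permissions the call needs? Returns a list of
 * problems; an empty list means none of the 401 causes discussed above apply.
 */
function diagnoseToken(array $claims, string $expectedTenantId, array $requiredRoles, int $now): array
{
    $problems = [];
    if (($claims['tid'] ?? null) !== $expectedTenantId) {
        $problems[] = 'tid mismatch: token issued for ' . ($claims['tid'] ?? '(none)')
                    . ", expected {$expectedTenantId}";
    }
    if (($claims['exp'] ?? 0) <= $now) {
        $problems[] = 'token expired';
    }
    $roles = $claims['roles'] ?? [];
    if ($roles === []) {
        // Exactly the NoPermissionsInAccessToken condition from the question.
        $problems[] = 'no roles claim: no application permissions consented in this tenant';
    }
    foreach (array_diff($requiredRoles, $roles) as $missing) {
        $problems[] = "missing application permission: {$missing}";
    }
    return $problems;
}

// Demo on a constructed, unsigned token (alg "none", dummy signature segment) so
// the diagnostics run offline. For a real run, replace this with:
//   $jwt = acquireAppToken(new Client(), 'tenantb.onmicrosoft.com', $clientId, $clientSecret);
$payload = ['tid' => 'TENANT-B-ID-PLACEHOLDER', 'exp' => 4102444800, 'roles' => ['Mail.ReadBasic.All']];
$b64url = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$fakeJwt = $b64url('{"alg":"none"}') . '.' . $b64url(json_encode($payload)) . '.sig';

print_r(diagnoseToken(tokenClaims($fakeJwt), 'TENANT-B-ID-PLACEHOLDER', ['Mail.Read'], time()));
```

Run against the token the question's script obtains with 'common', diagnoseToken reports a tid that is not Tenant B and an empty roles claim, which is what the NoPermissionsInAccessToken error is complaining about. Keep the claim decode strictly as a troubleshooting aid: it skips signature validation on purpose, because that check belongs to the resource server, not to the client.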

What I needed to do was prompt the Microsoft admin to grant permissions using a link similar to this one. Merely adding the enterprise from the Microsoft

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=offline_access+openid+profile+User.Read+Mail.ReadWrite+Mail.Send
&response_type=code
&client_id=a62b0808-2b1f-4efc-a3d6-ad1223dc06a9
&redirect_uri=https://myurl/blah.html
&response_mode=query
