Legacy / Azure AD Graph API - App Permissions

Question

Hi

I'm wanting an azure ad application to have the directory.read.all permission scope so it can read the directory.

What URL needs constructing to be able to do this?

Need to be in the legacy graph api

Cheers

Answer 1

@Chris Peacock , Inorder to this, you would need to provide the scope parameter with value "directory.read.all" while requesting a code/token from AAD, based on the OAuth flow you are using in your code.

For eg: In case you are using Client Credential Flow of OAuth, then you would need to specify the scope parameter with the value "directory.read.all" and send that request to the /token endpoint of AAD. But, in case you are using Authorization Code Grant Flow, then you need to specify the scope parameter with the value "directory.read.all" and send that request to the /authorize endpoint of AAD.

Note: While using the scope parameter, you would have to make the request to the v2.0 endpoint of AAD.

Sharing the sample requests for Authorization Code Grant Flow of OAuth2.0:

Sample Request 1: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/v2.0/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&scope=directory.read.all&state=12345

Note: It should be &scope=directory.read.all in the request after response_mode=fragment. Somehow scope is getting listed as >ope.

Incase you want to use the v1.0 endpoint, then you need to make sure that you have added the permission "directory.read.all" in the app registration's API permissions section and then you can use the request listed below:

Sample Request 2: https://login.microsoftonline.com/soumimsft.onmicrosoft.com/oauth2/authorize?client_id={client ID of the app}&response_type=code&redirect_uri={app's redirect uri}&response_mode=fragment&resource={resource name for which the code is being requested for. Eg: https://graph.microsoft.com}&state=12345&nonce=12345

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

Answer 2

Thanks

What is the state=12345 doing?

Answer 3

@soumi-MSFT

I did manage to get this working, I believe. When I use this URL it did ask to log in using an Azure AD admin account, and then it showed a message about what permissions it was about to allow.

https://login.microsoftonline.com/TENANTNAME.onmicrosoft.com/oauth2/v2.0/authorize?client_id=CLIENTID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=fragment&scope=directory.read.all&state=12345

However, the same issue occurs.

Let me throw some context here. We are using Environment Variables with Terraform. When we try to retrieve data from Azure AD we see this error. Others have reported this, and the fix was to apply permissions to the Legacy Graph API:

Error: Error listing Service Principals: graphrbac.ServicePrincipalsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-03-16T11:40:19","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":XXXXXXX