403 Forbidden from the Azure Graph API

I get a 403 Forbidden response from Azure AD when I try to create an application using the Graph API:

    // Client-credential (app-only) flow: the token represents the application itself, not a signed-in user.
    // Requires the Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 2.x) and System.Net.Http packages.
    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    private static void CreateApplicationViaPost(string tenantId, string clientId, string clientSecret)
    {
        var authContext = new AuthenticationContext(
            string.Format("https://login.windows.net/{0}", tenantId));
        ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
        // Token for the Azure AD Graph resource, issued to the app (client credentials grant).
        AuthenticationResult result = authContext.AcquireToken(
            "https://graph.windows.net", clientCred);

        HttpClient client = new HttpClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        const string json = @"{
            displayName: ""My test app"",
            logoutUrl: ""http://logout.net"",
            identifierUris: [ ""http://identifier1.com"" ],
            replyUrls: [ ""http://replyUrl.net"" ]
        }";

        // POST to the tenant's applications collection (Azure AD Graph, api-version 1.6).
        HttpResponseMessage response = client.PostAsync(
            string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
            new StringContent(json, Encoding.UTF8, "application/json")).Result;
        Console.WriteLine(response.ToString());
    }

A client registered with Azure AD has all permissions: [screenshot: Permissions in Azure AD]

What am I missing?

EDIT: I registered my own client in Azure AD and gave it permission to write to Windows Azure Active Directory. This code creates the application in Azure AD:

    // Interactive user (delegated) flow: the token carries the signed-in user's consented scopes.
    // Requires the Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 2.x) and System.Net.Http packages.
    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    private static void CreateApplicationViaPost(string tenantId, string clientId, string redirectUri)
    {
        var authContext = new AuthenticationContext(
            string.Format("https://login.windows.net/{0}", tenantId));
        // Prompts the user to sign in; the resulting token is issued on behalf of that user.
        AuthenticationResult result = authContext.AcquireToken(
            "https://graph.windows.net", clientId, new Uri(redirectUri), PromptBehavior.Auto);

        HttpClient client = new HttpClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        const string json = @"{
            displayName: ""My test app1"",
            homepage: ""http://homepage.com"",
            logoutUrl: ""http://logout1.net"",
            identifierUris: [ ""http://identifier11.com"" ],
            replyUrls: [ ""http://replyUrl1.net"" ]
        }";

        HttpResponseMessage response = client.PostAsync(
            string.Format("https://graph.windows.net/{0}/applications?api-version=1.6", tenantId),
            new StringContent(json, Encoding.UTF8, "application/json")).Result;
        Console.WriteLine(response.ToString());
    }
3 answers

Changing the directory requires the consent of an admin user. Thus, you will need to get an access token from the user, for example through OAuth, instead of a token for the client.

There are quite a few examples on GitHub that show an authorization flow, for example https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet.

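A quick way to confirm the distinction this answer draws is to decode the claims of the bearer token that was actually sent: an Azure AD Graph token obtained with client credentials has no `scp` claim (application permissions appear under `roles`), while a token obtained for a signed-in user lists the consented delegated scopes in `scp`. The following is an added example, not code from the question or answers; the token payloads are constructed for illustration, and `Directory.Write` is assumed to be the scope name behind the "write to Windows Azure Active Directory" permission mentioned in the question.

```python
import base64
import json

# Helpers to build constructed sample tokens. The signature segment is a
# placeholder: this diagnostic only reads claims, it does not validate them.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _fake_jwt(payload: dict) -> str:
    header = _b64url({"typ": "JWT", "alg": "RS256"})
    return f"{header}.{_b64url(payload)}.placeholder-signature"

# Constructed: what a client_credentials (ClientCredential) token looks like.
APP_ONLY_TOKEN = _fake_jwt({
    "aud": "https://graph.windows.net",
    "tid": "00000000-0000-0000-0000-000000000000",   # placeholder tenant id
    "appid": "11111111-1111-1111-1111-111111111111", # placeholder client id
})

# Constructed: what an interactive (user) token looks like after admin consent.
DELEGATED_TOKEN = _fake_jwt({
    "aud": "https://graph.windows.net",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "upn": "admin@contoso.onmicrosoft.com",
    "scp": "Directory.Write UserProfile.Read",
})

def decode_claims(token: str) -> dict:
    """Base64url-decode the JWT payload WITHOUT checking the signature.
    Fine for diagnosing which token type was sent; never for trusting it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, required_scope: str = "Directory.Write") -> str:
    """Classify the token the way the 403 in the question can be explained."""
    claims = decode_claims(token)
    if claims.get("aud") != "https://graph.windows.net":
        return "wrong-audience"
    if "scp" in claims:
        scopes = claims["scp"].split()
        return "delegated-ok" if required_scope in scopes else "delegated-missing-scope"
    # No scp claim: app-only token; any application permissions live in roles.
    return "app-only-has-roles" if claims.get("roles") else "app-only-no-roles"
```

Run `diagnose()` on the `result.AccessToken` value from the question's first snippet and it lands in the `app-only-no-roles` branch, which is exactly why the directory write is refused even though the portal shows permissions assigned.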

Adding @MrBrink to the answer - you need to make sure that the person adding the permissions in the Azure Active Directory interface is actually the administrator. If you have access to Azure Active Directory and are not an administrator, it WILL still allow you to assign permissions - however, they will only apply to the user area.


An alternative would be to use the ActiveDirectoryClient from the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package.

    // Requires the Microsoft.Azure.ActiveDirectory.GraphClient and
    // Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 2.x) NuGet packages.
    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Microsoft.Azure.ActiveDirectory.GraphClient;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    private static async Task CreateApplication(string tenantId, string clientId, string redirectUri)
    {
        var graphUri = new Uri("https://graph.windows.net");
        var serviceRoot = new Uri(graphUri, tenantId);
        // The client calls back for a token; wrap the synchronous acquisition in a Task
        // instead of using an async lambda with no await.
        var activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
            () => Task.FromResult(AcquireTokenForUser(
                "https://login.microsoftonline.com/" + tenantId, clientId, redirectUri)));

        var app = new Application
        {
            Homepage = "https://localhost",
            DisplayName = "My Application",
            LogoutUrl = "https://localhost",
            IdentifierUris = new List<string> { "https://tenant.onmicrosoft.com/MyApp" },
            ReplyUrls = new List<string> { "https://localhost" }
        };

        await activeDirectoryClient.Applications.AddApplicationAsync(app);
        Console.WriteLine(app.ObjectId);
    }

    // Interactive sign-in: the token is issued for the user, so directory writes
    // succeed when that user has (or an admin has granted) the required permission.
    private static string AcquireTokenForUser(string authority, string clientId, string redirectUri)
    {
        var authContext = new AuthenticationContext(authority, false);
        var result = authContext.AcquireToken(
            "https://graph.windows.net", clientId, new Uri(redirectUri), PromptBehavior.Auto);
        return result.AccessToken;
    }
