

How to authorize service to use Microsoft Graph user account without user interaction?


I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.
I have registered an application with Azure AD and granted the "Have full access to all files user can access" permission for Microsoft Graph.
I am trying to use OAuth Resource Owner Password Credentials Grant.
I can get an authorization token like this:
POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All
But the response only indicates scope User.Read:
{
  "token_type": "Bearer",
  "scope": "User.Read",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1494467388",
  "not_before": "1494463488",
  "resource": "https://graph.microsoft.com",
  "access_token": "eyJ0e...",
  "refresh_token": "AQAB..."
}
And when I try to list files in the account's OneDrive, I do not get an error, but the response contains no items:
Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...
Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
  "value": []
}
When I make the same request in Graph Explorer when logged in with the same account, the response includes all the items in that account's OneDrive root.
I understand that Microsoft Graph does not currently support application-only file access when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just the application) I would expect to get access to that user's files.
Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?
If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

Please try to click Grant Permissions (better using an admin account) in the "Required permissions" blade after granting the "Have full access to all files user can access" permission for Microsoft Graph.
After that, acquire a token using the Resource Owner Password flow; you will find Files.ReadWrite.All in the scp claims. Then you could call the Microsoft Graph API to list files.
Please let me know whether it helps.
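
A way to confirm the point in the answer above, as an added example that is not part of the original thread: decode the access token's payload and check its scp claim for Files.ReadWrite.All before calling Graph. The helper names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, so this is a consent diagnostic rather than token validation.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def missing_scopes(token_response: dict, required: set) -> set:
    """Required delegated scopes that are absent from the token's scp claim."""
    claims = jwt_claims(token_response["access_token"])
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    return set(required) - granted


def make_sample_token(scp: str) -> str:
    """Constructed, unsigned sample token (hypothetical, for this demo only)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}),
                     b64({"aud": "https://graph.microsoft.com", "scp": scp}),
                     "constructed-signature"])


REQUIRED = {"Files.ReadWrite.All"}
# Constructed responses: before and after "Grant Permissions" was clicked.
BEFORE_CONSENT = {"scope": "User.Read",
                  "access_token": make_sample_token("User.Read")}
AFTER_CONSENT = {"scope": "Files.ReadWrite.All User.Read",
                 "access_token": make_sample_token("Files.ReadWrite.All User.Read")}

if __name__ == "__main__":
    for name, resp in (("before", BEFORE_CONSENT), ("after", AFTER_CONSENT)):
        gap = missing_scopes(resp, REQUIRED)
        print(name, "consent:", "OK" if not gap else f"missing {sorted(gap)}")
```
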

The issue with this is due to permissions on the Graph API. The reason is since you are logged in under a specific user for the Microsoft Graph Explorer - you are able to see everything ... due to the fact you have authenticated as a single person ... the reason you see nothing is because the app-only permissions do not work.
