How to authorize service to use Microsoft Graph user account without user interaction?


I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.
I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.
I am trying to use OAuth Resource Owner Password Credentials Grant.
I can get an authorization token like this:
    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password
    &resource=https://graph.microsoft.com
    &client_id=<ID of application registered with Azure AD>
    &username=<Microsoft username>
    &password=<password>&scope=Files.ReadWrite.All
But the response only indicates scope User.Read:
    {
      "token_type": "Bearer",
      "scope": "User.Read",
      "expires_in": "3600",
      "ext_expires_in": "0",
      "expires_on": "1494467388",
      "not_before": "1494463488",
      "resource": "https://graph.microsoft.com",
      "access_token": "eyJ0e...",
      "refresh_token": "AQAB..."
    }
And when I try to list files in the account's One Drive, I do not get an error, but the response contains no items:
Request:

    GET https://graph.microsoft.com/v1.0/me/drive/root/children
    Authorization: bearer eyJ0e...

Response:

    {
      "#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
      "value": []
    }
When I make the same request in Graph Explorer when logged in with the same account, the response includes all the items in that account's one drive root.
I understand that Microsoft Graph does not currently support application-only file access when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that user's files.
Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?
If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

Please try clicking Grant Permissions (better using an admin account) in the "Required permissions" blade after granting the "Have full access to all files user can access" permission for Microsoft Graph.
After that, acquire a token using the Resource Owner Password flow; you will find Files.ReadWrite.All in the scp claim. Then you can call the Microsoft Graph API to list files.
Please let me know whether it helps.
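
The check described in the answer above (looking for Files.ReadWrite.All in the token's scp claim), as an added example that is not part of the original posts: it decodes the access token payload and reports which required delegated scopes are missing. The function names are hypothetical and the sample tokens are constructed and unsigned; the decode does not verify the signature, so it is for diagnostics only.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_report(token_response, required):
    """Compare the delegated scopes in the token's scp claim with those required."""
    claims = jwt_claims(token_response["access_token"])
    granted = set(claims.get("scp", "").split())
    return {
        "delegated": "scp" in claims,  # app-only tokens carry "roles" instead
        "granted": granted,
        "missing": set(required) - granted,
    }


def make_sample_response(scp):
    """Build a constructed, unsigned token response (sample data, not real output)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64({"typ": "JWT", "alg": "RS256"})
    body = b64({"aud": "https://graph.microsoft.com", "scp": scp})
    token = ".".join([header, body, "constructed-signature"])
    return {"token_type": "Bearer", "scope": scp, "access_token": token}


if __name__ == "__main__":
    need = {"Files.ReadWrite.All"}
    before = scope_report(make_sample_response("User.Read"), need)
    after = scope_report(make_sample_response("Files.ReadWrite.All User.Read"), need)
    print("before consent, missing:", sorted(before["missing"]))
    print("after consent, missing:", sorted(after["missing"]))
```

A non-empty "missing" set on a token obtained after requesting Files.ReadWrite.All matches the situation in the question, where the response only carried User.Read.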

The issue with this is due to permissions on the Graph API. The reason is since you are logged in under a specific user for the Microsoft Graph Explorer - you are able to see everything ... due to the fact you have authenticated as a single person ... the reason you see nothing is because the app-only permissions do not work.
