How to authorize service to use Microsoft Graph user account without user interaction?


I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.

I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.

I am trying to use OAuth Resource Owner Password Credentials Grant.

I can get an authorization token like this:

    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password
    &resource=https://graph.microsoft.com
    &client_id=<ID of application registered with Azure AD>
    &username=<Microsoft username>
    &password=<password>&scope=Files.ReadWrite.All

But the response only indicates scope User.Read:

    {
      "token_type": "Bearer",
      "scope": "User.Read",
      "expires_in": "3600",
      "ext_expires_in": "0",
      "expires_on": "1494467388",
      "not_before": "1494463488",
      "resource": "https://graph.microsoft.com",
      "access_token": "eyJ0e...",
      "refresh_token": "AQAB..."
    }

And when I try to list files in the account's OneDrive, I do not get an error, but the response contains no items:

Request:

    GET https://graph.microsoft.com/v1.0/me/drive/root/children
    Authorization: bearer eyJ0e...

Response:

    {
      "#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
      "value": []
    }

When I make the same request in Graph Explorer when logged in with the same account, the response includes all the items in that account's OneDrive root.

I understand that Microsoft Graph does not currently support application-only file access, when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that user's files.

Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?

If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

Please try clicking Grant Permissions (better to use an admin account) in the "Required permissions" blade after granting the "Have full access to all files user can access" permission for Microsoft Graph.

After that, acquire a token using the Resource Owner Password flow; you will find Files.ReadWrite.All in the scp claims. Then you can call the Microsoft Graph API to list files.

Please let me know whether it helps.
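
A way to run the check described in the answer above before calling Graph, as an added example that is not part of the original question or answers: it decodes the access token's payload and reports which required delegated scopes are missing from the scp claim. The sample tokens are constructed and unsigned, the function names are hypothetical, and the payload is decoded for inspection only, with no signature verification.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(access_token: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is NOT checked)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def delegated_scopes(token_response: dict) -> set:
    """Scopes carried in the token's scp claim (a space-separated string)."""
    claims = jwt_claims(token_response["access_token"])
    return set(claims.get("scp", "").split())


def missing_scopes(token_response: dict, required: set) -> set:
    """Required scopes that the issued token does not carry."""
    return set(required) - delegated_scopes(token_response)


def _sample_token(scp: str) -> str:
    # Constructed, unsigned token for this example; real tokens come from Azure AD.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "scp": scp}
    return ".".join([enc({"typ": "JWT", "alg": "none"}), enc(payload), "sig"])


# Constructed token responses: before and after "Grant Permissions" is clicked.
BEFORE_CONSENT = {"scope": "User.Read",
                  "access_token": _sample_token("User.Read")}
AFTER_CONSENT = {"scope": "Files.ReadWrite.All User.Read",
                 "access_token": _sample_token("Files.ReadWrite.All User.Read")}

if __name__ == "__main__":
    required = {"Files.ReadWrite.All"}
    for name, resp in (("before", BEFORE_CONSENT), ("after", AFTER_CONSENT)):
        gap = missing_scopes(resp, required)
        print(name, "consent: missing", sorted(gap) if gap else "nothing")
```

Running this check in the service right after token acquisition turns a silent empty `value` list into an explicit failure when consent has not been granted.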

The issue with this is due to permissions on the Graph API. The reason is that, since you are logged in under a specific user for the Microsoft Graph Explorer, you are able to see everything ... due to the fact that you have authenticated as a single person ... the reason you see nothing is that the app-only permissions do not work.
