How to authorize service to use Microsoft Graph user account without user interaction?


I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.
I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.
I am trying to use OAuth Resource Owner Password Credentials Grant.
I can get an authorization token like this:

    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password
    &resource=https://graph.microsoft.com
    &client_id=<ID of application registered with Azure AD>
    &username=<Microsoft username>
    &password=<password>&scope=Files.ReadWrite.All

But the response only indicates scope User.Read:

    {
      "token_type": "Bearer",
      "scope": "User.Read",
      "expires_in": "3600",
      "ext_expires_in": "0",
      "expires_on": "1494467388",
      "not_before": "1494463488",
      "resource": "https://graph.microsoft.com",
      "access_token": "eyJ0e...",
      "refresh_token": "AQAB..."
    }

And when I try to list files in the account's OneDrive, I do not get an error, but the response contains no items:

Request:

    GET https://graph.microsoft.com/v1.0/me/drive/root/children
    Authorization: bearer eyJ0e...

Response:

    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
      "value": []
    }

When I make the same request in Graph Explorer when logged in with the same account, the response includes all the items in that account's OneDrive root.
I understand that Microsoft Graph does not currently support application-only file access when authorized via OAuth Client Credentials Grant (as per the instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just the application), I would expect to get access to that user's files.
Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?
If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

Please try clicking Grant Permissions (preferably using an admin account) in the "Required permissions" blade after granting the "Have full access to all files user can access" permission for Microsoft Graph:
After that, acquire a token using the Resource Owner Password flow; you will find Files.ReadWrite.All in the scp claims. Then you can call the Microsoft Graph API to list files.
Please let me know whether it helps.
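
To confirm what the answer above describes, the access token's payload can be decoded and its scp claim checked before calling Graph. The following Python is an added example, not part of the original answers; the helper names and the sample tokens are constructed for illustration, and the token signature is deliberately not verified.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Return the payload claims of a compact JWT WITHOUT verifying its
    signature: suitable for inspecting a token you just requested, never for
    deciding whether to trust one."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def missing_scopes(access_token, required):
    """Delegated permissions in `required` that are absent from `scp`."""
    granted = set(token_claims(access_token).get("scp", "").split())
    return sorted(set(required) - granted)


def is_app_only(access_token):
    """App-only (client credentials) tokens carry `roles` and no `scp`."""
    claims = token_claims(access_token)
    return "scp" not in claims and bool(claims.get("roles"))


def sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real one)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "none"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    before = sample_token({"scp": "User.Read"})  # scope seen in the question
    after = sample_token({"scp": "Files.ReadWrite.All User.Read"})
    for label, tok in (("before consent", before), ("after consent", after)):
        print(label, "-> missing:", missing_scopes(tok, ["Files.ReadWrite.All"]))
```
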

The issue with this is due to permissions on the Graph API. The reason is that since you are logged in under a specific user for the Microsoft Graph Explorer - you are able to see everything ... due to the fact you have authenticated as a single person ... the reason you see nothing is because the app-only permissions do not work.