How do I authorize a service to use a Microsoft Graph user account without user interaction?

I want my server application to interact with its own Excel files using Microsoft Graph. That is, the files belong to the application and not to the specific user of the application.

I registered the app with Azure AD and granted it the "Have full access to all files available to users" permission for Microsoft Graph.

I am trying to use the OAuth Resource Owner Password Credentials grant.

I can get the authorization token like this:

POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All

But the response only shows the scope User.Read:

{
  "token_type": "Bearer",
  "scope": "User.Read",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1494467388",
  "not_before": "1494463488",
  "resource": "https://graph.microsoft.com",
  "access_token": "eyJ0e...",
  "refresh_token": "AQAB..."
}

And when I try to list the files in the OneDrive account, I don't get an error, but the response contains no items:

Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...

Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
  "value": []
}

When I make the same request in Graph Explorer while logged in to the same account, the response includes all the items in that account's drive root.

I understand that Microsoft Graph does not currently support app-only file access when authorized through the OAuth Client Credentials grant (as per the instructions for calling Microsoft Graph from a service), but since I am obtaining authorization for a specific user account (not just for the app), I expect to be able to access that user's files.

Am I doing something wrong, or is file access not supported using the Resource Owner Password Credentials grant?

If the latter, how can I get my app to be able to use user credentials to manipulate Excel files through Microsoft Graph without user interaction?

UPDATE:

I had admin rights assigned to the account I am using and re-set the Microsoft Graph permissions in the Azure Portal, but it still doesn't work for me.

Below are the details of the account I am using: [screenshot omitted]


2 answers


Try clicking Grant Permissions (preferably using an administrator account) under Required Permissions after granting "Have full access to all files available to users" for Microsoft Graph: [screenshot omitted]

After that, using the resource owner token, you will find Files.ReadWrite.All in scp. Then you can call the Microsoft Graph API to list the files.

Update

Below are the steps I use to make the resource owner flow work:

  • Register your own application and add the "Have full access to all files available to users" delegated permission for Microsoft Graph (do not click the Grant Permissions button shown above). Using the resource owner password credentials grant, get the access token; you will find only User.Read in scp:

    POST https://login.microsoftonline.com/common/oauth2/token
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&client_id=XXXXXXXXXX&resource=https://graph.microsoft.com/&username=XXXXXX&password=XXXXXXX

  • Click the Grant Permissions button shown in the picture above. Using the resource owner password credentials grant again to get the access token, you will now find Files.ReadWrite.All User.Read in scp: [screenshot omitted]

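As an added illustration (not from the question or either answer), the following Python checks what a Resource Owner Password Credentials token actually carries before the drive endpoint is called, which is the quickest way to tell a missing-consent token (scp of only User.Read) from a usable one. The unsigned sample token is constructed for the offline demonstration, and the request function is a plain urllib rendering of the POST shown in the question.

```python
import base64
import json
import urllib.parse
import urllib.request

# v1 token endpoint and resource exactly as posted in the question
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/token"
GRAPH_RESOURCE = "https://graph.microsoft.com"
REQUIRED_SCOPES = {"Files.ReadWrite.All"}   # delegated scope the drive calls need


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.
    Inspection only (e.g. reading scp); never use this for access decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_scopes(token_response: dict) -> set:
    """Scopes actually granted: the response's 'scope' field, or the
    access token's scp claim when that field is absent or empty."""
    scope_str = token_response.get("scope") or \
        decode_jwt_payload(token_response["access_token"]).get("scp", "")
    return set(scope_str.split())


def missing_scopes(token_response: dict, required=REQUIRED_SCOPES) -> set:
    """Required scopes the token lacks (empty set means the call may proceed).
    A token carrying only User.Read is the symptom in the question: the
    Files.ReadWrite.All permission was never consented for the app."""
    return set(required) - granted_scopes(token_response)


def request_ropc_token(client_id: str, username: str, password: str) -> dict:
    """Resource Owner Password Credentials request in the form the question
    posts (live network call; the three arguments are caller-supplied)."""
    body = urllib.parse.urlencode({"grant_type": "password",
                                   "resource": GRAPH_RESOURCE,
                                   "client_id": client_id,
                                   "username": username,
                                   "password": password}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def build_unsigned_token(claims: dict) -> str:
    """Constructed 'alg: none' JWT for the offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Call `missing_scopes(request_ropc_token(...))` right after the token request; a non-empty result means consent has not been granted in the portal yet, so the `/me/drive/root/children` call will return an empty `value` exactly as in the question.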


The problem here has to do with the rights to the Graph API. You can see everything in Microsoft Graph Explorer because you are logged in as a specific user, that is, authenticated as one person. The reason you cannot see anything from your app is that app-only permissions don't work.


