azure, oauth-2.0, azure-active-directory, adal, office365api

Azure ADAL OutlookServiceClient cannot get data for non-admin account


I am using Azure AD and Office 365 APIs to do the OAuth in my project. My problem is that I can only have an admin account (like "[email protected]") authorized and get data, but a non-admin regular account (e.g., "[email protected]") cannot.

How I implement the OAuth2

  1. Get the authorization code:

      https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id={my client Id}&redirect_uri={redirect uri}&resource=https%3A%2F%2Foutlook.office365.com%2F&state={guid}

  2. Get access token and refresh token:

      // Redeem the authorization code for tokens (ADAL)
      TokenCache tokenCache = new TokenCache();
      ClientCredential credential = new ClientCredential(clientId, clientSecret);
      AuthenticationContext authContext = new AuthenticationContext(authorityUrl, tokenCache);
      AuthenticationResult authResult = authContext.AcquireTokenByAuthorizationCode(authorizationCode, new Uri(redirectUri), credential, resourceUri);
      string accessToken = authResult.AccessToken;
      string refreshToken = authResult.RefreshToken;

  3. Get user's data (e.g., calendar events):

      // The client calls this callback to obtain the bearer token for each request
      OutlookServicesClient outlookClient = new OutlookServicesClient(new Uri(resourceUri + "/api/v2.0"), async () => { return accessToken; });
      List<Event> microsoftEvents = new List<Event>();
      // Fetch the first 10 calendar events of the signed-in user
      var events = await outlookClient.Me.Events.Take(10).ExecuteAsync();
      foreach (IEvent calendarEvent in events.CurrentPage)
      {
        Event microsoftEvent = new Event
        {
          Subject = calendarEvent.Subject,
          Body = calendarEvent.Body,
          Location = calendarEvent.Location,
          Start = calendarEvent.Start,
          End = calendarEvent.End
        };
        microsoftEvents.Add(microsoftEvent);
      }

Note:

  1. I am not sure if it is caused by Azure AD permission setting, so all available permissions are granted for "Windows Azure Active Directory" and "Office 365 Exchange Online" for now.
  2. I did not pay for this Azure AD. I have an Office 365 Developer Account, and there is a link to AAD inside of Office Admin Centers. Not sure if this is the reason. Do I need to pay for an additional AAD subscription?

Update on 11/2/2016

  1. Previous misunderstanding about accounts. Accounts like "[email protected]" are Office 365 accounts, not admin accounts. Hotmail accounts are actually regular Microsoft accounts.

  2. As mentioned by Jason, Azure v1 endpoints do not support Microsoft account authorization. This mainly concerns the authorization code generation.

  3. The Azure AD application must be created in the new portal (https://apps.dev.microsoft.com). Otherwise, it would report an "Application not supported" issue.


Solution

  • You said you granted ALL permissions for Exchange and Active Directory. Some of those permissions require an administrator, which is likely your problem. You should only grant the permissions that your application requires.
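
One way to check the least-privilege advice above is to list the delegated permissions an issued access token actually carries and compare them with what the application needs. This is an added example, not part of the original question or answer. It assumes the access token is a JWT whose `scp` claim holds the space-separated delegated permissions, that `Calendars.Read` is all the calendar query on this page requires, and it uses a constructed, unsigned sample token. It only inspects the payload and does not validate the signature.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenScopeAudit
{
    // Decode the payload segment of a compact JWT (inspection only, no signature check).
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWT");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using (JsonDocument doc = JsonDocument.Parse(json))
            return doc.RootElement.Clone();
    }

    // Delegated permissions present in the token but not required by the application.
    public static List<string> ExcessScopes(string jwt, ISet<string> required)
    {
        JsonElement payload = DecodePayload(jwt);
        string scp = payload.TryGetProperty("scp", out JsonElement v) ? v.GetString() ?? "" : "";
        return scp.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
                  .Where(s => !required.Contains(s))
                  .ToList();
    }

    // Helper used only to build the constructed sample token below.
    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample; in the page's code the real value is authResult.AccessToken.
        string payload = "{\"aud\":\"https://outlook.office365.com/\"," +
                         "\"scp\":\"Calendars.Read Mail.ReadWrite Contacts.ReadWrite\"}";
        string jwt = B64Url("{\"alg\":\"none\"}") + "." + B64Url(payload) + ".sig";

        // Assumption: reading calendar events needs only Calendars.Read.
        var required = new HashSet<string> { "Calendars.Read" };
        foreach (string scope in ExcessScopes(jwt, required))
            Console.WriteLine("granted but not required: " + scope);
    }
}
```

Any scope this reports is a candidate for removal from the application's configured permissions.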