Search code examples
azureazure-active-directoryonedrivemicrosoft-graph-api

How to authorize service to use Microsoft Graph user account without user interaction?

I want my server application to interact with it's own Excel files using Microsoft Graph. That is, the files belong to the application, not a particular user of the application.

I have registered an application with Azure ID and granted "Have full access to all files user can access" permission for Microsoft Graph.

I am trying to use OAuth Resource Owner Password Credentials Grant.

I can get an authorization token like this:

POST https://login.microsoftonline.com/common/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource=https://graph.microsoft.com
&client_id=<ID of application registered with Azure AD>
&username=<Microsoft username>
&password=<password>&scope=Files.ReadWrite.All

But the response only indicates scope User.Read:

{
  "token_type": "Bearer",
  "scope": "User.Read",
  "expires_in": "3600",
  "ext_expires_in": "0",
  "expires_on": "1494467388",
  "not_before": "1494463488",
  "resource": "https://graph.microsoft.com",
  "access_token": "eyJ0e...",
  "refresh_token": "AQAB..."
}

And when I try to list files in the account's One Drive, I do not get an error, but the response contains no items:

Request:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
Authorization: bearer eyJ0e...

Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('<account ID>')/drive/root/children",
  "value": []
}

When I make the same request in Graph Explorer when logged in with same account the response includes all the items in that account's one drive root.

I understand that Microsoft Graph does not currently support application-only file access, when authorized via OAuth Client Credentials Grant (as per instructions for calling Microsoft Graph in a service), but since I am getting authorization for a particular user account (not just application) I would expect to get access to that users files.

Am I doing something wrong, or is file access not supported using Resource Owner Password Credentials Grant either?

If the latter, how can I achieve allowing my application to use user credentials to manipulate Excel files via Microsoft Graph without user interaction?

UPDATE:

I have had administrator permissions assigned to the account I am using, and re-set the application permissions for Microsoft Graph in the Azure Portal, but it still is not working for me.

Here are details of the account I am using:

enter image description here

Solution

  • Please try to click Grant Permissions(better using admin account) in "Required permissions" blade after granted "Have full access to all files user can access" permission for Microsoft Graph: enter image description here

    After that acquire token using Resource Owner Password flow , you will find Files.ReadWrite.All in scp claims . Then you could call microsoft graph api to list files .

    Update

    Here is the steps how i make the resource owner flow work :

    1. register a native app , Add the "Have full access to all files user can access" delegate permission for Microsoft Graph(don't click grant permissions button as above picture shown) . using Resource Owner Password Credentials Grant and get the access token ,only find User.Read in scp claim :

      POST https://login.microsoftonline.com/common/oauth2/token Content-Type: application/x-www-form-urlencoded grant_type=password&client_id=XXXXXXXXXX&resource=https://graph.microsoft.com/&username=XXXXXX&password=XXXXXXX

    2. click grant permissions button as above picture shown , using Resource Owner Password Credentials Grant and get the access token ,you could find Files.ReadWrite.All User.Read in scp claim :

    enter image description here