Tags: node.js, azure-active-directory, microsoft-graph-api, passport.js, microsoft-graph-calendar

Error trying to access other tenant users calendars, using MS Graph API


I have a node.js/express application. I am trying to use the Microsoft Graph API to fetch users' Calendars [read-only].

OAuth2 library for login: passport-microsoft npm module.

I followed these steps in the Azure Portal:

  1. Go to Active Directory.
  2. Click on App Registrations in the left pane.
  3. Click on New Registration and create an app.
  4. Go to the new app.
  5. Click on Authentication in the left panel and add the redirect URIs.
  6. Go to API Permissions and enable the following:
     a. Delegated: Calendars.Read, Calendars.Read.Shared, profile
  7. Provide admin consent for all the permissions that require it.

However, only users who belong to my Azure organisation, the one under which I have registered my web application, are able to log in.

Users from other organisations are unable to log in. I get the following error message:

2019-11-11 10:16:35 default[20191109t101750]  InternalOAuthError: failed to fetch user profile
2019-11-11 10:16:35 default[20191109t101750]      at /srv/node_modules/passport-microsoft/lib/strategy.js:86:29
2019-11-11 10:16:35 default[20191109t101750]      at passBackControl (/srv/node_modules/oauth/lib/oauth2.js:132:9)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.<anonymous> (/srv/node_modules/oauth/lib/oauth2.js:157:7)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.emit (events.js:203:15)
2019-11-11 10:16:35 default[20191109t101750]      at IncomingMessage.EventEmitter.emit (domain.js:466:23)
2019-11-11 10:16:35 default[20191109t101750]      at endReadableNT (_stream_readable.js:1145:12)
2019-11-11 10:16:35 default[20191109t101750]      at process._tickCallback (internal/process/next_tick.js:63:19)

You can read my previous question for reference here


Solution

  • Registering the app as multi-tenant and granting admin consent in your own tenant is not enough.

    You also need to grant admin consent for this multi-tenant Azure AD app in each of the other tenants.

    To grant admin consent through a URL request:

    Construct a request to login.microsoftonline.com with your app's configuration and append &prompt=admin_consent.

    The URL will look like: https://login.microsoftonline.com/<tenant-id of other tenant>/oauth2/authorize?client_id=<client id>&response_type=code&redirect_uri=<redirect URI>&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent

    After signing in with the admin credentials of the other tenant, the app is granted consent for all users in that tenant.