Tags: php, microsoft-graph-api, microsoft-graph-sdks

Creating users using the Microsoft Graph API (PHP)


Issue

I'm trying to build an app to integrate with the Microsoft Graph API.

I have an admin account in Azure, and have set up a new app through the portal. I've downloaded and installed the PHP SDK, and have managed to set everything up so that I can get a user successfully.

I can sign into the app and grant permissions to use my information (the permission I'm requesting is Directory.ReadWrite.All, but even just requesting User.ReadWrite.All is not working for me), however, my issue seems to be that I cannot access other users.

The following only returns my own user:

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model\User;

$graph = new Graph();
$graph->setAccessToken('/* SOMETOKEN */'); // access token obtained from the auth flow

// GET /users, deserialised into User model objects
$users = $graph->createRequest('GET', '/users')
    ->setReturnType(User::class)
    ->execute();

POSTing a new user returns me a 404 error:

use Microsoft\Graph\Model\PasswordProfile;
use Microsoft\Graph\Model\User;

$newUser = new User();
$newUser->setAccountEnabled(true);
$newUser->setGivenName('first_name');
$newUser->setSurname('last_name');
$newUser->setUserPrincipalName('some.email@address.com');

// initial password for the new account
$password = new PasswordProfile();
$password->setPassword('some_password');
$newUser->setPasswordProfile($password);

// POST /users with the User model as the JSON body
$user = $graph->createRequest('POST', '/users')
    ->attachBody($newUser)
    ->execute();

Returns:

{
    "error": {
        "code": "",
        "message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:a8ef4446a149de4d')/profile?api-version=AGSV1-internal'.",
        "innerError": {
            "date": "/* timestamp */",
            "request-id": "/* an id */",
            "client-request-id": "/* an id */"
        }
    }
}

Even trying to use Microsoft's Graph Explorer is getting these same errors.

Am I right in thinking this could be an account setup issue?

Update

Here is the error message the Graph Explorer is returning:

{
    "error": {
        "code": "",
        "message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:a8ef4446a149de4d')/profile?api-version=AGSV1-internal'.",
        "innerError": {
            "date": "2020-11-30T16:51:41",
            "request-id": "743030b4-8835-4a9f-9e3e-d35919a1c289",
            "client-request-id": "c40cd440-d873-ba38-dce7-8669bc561e64"
        }
    }
}

Solution

  • I have resolved this.

    Issue

    The issue was in the permission request. My app was set up to allow personal accounts as well as work/school ones. Logging in with a personal account, my user was not able to grant the *.ReadWrite or *.All permissions.

    While I was getting a token back from the auth request, it only had the User.Read permission.

    Steps needed to get access to all users working

    1. Change the app in Azure to only accept work/school accounts
    2. When my app tries to authenticate, I needed to log in with a work/school account
    3. Granting the permissions for User.Read.All should now work
    4. Hitting the /users endpoint should return all users

    To get write working, I needed to register for a Partner Center MPN ID and associate that with my app in Azure.
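The following is an added example (not the asker's or the answerer's code) that puts the steps above into one script: it first inspects the `scp`/`roles` claims of the access token so that a token carrying only `User.Read` is rejected locally with a clear message instead of an opaque Graph error, then lists users and creates one with every field `POST /users` requires (`displayName` and `mailNickname` in addition to those in the question), using a random initial password that must be changed at first sign-in. It assumes the Microsoft Graph PHP SDK is installed via Composer, that the token in the `GRAPH_ACCESS_TOKEN` environment variable (a placeholder name) came from a work/school sign-in, and that the `contoso.example` domain and user names are placeholders.

```php
<?php
// Added example, not the original post's code. Assumes composer package
// microsoft/microsoft-graph and a token from a work/school account sign-in.
require_once __DIR__ . '/vendor/autoload.php';

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model\PasswordProfile;
use Microsoft\Graph\Model\User;

/**
 * Decode a JWT payload WITHOUT verifying the signature. This is only for
 * local inspection of which permissions the token carries; Graph itself
 * validates the token. Returns the claims as an associative array.
 */
function decodeJwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a JWT');
    }
    // base64url -> base64, then strict decode
    $payload = base64_decode(strtr($parts[1], '-_', '+/'), true);
    $claims = json_decode((string) $payload, true);
    return is_array($claims) ? $claims : [];
}

/**
 * True when every required permission appears in the token's "scp"
 * (delegated, space-separated) or "roles" (application) claim.
 */
function tokenHasPermissions(string $jwt, array $required): bool
{
    $claims = decodeJwtPayload($jwt);
    $granted = [];
    if (isset($claims['scp']) && is_string($claims['scp'])) {
        $granted = array_merge($granted, explode(' ', $claims['scp']));
    }
    if (isset($claims['roles']) && is_array($claims['roles'])) {
        $granted = array_merge($granted, $claims['roles']);
    }
    foreach ($required as $perm) {
        if (!in_array($perm, $granted, true)) {
            return false;
        }
    }
    return true;
}

/** Random initial password; the user is forced to replace it at first sign-in. */
function generateInitialPassword(): string
{
    // 16 random bytes as hex plus upper/lower/symbol to satisfy complexity rules
    return bin2hex(random_bytes(16)) . 'Aa!';
}

$accessToken = getenv('GRAPH_ACCESS_TOKEN') ?: ''; // placeholder: supply your own token

// Fail early when the token only carries User.Read (the situation in the answer).
if (!tokenHasPermissions($accessToken, ['User.ReadWrite.All'])) {
    fwrite(STDERR, "Token lacks User.ReadWrite.All; sign in with a work/school account and consent to that scope.\n");
    exit(1);
}

$graph = new Graph();
$graph->setAccessToken($accessToken);

// With User.Read.All or higher this returns the directory, not just the caller.
$users = $graph->createRequest('GET', '/users?$select=id,userPrincipalName')
    ->setReturnType(User::class)
    ->execute();
printf("Listed %d users on the first page\n", count($users));

// accountEnabled, displayName, mailNickname, userPrincipalName and
// passwordProfile are all required by POST /users.
$password = new PasswordProfile();
$password->setPassword(generateInitialPassword());
$password->setForceChangePasswordNextSignIn(true);

$newUser = new User();
$newUser->setAccountEnabled(true);
$newUser->setDisplayName('First Last');
$newUser->setGivenName('First');
$newUser->setSurname('Last');
$newUser->setMailNickname('first.last');
$newUser->setUserPrincipalName('first.last@contoso.example'); // placeholder domain
$newUser->setPasswordProfile($password);

$created = $graph->createRequest('POST', '/users')
    ->attachBody($newUser)
    ->setReturnType(User::class)
    ->execute();
printf("Created %s with id %s\n", $created->getUserPrincipalName(), $created->getId());
```

The claim check is deliberately a pre-flight aid only: it reads the payload without signature verification, so it must never be used to make an authorization decision. Forcing a password change on first sign-in avoids leaving the initial password, which necessarily passed through the script, as a long-lived credential.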