How to retrieve a list of OAuth scopes for authorized Azure AD applications using Microsoft Graph API?
To clarify, I have limited knowledge about Azure AD. I'm trying to make a list of the OAuth scopes for applications that users have authorized. For example, when a user clicks on "Login with Microsoft," an application might request access to view the user's identity, read their email, or access their OneDrive files.
In Google Workspace, you can find this information using the following link: https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens?hl=en
I would appreciate any guidance. I have created a Developer Account in Microsoft 365 and have used several applications, but I have not been able to find a user interface or method using the Microsoft Graph API to obtain this information.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and granted API permissions:
In the Azure Enterprise Applications, search your application and copy the ObjectID of Service Principal:
To list the OAuth scopes for authorized Azure AD applications, try the below:
GET https://graph.microsoft.com/v1.0/servicePrincipals/ServicePrincipalObjID/oauth2PermissionGrants
Output:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#oauth2PermissionGrants",
"value": [
{
"clientId": "xxxx",
"consentType": "AllPrincipals",
"id": "xxxx",
"principalId": null,
"resourceId": "xxxx",
"scope": "profile offline_access User.Read openid email"
}
]
}
For example, when a user clicks on "Login with Microsoft," an application might request access to view the user's identity, read their email, or access their OneDrive files.
To achieve your scenario, create an Azure AD Application and assign the required API permissions:
To sign-in the user to the Application, I generated authorization code by using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The auth code got generated successfully like below:
By using the below parameters, I generated the access token like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
When I decoded the token, the scopes are like below:
By using the above access token, you can call the APIs like below:
To get the signed-in user details, I used below query:
https://graph.microsoft.com/v1.0/me
You can configure the graph queries in your code and access them based on your requirement.
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs