Using Azure MS Graph API Service Account with Managed Identity
I have got my Azure Portal setup with an app registration and the associated managed identity for my web api as well. As confusing as it seemed I was able to deploy my app and I tested out a basic command to pull the list of users in my azure tenant as shown below with the commented out code. I am using a service account for everything but I wanted to pull the calendar for a specific user and see their data and it came back with the following error:
"Content type text/html does not have a factory registered to be parsed"
I then tried it for pulling that users email messages and got the same error when trying to return the result. My permissions in the enterprise application are as follows:
My code is as follows:
[HttpGet(Name = "GetCalendar")]
[OktaAuthorizeAttribute]
[EnableRateLimiting("api")]
public async Task<IActionResult> Get()
{
var credential = new ChainedTokenCredential(
new ManagedIdentityCredential(),
new EnvironmentCredential());
string[] scopes = new[] { "https://graph.microsoft.com/.default" };
var graphServiceClient = new GraphServiceClient(
credential, scopes);
List<MSGraphUser> msGraphUsers = new List<MSGraphUser>();
try
{
//var result = await graphServiceClient.Users["dfasdfdfdsafklsaf-dfsdaf-sdfdf-d"].Events.GetAsync((requestConfiguration) =>
//{
// requestConfiguration.QueryParameters.Select = new string[] { "subject", "body", "bodyPreview", "organizer", "attendees", "start", "end", "location" };
//});
var result = await graphServiceClient.Users["dfasdfdfdsafklsaf-dfsdaf-sdfdf-d"].Messages.GetAsync();
//var users = await graphServiceClient.Users.GetAsync();
return Ok(result);
}
catch (Exception ex)
{
string msg = ex.Message;
return Ok(msg);
}
}
Am I using the service account incorrectly in general or in my code? I know to do things on behalf of the user I would authorization flow and I am using client credential flow but when I look at the descriptions of these permissions I set (ie calendar.readwrite : Allows the app to create, read, update, and delete events of all calendars without a signed-in user.) it makes me think I should have access to ALL users so even the ones below.
I was thinking it could be using the Users[""] , i tried the email address and also the id from the user query I was able to pull originally since it gives it and nothing.
I agree with @Nick.McDermaid, it is not an authorization issue.
I created an Azure Web App and turned-on Identity like below:
Now, I assigned permissions to the Enterprise application like below:
Generated the access token via Kudu like below:
$resourceURI = "https://graph.microsoft.com"
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&api-version=2019-08-01"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
Check if the access token has proper permissions by decoding the token:
I tried to retrieve user by using the above access token successfully:
https://graph.microsoft.com/v1.0/users/UserID
The error "Content type text/html does not have a factory registered to be parsed" usually occurs if the response is not in the expected format that is the response must be in JSON format.
The error might occur due to several reasons like:
- The proxy server between web app and the Microsoft Graph API is returning an HTML response.
- The Microsoft Graph API is returning an HTML response due to an issue with the code.
- The response content type might have not set to
application/json.
To resolve the error, Install Fiddler and check the HTTP traffic between web application and the Microsoft Graph API.
You can also make use of Microsoft Graph Developer Proxy by Sébastien Levert to check the Microsoft Graph request details.
- Use the generated access token and in the Microsoft Graph API to check if the request works.
- Try making use of
newtonsoft.jsonlibrary and check.
If still the issue persists after the above changes, then make use of Authorization code flow and check.
UPDATE:
To resolve the issue, upgrade to a business package, assign the user to license and then set up.
Reference:
azure - Content type text/html does not have a factory registered to be parsed by Glen Scales.