microsoft-graph-api

Get user photo by graph API - started getting "forbidden by policy"


I am using the Microsoft Graph API to get user photos. I started receiving a 403 error with "ForbiddenByPolicy".

This call:

https://graph.microsoft.com/v1.0/users/<userid>/photo/$value

Returns now:

{
    "code": "ForbiddenByPolicy",
    "message": "invalid_role",
    "innerError": {
       ....
    }
}

Note that the call below still succeeds and returns user info:

https://graph.microsoft.com/v1.0/users/<userid>

Until recently, the "photo" call was also working fine. It is still working fine for myself (but not for other users). Is this a new change in Graph API? Is this a new bug in Graph API?

The consent is given for the "User.Read" and "User.BasicRead.All" scopes.

--- the inner error

{
    "date": "2023-08-14T09:06:26",
    "request-id": "40ed6973-e474-4bfa-872e-5cd5aa55d513",
    "client-request-id": "40ed6973-e474-4bfa-872e-5cd5aa55d513"
}

Another example (graph explorer)

https://graph.microsoft.com/v1.0/users/<somemail>/photo/$value
{
    "error": {
        "code": "ForbiddenByPolicy",
        "message": "invalid_role",
        "innerError": {
            "date": "2023-08-14T09:10:08",
            "request-id": "2552817c-471f-412b-9768-bafd2d5bd437",
            "client-request-id": "53131fc3-c103-9f2e-f5ec-7afa217dbf7d"
        }
    }
}

Decoded token (to make sure "User.BasicRead.All" is present):

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/e2eaf3b1-beaf-47c8-aebd-9ed8150e1671/",
  "iat": 1693391362,
  "nbf": 1693391362,
  "exp": 1693478062,
  "acct": 0,
  "acr": "1",
  "aio": "AVQAq/8UAAAA1MIZNHNfR80E6+9zD4ufcmxQJq9szF5kKTaUqYE9Grp415NSwIu8N6cUoKBt7YwAlacVWbAGujJVQ8fmD2xmbe7X0UXw/a9LpSKmWG/KDJw=",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "Graph Explorer",
  "appid": "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
  "appidacr": "0",
  "family_name": "***",
  "given_name": "***",
  "idtyp": "user",
  "ipaddr": "*****",
  "name": "******",
  "oid": "f551a47b-7265-4e25-a3e6-2b933b899cf6",
  "platf": "3",
  "puid": "1003200094407824",
  "rh": "0.ASEAsfPq4q--yEeuvZ7YFQ4WcQMAAAAAAAAAwAAAAAAAAAAhAI8.",
  "scp": "Calendars.Read Channel.ReadBasic.All DelegatedPermissionGrant.ReadWrite.All email Files.Read GroupMember.Read.All openid profile Tasks.ReadWrite Team.ReadBasic.All TeamSettings.Read.All User.Read User.ReadBasic.All",
  "signin_state": [
    "kmsi"
  ],
  "sub": "2pAn2I8jpIxyOsihr29VT51reFEl4n58Q4QbHciuv4A",
  "tenant_region_scope": "EU",
  "tid": "e2eaf3b1-beaf-47c8-aebd-9ed8150e1671",
  "unique_name": "*****",
  "upn": "******",
  "uti": "FXN4CMLDXEiyMnxqsqVgAA",
  "ver": "1.0",
  "wids": [
    "11648597-926c-4cf3-9c36-bcebb0ba8dcc",
    "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "69091246-20e8-4a56-aa4d-066075b2a7a8",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "75941009-915a-4869-abe7-691bff18279e",
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
    "cf1c38e5-3621-4004-a7cb-879624dced7c",
    "a9ea8996-122f-4c74-9520-8edcd192826c",
    "baf37b3a-610e-45da-9e62-d9d1e5e8914b",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_cc": [
    "CP1"
  ],
  "xms_ssm": "1",
  "xms_st": {
    "sub": "SB91M9_xYO6hFj5HnPTKFP5P04-mXneD0fmsFl59Ulo"
  },
  "xms_tcdt": 1478011165,
  "xms_tdbr": "EU"
}
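As an added example (not code from the question, and not Microsoft's SDK or Graph Explorer), here is a small Python helper for the two checks worth doing before opening a ticket for a 403 like this one: decode the access token's claims (inspection only, no signature validation, so it must never be used to make an authorization decision) to confirm the audience is Graph and that the permission you expect really appears in `scp` (or in `roles` for an application token), and pull the request-id, client-request-id and timestamp out of the error body so support can correlate the call. The token and the error body are constructed from the values shown in the question; the dummy signature and shortened claim list are my assumptions.

```python
import base64
import json

# Constructed sample token: header.payload.signature. The payload mirrors a
# subset of the claims shown in the question; the signature is a dummy because
# this helper only inspects claims and does NOT validate the token.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_PAYLOAD = {
    "aud": "00000003-0000-0000-c000-000000000000",
    "scp": "User.Read User.ReadBasic.All openid profile",
    "idtyp": "user",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "dummysig",
])

# The Microsoft Graph resource app id, as seen in the "aud" claim above.
GRAPH_AUDIENCE = "00000003-0000-0000-c000-000000000000"

# Constructed error body copied from the Graph Explorer example in the question.
SAMPLE_ERROR = """{"error": {"code": "ForbiddenByPolicy", "message": "invalid_role",
 "innerError": {"date": "2023-08-14T09:10:08",
 "request-id": "2552817c-471f-412b-9768-bafd2d5bd437",
 "client-request-id": "53131fc3-c103-9f2e-f5ec-7afa217dbf7d"}}}"""


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_for_graph(token: str, required_scopes) -> dict:
    """Report whether the token is for Graph and which required scopes are absent."""
    claims = decode_claims(token)
    # Delegated tokens list permissions in "scp" (space separated);
    # application tokens list them in "roles" (a JSON array).
    granted = set(claims.get("scp", "").split())
    granted |= set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") == GRAPH_AUDIENCE,
        "token_type": claims.get("idtyp", "unknown"),
        "granted": sorted(granted),
        "missing": sorted(s for s in required_scopes if s not in granted),
    }


def triage_graph_error(status: int, body: str) -> dict:
    """Extract the fields a support ticket needs from a Graph error response."""
    doc = json.loads(body)
    err = doc.get("error", doc)  # some clients surface the inner object directly
    inner = err.get("innerError", {})
    return {
        "status": status,
        "code": err.get("code"),
        "message": err.get("message"),
        "request_id": inner.get("request-id"),
        "client_request_id": inner.get("client-request-id"),
        "date": inner.get("date"),
        # A policy denial is not transient; only throttling/outage codes merit a retry.
        "retryable": status in (429, 503, 504),
    }


if __name__ == "__main__":
    print(json.dumps(check_token_for_graph(SAMPLE_TOKEN, ["User.ReadBasic.All"]), indent=2))
    print(json.dumps(triage_graph_error(403, SAMPLE_ERROR), indent=2))
```

The scope check uses the permission name exactly as it appears in the token's `scp` claim, so a typo in the name you ask for shows up as "missing" rather than silently passing. A 403 with the scope present and the audience correct is the signal that the denial is coming from the service side, which is what the request-id is for.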

Solution

  • The issue has been fixed by Microsoft (for me, it just started working again 19.09.2023).