I'm working on my first application using the MS Graph API, and I'm struggling with the permission configuration/usage.
Problem description
I'm using Postman to test my configuration before coding the actual stuff; I'm accessing the API on behalf of a user (me). I followed both of these guides in the docs:
I want to be able to:
I configured the app and currently I have these permissions set:
With this configuration, I can get an access token with Postman and, with this token, access the Calendar APIs, but I get an auth error accessing the /people API with this 403 response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
Additionally, this gets printed in the Postman console:
You need to add user delegated permissions in your application to at least People.Read in portal.azure.com and then consent as user or Grant admin consent in portal. Then, go to the Delegated folder > Authorization tab > scroll down and click on Get New Access Token button.
The configured People.Read permission does not show up in the received token. Postman Access Token modal:
Decoded Token:
What I have tried
Online searches for the problem do not give me relevant results, except for this. The answer at the link got me to this, which seems to be relevant, but I can't find a way to operate on the page itself:
I obviously tried logging out/in several times and getting new access tokens; still, no People.Read in the token.
What am I missing?
Step 5 in Use Postman with the Microsoft Graph API says "leave all the fields as pre-configured", including the "Scope" field, which by default is set to https://graph.microsoft.com/.default:
Using the .default scope value like this means the app is saying: "I would like access to the Microsoft Graph resource service (https://graph.microsoft.com), for whatever delegated access has been granted on behalf of the signed-in user. If no access has been granted yet, attempt to prompt the user for consent for the permissions configured on the application."
This means that as soon as any delegated permissions have been granted for that client app, that API, and that user, the list of requested permissions configured on the app registration is ignored entirely.
In your case, Calendars.Read, Calendars.ReadWrite, and Calendar.ReadBasic are already granted (but People.Read is not granted), so that's why you'll keep seeing only those three permissions, no matter how often you sign in again or get a new token.
The best thing to do here is to explicitly identify which scopes your app (or Postman, in this case) needs, by directly naming them in the "Scopes" parameter, instead of using .default: https://graph.microsoft.com/Calendars.ReadWrite https://graph.microsoft.com/People.Read.
In this case, we're identifying the target resource (API) as Microsoft Graph, with the prefix https://graph.microsoft.com/. When the resource identifier is omitted, it is assumed to be Microsoft Graph, so you could shorten this by just asking for Calendars.ReadWrite People.Read:
This is the same pattern you'll want to follow when building your real app (though of course you'd be using a library such as MSAL for all the sign-in and token acquisition).
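As an added example (not part of the question or answer above, and not MSAL's own code), here is the pattern in plain Python: the authorization request names its delegated scopes explicitly instead of `.default`, and the client inspects the `scp` claim of the token it got back so a missing People.Read is caught before the call to /people returns a 403. The client id, redirect URI and sample token are placeholders or constructed values; the tenant segment `common` is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
TENANT = "common"  # assumption: replace with your tenant id for single-tenant apps


def build_authorize_url(client_id, redirect_uri, scopes):
    """Build the v2.0 authorization request with scopes named explicitly,
    rather than the `.default` value Postman pre-fills. Bare names such as
    "People.Read" are prefixed with the Graph resource URI so the request
    is unambiguous (Graph is also the assumed resource when omitted)."""
    full = [s if s.startswith("https://") else f"{GRAPH}/{s}" for s in scopes]
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(full),
    }
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT without verifying the signature.
    Fine for a client looking at its own token (as the asker did in Postman);
    a resource server must validate the signature before trusting claims."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_scopes(token, required):
    """Return the required delegated scopes absent from the token's `scp` claim,
    so the app can re-consent instead of hitting /people and getting 403."""
    granted = set(decode_jwt_payload(token).get("scp", "").split())
    return sorted(set(required) - granted)


def _fake_jwt(payload):
    """Constructed test token: header and signature segments are dummies."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"


# Constructed sample mirroring the question: only the calendar scopes that
# were consented earlier are present in the token.
SAMPLE_TOKEN = _fake_jwt({"aud": GRAPH, "scp": "Calendars.Read Calendars.ReadWrite"})

if __name__ == "__main__":
    print(build_authorize_url("<client-id>", "<redirect-uri>", ["Calendars.ReadWrite", "People.Read"]))
    print(missing_scopes(SAMPLE_TOKEN, ["Calendars.ReadWrite", "People.Read"]))  # ['People.Read']
```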