403 forbidden when calling Graph API from Postman but works fine from Graph Explorer
My aim is to get an application to interact with Azure Connectors. At the moment, I'm focusing on getting working connections before I dive into the actual code.
I am trying to get GET https://graph.microsoft.com/v1.0/external/connections to work. (doc)
On a test Azure tenant, I've set up an app registration for Single-page application allowing me to use the implicit OAuth 2.0 authentication flow. (Grants access tokens, not ID tokens, and I've allowed public client flows just in case)
Note that the simple get user request (no special permissions needed) works fine from Postman with this setup. (GET https://graph.microsoft.com/v1.0/me)
However, when I got to the actual connectors request, things stopped working. I set up Delegated permissions for ExternalConnection.Read.All. This permission is enough to get the request to work on Graph Explorer, but now I am getting 403 forbidden responses on Postman when the request is sent out (not the authentication request, which works fine and returns an access token).
I've tried adding application permissions on top of delegated permissions, to no avail.
I would like to keep the implicit flow if possible, I am just surprised by how difficult this is.
As mentioned in this MS Document, with the plans for removing third party cookies from browsers, the implicit grant flow is no longer a suitable authentication method.
I registered one Single-page application and granted same API permissions as below:
When I tried to fetch the external connections by generating token using implicit flow, I too got same error:
GET https://graph.microsoft.com/v1.0/external/connections
Response:
To resolve the error, I used Authorization Code(With PKCE) flow for generating access token via Postman and got the response successfully:
GET https://graph.microsoft.com/v1.0/external/connections
Response:
Make sure to include Origin header while generating token with Authorization code(with PKCE) flow for Single-page application:
Origin: <your redirect URL>
You can also use client credentials flow by granting permission of Application type and use it for fetching list of external connections like this:
GET https://graph.microsoft.com/v1.0/external/connections
Response:
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services
- port 7071 is unavailable. Close the process using that port, or specify another port using --port [-p]
- Azure - RBAC to Management Group
- Why is AVD remove client's maximize to current display option grayed out?
- Azure get EID List with API
- Synchronise Azure files to blob store
- trigger logic app from Azure Service bus in sequance