Mircosoft Graphs API /common vs /{{tenant}}

Question

I have created one App registration in my azure email named:john@xyz.com and I have configured redirect URI and client secrets in it and also given API permission to that app.

I have created one user in other tenant and tired to login in my app using his credential so first I have sign in with below url

https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/authorize?client_id={{clientId}}&response_type=code&redirect_uri={{RedirectURI}}&response_mode=query&scope={{Group.Read.All User.Read User.Read.All}}&state=abc

After generate access token I got this list of permission: Group.Read.All GroupMember.Read.All IdentityProvider.Read.All openid User.Read User.Read.All profile email

in API response I was able use Microsoft Graph APIs /groups & /me but when trying to call /users endpoint getting below error

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-05-09T14:57:11",
            "request-id": "eea77793-9d1f-4f36-80ec-4e1b479274c2",
            "client-request-id": "eea77793-9d1f-4f36-80ec-4e1b479274c2"
        }
    }
}

Same thing it is working when I use /common endpoint. I was able to successfully call /me,/groups,/users endpoint

Thank you for any type of support. Just I need to understand difference between /common vs /{{tenantId}}

Answer 1

I suggest you to decode the access token (jwt.ms) and ensure proper permissions are granted in the target tenant for the requested operations (User.Read.All, etc.).

• /common Endpoint:

  • Used for multi-tenant applications where users from any tenant can authenticate.
  • Access token obtained can have broader permissions across multiple tenants.

• /{{tenantId}} Endpoint:

  • Targets authentication for a specific tenant only.
  • Access token is scoped to operations within the specified tenant.