Call Graph API with token containing user object Id and User Name Identifier

    Question

  • Hello

    I am invoking the Graph API and allowing users to access my application only if they are members of certain AD groups.

    While calling the Graph API with a token containing user object Id and User Name Identifier.

    Some users are able to access the Graph API and some users are not (403 Forbidden).

    Let me know how to solve this issue.

    Thursday, April 27, 2017 12:50 PM

All replies

  • Hello

    I am invoking the Graph API and allowing users to access my application only if they are members of certain AD groups.

    While calling the Graph API with a token containing user object Id and User Name Identifier.

    Some users are able to access the Graph API and some users are not (403 Forbidden).

    Let me know how to solve this issue.

    Wednesday, May 17, 2017 3:16 AM
  • I would suggest creating a support incident. I do not believe you will want to share the information that I will need to troubleshoot this issue in the forum.

    One thing you can check on your own: take a look at the JWT token payload for a user that is working and one that is not working. This will give you an indication of the permission scopes that are present in the working users and the ones that do not work.

    If you are using ADAL, it is possible that you could be running into credential caching issues in the browser. Try having the non-working user run the application in an InPrivate session to try and isolate the credential cache.

    Regards,
    MaxV (MSFT)

    Wednesday, May 17, 2017 3:51 PM
  • After decoding the JWT token:

    Working user permission: "Directory.Read.All User.Read"

    Not working user permission: "User.Read"

    But I already set the permission at application level for Graph API access.

    Tuesday, May 23, 2017 8:16 AM
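
The comparison suggested in the reply above (decode the token payload for a working and a non-working user and diff the permission scopes) can be scripted. This is an added example, not code from the thread: the sample tokens are constructed and unsigned, the `oid` values are placeholders, the helper names are hypothetical, and it assumes delegated scopes are carried in the `scp` claim as a space-separated string, as Azure AD access tokens do.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only.

    The signature is NOT verified here, so this is a diagnostic aid and
    must never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def scopes(claims: dict) -> set:
    """Return the delegated scopes from the 'scp' claim (assumed space-separated)."""
    return set(claims.get("scp", "").split())


def compare_scopes(working_token: str, failing_token: str) -> dict:
    """Diff the scopes of a token that works against one that gets 403."""
    ok = scopes(decode_jwt_payload(working_token))
    bad = scopes(decode_jwt_payload(failing_token))
    return {
        "common": sorted(ok & bad),
        "missing_in_failing": sorted(ok - bad),
        "extra_in_failing": sorted(bad - ok),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples using the scope values reported in the thread.
WORKING = make_sample_token({"oid": "00000000-0000-0000-0000-000000000001",
                             "scp": "Directory.Read.All User.Read"})
FAILING = make_sample_token({"oid": "00000000-0000-0000-0000-000000000002",
                             "scp": "User.Read"})

if __name__ == "__main__":
    print(json.dumps(compare_scopes(WORKING, FAILING), indent=2))
```

Access tokens are bearer credentials, so decode real ones with a local script like this rather than pasting them into a forum post or an online decoder.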