How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?
I have written this code - this API is supposed to return user's information list of my Azure AD app (has delegated permission - User.ReadBasic.All). I have done settings for
"TenantId": "","ClientId": "" & "ClientSecret": ""
in appsettings.json file. But I am getting an "401 Unauthorized" error even if I sent the request with token from Postman.
namespace WebApplication4.Controllers
{
[Route("api/[controller]")]
[ApiController]
public class UsersController : ControllerBase
{
private readonly ITokenAcquisition _tokenAcquisition;
public UsersController(ITokenAcquisition tokenAcquisition)
{
_tokenAcquisition = tokenAcquisition;
}
[HttpGet]
public async Task<IActionResult> GetUsers()
{
try
{
// Acquire the access token for Microsoft Graph
var token = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { "User.ReadBasic.All", "User.Read" });
// Create the GraphServiceClient with an authentication provider
var graphClient = new GraphServiceClient(new AuthProvider(token));
var usersRequestBuilder = graphClient.Users;
var users = await usersRequestBuilder
.GetAsync(requestConfiguration: request =>
{
request.QueryParameters.Select = new[] { "displayName", "userType", "mail" };
});
return Ok(users);
}
catch (Exception ex)
{
return StatusCode(StatusCodes.Status500InternalServerError, "An error occurred while fetching users.");
}
}
private class AuthProvider : IAuthenticationProvider
{
private readonly string _token;
public AuthProvider(string token)
{
_token = token;
}
public async Task AuthenticateRequestAsync(RequestInformation request, Dictionary<string, object>? additionalAuthenticationContext = null, CancellationToken cancellationToken = default)
{
// Set the Authorization header
request.Headers.Add("Authorization", $"Bearer {_token}");
await Task.CompletedTask;
}
}
}
}
I am attaching the image - This is how I've added token in request header.
I am also getting the correct token. But when I am sending the get request I am getting 401 Unauthorized. Instead I want the user info.
What am I doing wrong?
Solution
The error you are facing is due to not configuring the Scope in the appsettings.json.
I added the Scope as access_as_user in the Azuree AD app as shown below.
appsettings.json :
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "<tenantID>",
"ClientId": "<clientID>",
"Scopes": "access_as_user"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"MicrosoftGraph": {
"BaseUrl": "https://graph.microsoft.com/v1.0"
}
}
Below is the complete ASP.NET Web API code to authenticate and get a list of user information from an Azure AD app by calling the Microsoft Graph API.
UsersController.cs :
using Microsoft.AspNetCore.Mvc;
using Microsoft.Graph;
using Microsoft.Identity.Web;
using System.Net.Http.Headers;
namespace WebApplication5.Controllers
{
[Route("api/[controller]")]
[ApiController]
public class UsersController : ControllerBase
{
private readonly ITokenAcquisition _tokenAcquisition;
private readonly ILogger<UsersController> _logger;
public UsersController(ITokenAcquisition tokenAcquisition, ILogger<UsersController> logger)
{
_tokenAcquisition = tokenAcquisition;
_logger = logger;
}
[HttpGet]
public async Task<IActionResult> GetUsers()
{
try
{
var token = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { "User.ReadBasic.All", "User.Read" });
var graphClient = new GraphServiceClient(new AuthProvider(token));
var users = await graphClient.Users
.Request()
.Select(u => new { u.DisplayName, u.UserType, u.Mail })
.GetAsync();
return Ok(users);
}
catch (Exception ex)
{
_logger.LogError(ex, "An error occurred while fetching users.");
return StatusCode(StatusCodes.Status500InternalServerError, "An error occurred while fetching users.");
}
}
private class AuthProvider : IAuthenticationProvider
{
private readonly string _token;
public AuthProvider(string token)
{
_token = token;
}
public async Task AuthenticateRequestAsync(HttpRequestMessage request)
{
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
await Task.CompletedTask;
}
}
}
}
Program.cs :
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"))
.EnableTokenAcquisitionToCallDownstreamApi()
.AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraph"))
.AddInMemoryTokenCaches();
builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
var app = builder.Build();
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
I granted admin consent for User.ReadBasic.All and User.Read as shown below.
Postman Output :
In Postman, I configured the Authorization header with the following values.
Make sure to add the Scope as below in the Postman.
Scope : api://<clientID>/access_as_user
I added the below callback URL from Postman to the Azure AD app's Authentication settings as a Web URI.
https://oauth.pstmn.io/v1/callback
I successfully retrieved the user information list from the Azure AD app by calling the Microsoft Graph API in Postman, as shown below.
- Not much difference between ASP.NET Core sync and async controller actions
- Html number input handling in blazor
- Command dotnet ef not found
- Official documentation for JwtBearer middleware/configuration via appsettings.json?
- There was no runtime pack for Microsoft.AspNetCore.App available for the specified RuntimeIdentifier 'browser-wasm'
- Azure Blob Upload not working in ASP .Net Core Application
- Page has a binding model issue, along with some strange behaviour in the OnPost method
- The constraint reference 'string' could not be resolved to a type. (netcoreapp3.0)
- How to detect how long since a user's payment failed?
- How to model a target class for receiving a JSON HTML response in .NET 5
- BindRequired on DateTime
- How to override ASP.NET Core configuration array settings using environment variables
- How to disable warnings at solution level in .NET projects
- Get Current User in a component
- Frontend not available when front and back on same Web App Azure
- Dependency injection in custom attribute
- Blazor: Reference to child page displayed by RenderFragment Body
- How to predefine subscription prices and trial period?
- EF Core Many to Many Join Table with Extra Properties Not Working
- .net-core middleware return blank result
- Unable to resolve service for type 'System.String' while attempting to activate 'MyService'
- Publishing web api with swagger on IIS
- "Authorize" button not showing in Swagger UI (.NET 9)
- Migrate to .NET 9, Bad request (400) on controllers and API methods
- Add custom JwtBearerHandler to "AddMicrosoftIdentityWebApi" in .net7
- Stripe version 2 API?
- How to get view file content as plain string
- startup exception for aspnet core worker docker container attempting to set secret from env variable in Kubernetes
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?