Using Microsoft Graph PowerShell SDK to manage user consented permissions

The oAuth2PermissionGrant object keeps a record of user consented permissions (Delegated Permissions) in a tenant. There is one OAuth2PermissionGrant object (identified by Consent ID) for each combination of client application, resource application, and user. The sample PowerShell script in this post will perform the following tasks: Remove all MS Graph Delegated permissions (if any) for the user Perform user consent for an initial set of MS Graph permission Update the…

Read More

Receiving error “CompactToken parsing failed” when calling Microsoft Graph

You may receive the following 401 error calling MS Graph endpoint (https://graph.microsoft.com) { “error”: { “code”: “InvalidAuthenticationToken”, “message”: “CompactToken parsing failed with error code: 80049217”, “innerError”: { “date”: “2022-08-16T19:00:22”, “request-id”: “xxx”, “client-request-id”: “yyy” } } } What’s the cause of the error? The error typically happens due to the following reasons: There is no Bearer Access Token in the Request’s Authorization Header The value of the Authorization Header is in…

Read More

Using MS Graph to get both Interactive and non Interactive sign in events log

Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…

Read More

Update your Azure AD-integrated applications to use TLS 1.2

Recently our support team has seen quite a few cases where customer applications have been working for years and recently started failing with one of the following error messages:. These errors are often seen in applications targeting an old version of .Net Framework. AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure ADIDX20804: Unable to retrieve document from:…

Read More

Troubleshooting 403 Authorization error when calling Microsoft Graph Security API

You may get the following 403 error when using Microsoft Graph Security API to call various end points (https://graph.microsoft.com/v1.0/security/alert, https://graph.microsoft.com/beta/security/secoreScores, etc…) “Auth token does not contain valid permissions or user does not have valid roles” Root Cause The above error can occur if the access token is missing the following requirement: The token does not have the required Microsoft Graph permission for the https://graph.microsoft.com/v1.0 (or beta)/security/xxx entity endpoint being used…

Read More

How to use Microsoft Graph SDK for PowerShell to update a registered Device’s Extension Attribute

Below is a sample PowerShell script showing how to update a registered device’s extension attribute. The sample uses extensionAttriubte3. You can easily swap this out to a different one. Refer to the Update Device documentation for more info. Note: The above device update operation requires the signed in user to be in either the Intune Administrator role or Global Administrator role.

Read More

How to enable MSAL for Java (MSAL4J) logging in a Spring Boot application

In this blog, I’ll show how to enable MSAL4J logging using the logback framework in a spring boot web application. I’ll use our Azure AD B2C web sample here. The complete code for this blog is on github. Refer to the MSAL for Java logging documentation for more info. There are 3 main things you need to do for logging to work 1) Include the logback package in the pom.xml…

Read More

Using AdditionalData property in Microsoft Graph SDK for .Net

The AAD Directory Object classes in Microsoft Graph SDK for .Net have a generic property called ‘AdditionalData’ that can be used to send and receive data in the json payload. In certain scenarios where the regular class members are not available in the SDK we can still set their values via AdditionalData property. An example of this is to create a group that has resourceBehaviorOptions attribute (array of strings) populated…

Read More

Using Microsoft.Identity.Web to request multiple different Azure AD Access Tokens

There are times a web application may need to log in a user and call different backend Azure AD protected web APIs. The web application would need to obtain different Access Tokens, one for each web API. In this post I will attempt to demonstrate how this can be done using MIcrosoft.Identity.Web nuget package. This sample shows how to get tokens for Microsoft Graph resource and a custom web API…

Read More

MSAL.JS SPA client performing Authorization Code Grant flow to ADFS 2019

This blog walks through how to set up MSAL.JS to authenticate directly to ADFS 2019 Server using Authorization Code Grant flow to get an Access Token and then call a Web API with that Access Token. We will go over the following steps to get this the samples working: App Registrations for both the Single Page Application (SPA) client app and the web API app Enable Cross-origin Request Sharing (CORS)…

Read More