cancel
Showing results for 
Search instead for 
Did you mean: 

REST GET API + OAuth2 to call Microsoft Graph when no native Snap is available

sghneim
New Contributor

Is there any specific documentation on how to call Micrsoft graph API’s using the REST GET snaps with an OAUTH2 Account. i have been trying to authorize the account and so far no luck with that. I keep getting “http_status_code”: 500 which is very generic and doesnt tell us much. I am able to hit the API and get a token from postman with no issues.

3 REPLIES 3

ddellsperger
Moderator
Moderator

The biggest issue you’ll deal with when it comes to OAuth2 with Microsoft Graph is making sure you have the appropriate client id/client secret, the appropriate authentication type, and ensuring the authorization endpoint and token endpoint are correct. Their documentation (though somewhat well hidden when it comes to searching for it) provides example URLs for authorization and token endpoints. Auth Endpoint is typically like this: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize (Where the Tenant is the tenant id from your internally created azure portal application) and token endpoint is typically like this: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

You’ll need to provide scopes in your token endpoint config with the key being scope and value being a space-separated list of scopes as documented for the endpoint you’re using (your application will need to have them specified as either delegated (for the authorization_code grant type) or application (for the client_credentials grant type).

You can look through some of our other Microsoft Snap Packs (Teams, One Drive, or Exchange Online) to get a better idea of setup, the OAuth accounts for those are pretty similar to the REST OAuth2 account configuration, just some handy things to make final configuration a little bit easier.

sghneim
New Contributor

Thank you for your response, couple things that we found along the way.

  1. in order to authorize i had to remove the /v2.0 from both auth endpoint and token endpoint. this doesn’t make sense because we do see these endpoints in azure .
  2. even after i get the access token if i try to get the users entity or groups i am getting an error in the pipeline. “Failure: HTTP Response Code:401; Response Message: Access token validation failure. Invalid audience., Reason: InvalidAuthenticationToken, Resolution: Check your refresh token, access token, and account settings.”
  3. is there a way to capture the access token information from the Rest get???

It looks like you might be using an API that’s not a part of the Microsoft Graph API selection, but for authorization, it might be helpful to run through this document from Microsoft on the v2 auth service, there’s a step in there for providing admin consent (which might be required with a client_credentials workflow) and you’d then have to register a redirect_uri (you could use localhost as that URL would redirect within your browser itself). All of these messages, like “InvalidAuthenticationToken” and “Access token validation failure. Invalid audience.” are coming from the response from microsoft directly, so it specifically doesn’t like something about your access token. One option would be to use postman or another tool to try out exactly the steps that you need to do, we don’t expose access tokens for security reasons, but you COULD make simply a REST POST that gets an access token back from the endpoint (without an account) since this is client_credentials oauth. There’s also a stackoverflow post that points out the full entire scope to use, that might also be an issue.