Graph API authentication failed on creating subscription for callRecords with authentication as application


I have problems subscribing to callRecords in a customer constellation; there I get the response status Forbidden (see the end of the post).

I did these steps:

  1. registered an App Registration with CallRecords.Read.All and granted admin consent
  2. on trying to send the POST request, it worked in none of my coded programs, but in Postman it worked with application permission.

It worked with Postman but not in Azure Functions (started locally) or other coded apps acquiring a fitting bearer token. I got Forbidden as the response message if I sent the POST request with the token I got from program routines.

    using System;
    using System.Collections.Generic;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Newtonsoft.Json;

    // Client credentials flow: the app authenticates as itself (no user), so the
    // token can only carry application permissions in the "roles" claim, and only
    // if those permissions were admin-consented in the target tenant.
    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post,
        new Uri("https://login.microsoftonline.com/" + TenantId + "/oauth2/v2.0/token"));

    List<KeyValuePair<string, string>> parameters = new List<KeyValuePair<string, string>>();
    parameters.Add(new KeyValuePair<string, string>("client_id", ClientId));
    // ".default" requests all application permissions granted to the app for Graph.
    parameters.Add(new KeyValuePair<string, string>("scope", "https://graph.microsoft.com/.default"));
    parameters.Add(new KeyValuePair<string, string>("client_secret", ClientSecret));
    parameters.Add(new KeyValuePair<string, string>("grant_type", "client_credentials"));
    request.Content = new FormUrlEncodedContent(parameters);

    HttpResponseMessage response = await client.SendAsync(request);
    string data = await response.Content.ReadAsStringAsync();
    // TokenResponse is the caller's own class mapping the JSON token response (access_token, expires_in, ...).
    Token = JsonConvert.DeserializeObject<TokenResponse>(data);

Listing 1: Getting Access token

I analysed the token I get with jwt.ms (the IDs and other info are marked with ***):

{
  "typ": "JWT",
  "nonce": "***",
  "alg": "RS256",
  "x5t": "l3sQ-50cCH4xBVZLHTGwnSR7680",
  "kid": "l3sQ-50cCH4xBVZLHTGwnSR7680"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/***/",
  "iat": 1633425547,
  "nbf": 1633425547,
  "exp": 1633429447,
  "aio": "***",
  "app_displayname": "***",
  "appid": "***",
  "appidacr": "1",
  "idp": "https://sts.windows.net/***/",
  "idtyp": "app",
  "oid": "***",
  "rh": "***",
  "sub": "***",
  "tenant_region_scope": "EU",
  "tid": "***",
  "uti": "***",
  "ver": "1.0",
  "wids": [
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
  ],
  "xms_tcdt": 1373376639
}.[Signature]

JSON info of the token

The difference between the token from code and the token I got from the Postman app is SCP: "CallRecords.Read.All".

Then I found out that if I used an App Registration with the delegated permission User.Read.All, it works for me if a valid user is logged in to the regarding tenant; also creating a callRecord subscription succeeded. But on the customer side we have only an app registration + secret with the permissions CallRecords.Read.All and User.Read.All. In the customer case I get every time the token without the permission. And redirection to the Postman callback URL is not possible in the tenant.

I read the documentation https://learn.microsoft.com/de-de/graph/sdks/choose-authentication-providers?tabs=CS#client-credentials-provider and the corresponding links, but I do not get an overview of what I have to do.

I tried the YouTube video https://www.youtube.com/watch?v=Z1xFjmttEvY for Logic Apps sending this POST too; the steps are similar to the customer app registration creation. But it failed too (same error). I used https://graph.microsoft.com/v1.0/subscriptions with body:

{
    "resource": "/communications/callRecords",
    "changeType": "created",
    "clientState": "clientStateValue",
    "notificationUrl": "<working URL endpoint>",
    "expirationDateTime": "2021-09-28T18:58:05.9125505Z",
    "latestSupportedTlsVersion": "v1_2"
}

{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: The request is not authorized for this user or application.]",
    "innerError": {
      "date": "2021-10-05T21:47:03",
      "request-id": "aa624900-02bb-4b06-92ba-755889b1f459",
      "client-request-id": "aa624900-02bb-4b06-92ba-755889b1f459"
    }
  }
}

BadRequest. Http request failed as there is an error getting AD OAuth token: 'AADSTS7000112: Application '***'(***-***-***-***-***) is disabled. Trace ID: ***-***-**-***-**Correlation ID: ***-***-***-***-***Timestamp: 2021-10-05 22:58:29Z'.

Update: this happened through "Enable users to sign in", but it does not harm Postman, which still works. Why is it so and why can I copy this behaviour?

Can someone please tell me what I am doing wrong or what I must do so I can acquire a token as Postman does when requesting as an application?


6
BEST ANSWER

The permissions you are trying to add require admin consent. When not consented to/granted, like in the screenshot below, AAD will ignore them, resulting in an access token without the roles claim.

[screenshot]

To get the access token to contain the claims, make sure two things are well configured.

  1. Make sure the permissions are added for the app and consented to / granted by an admin for the app in the Azure AD portal.
  2. If the application and the users are in different tenants, then ensure the application has a service principal in the user's tenant and has the permissions added and consented to.
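The roles-claim check the answer describes, as an added example (not code from the question, the answer or Microsoft): it decodes a JWT payload without verifying the signature (diagnosis of your own token only) and reports whether a Graph token carries a permission and as which claim type. The sample tokens are constructed with placeholder IDs; the first mirrors the question's token, which has idtyp "app" but no roles claim.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, restoring the padding the format strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed test token: real tokens carry an RS256 signature, this one does not."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "sig"])


def decode_claims(token: str) -> dict:
    """Read the payload claims of a JWT. No signature check: for inspecting your own token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_graph_permission(token: str, permission: str) -> dict:
    """Application tokens (client credentials) carry app permissions in `roles`;
    delegated tokens carry scopes in `scp`. An app token with no `roles` at all
    is the symptom of application permissions that were not admin-consented."""
    claims = decode_claims(token)
    roles = claims.get("roles", [])
    scopes = claims.get("scp", "").split()
    identity = "application" if claims.get("idtyp") == "app" else "delegated"
    if permission in roles:
        return {"identity": identity, "granted_via": "roles", "ok": True}
    if permission in scopes:
        return {"identity": identity, "granted_via": "scp", "ok": True}
    if identity == "application" and not roles:
        reason = "no roles claim: check admin consent in tenant " + claims.get("tid", "?")
    else:
        reason = permission + " not present in roles/scp"
    return {"identity": identity, "granted_via": None, "ok": False, "reason": reason}


# Constructed samples mirroring the question's token (all IDs are placeholders).
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
NO_CONSENT_PAYLOAD = {"aud": "https://graph.microsoft.com", "idtyp": "app",
                      "tid": "placeholder-tenant", "appid": "placeholder-app", "ver": "1.0"}
CONSENTED_PAYLOAD = dict(NO_CONSENT_PAYLOAD, roles=["CallRecords.Read.All", "User.Read.All"])

if __name__ == "__main__":
    for payload in (NO_CONSENT_PAYLOAD, CONSENTED_PAYLOAD):
        print(check_graph_permission(build_unsigned_token(SAMPLE_HEADER, payload), "CallRecords.Read.All"))
```

Run this against the access_token string your code receives before calling the subscriptions endpoint; a missing roles claim points at the consent state of the app registration rather than at the subscription request.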
0

The posted problem was only created through an unattended revoking of Grant Admin Consent.

So I apologise for this posting, because there was normally no reason. Without the ability to see/check the App Registration, I could not see the revocation of consent.

I am sorry for this unnecessary work for the respondents.

So generally the answer is correct.