1

I'm trying to access the Office365 REST API using the ADAL library but get a 401 (Unauthorized), and can't figure out why. I have registered an application in our Azure AD, got an id, fetched a key for it and given it permissions to read the Windows Azure Active Directory.

I am able to acquire an OAuth token but it won't play with the Office365 API.

Here is one of my unsuccessful attempts:

    AuthenticationContext auth = new AuthenticationContext("https://login.windows.net/" + myTenant);
    AuthenticationResult authenticationResult = auth.AcquireToken("http://Rest", new ClientCredential(myId, myKey));

    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);

    HttpResponseMessage msg = await client.GetAsync("https://outlook.office365.com/api/v1.0/me/events");
    // => Bam. 401. :(

Any ideas?

1 Answer

2

The resource ID you're passing to AcquireToken is invalid. That should be "https://outlook.office365.com/". See if that helps. If not, try parsing your token and look for issues: https://github.com/jasonjoh/office365-azure-guides/blob/master/ValidatingYourToken.md


7 Comments

Thanks! The correct resource ID didn't help, but your token parser shows me that the logged-in user tags (upn, unique_name, family_name, given_name) and - possibly worse - the permissions tag (scp:) are all missing. Clearly I'm missing something here. But what?
You might try using the common OAuth endpoint, "login.windows.net/common" in the constructor of the AuthenticationContext. Also, when you registered your app, did you specify application permissions or delegated permissions? What permissions did you give it altogether?
Jason, sorry for the late reply and sorry to bother you with this tedious stuff. Please feel free to ignore me. The common endpoint complained that my app didn't exist. I tried setting every single application and delegated permission. Still 401 :(.
Jason. I found this, buried in the HTTP response: "The access token is acquired using an authentication method that is too weak to allow access for this application. Presented auth strength was 1, required is 2". I guess that's the path for me to follow. I'll keep this post updated.
Ok. From that error, it sounds like you're trying to do the client credential auth flow, which requires the auth strength of 2. That requires that you authenticate with a certificate rather than a client secret. Client credential auth flow is more for service apps that require access to all mailboxes in the organization. If you're just trying to access the logged-in user's mailbox, you should use the code grant flow.