In this video, learn how to add a delegated permission, and see why a Graph call that needs a user's identity fails when made with app-only identity.
- [Instructor] The concepts behind a web application calling Microsoft Graph with app-only identity and one calling with delegated user identity are about the same. The only things that really change are (a) what endpoint I'm calling and (b) what permissions I'm calling under. So let's go to Exercise Files and pick up the ending portion of the previous chapter, where we successfully wrote a web application that called Microsoft Graph with application-only identity.
So I already have this project open, so I'm simply going to go to that project now. Let's go to Controllers and open UsersController, and if you go down here, let's look at the URL we were calling. We were calling a certain URL that required application identity. So now what I'm going to do is pick a different URL and a different permission, something that will require delegated user identity.
So in order to do that, I'm actually going to pick a permission that allows me to list the messages in somebody's inbox. So if I go down here, there is an alias called /me/messages, and basically, this allows me to read my email, okay? So the permission that I need for this to work is mail.read.
So I'm going to go into Azure AD and I'm going to grant my application that permission. So as usual, go ahead and sign in to Office 365, go to the admin area, go to the Azure AD area, find your application registration, remember it was a web app, and let's go ahead and grant it the permission to call mail.
I'm going to click Add, select an API, just like before, Microsoft Graph, but since I've already selected it, I'm going to click here. Then I need to add a delegated user permission. So I will look for a permission called Read user email, and I will find it under Delegated permissions. So let's look for it. Read user email, there it is.
So notice that some of these have a Yes next to them and some of them have No next to them. The Yes and No basically answer the question: do I need to be an admin to grant that permission? Reading somebody's email is not an admin-level permission, so that's why it's at No. It says you are adding permissions to your application. Users will have to consent even if they've already done so previously. That makes sense. You changed permissions, so the next time the user signs in or installs the app, the user will have to say, "Yes, I'm granting the application certain permissions." Let's click Save, and I'm going to click Grant Permissions so the underlying application is now granted the permissions.
So you see now I have one application permission and one delegated permission. Now notice that the URL that I need to call this time is /me/messages. So let me go into my project and make that change to my code. So instead of /users, I'm going to call /me/messages. Now I know this is called UsersController, but I am reading my email. Should I go down and change it to MailController? Yeah, I should, but this is just demo code, so I'll just leave it at UsersController.
Just note that I am trying to read the user's email and not the list of users. Let me do one other thing. Let me set a break point here. The reason I'm setting this break point is that I want to look at what this access token looks like when we actually make this call. With this much in place, let me go ahead and run the project. The application loads as intended. Let's go ahead and sign in.
I'm signed in just like before. Seems to be working. Now I'm going to click on Users. Remember, we're reading mail, not users, so let's click on this. And it looks like we're able to sign in. I'm going to actually steal this access token and put it in Notepad, because I want to show you something interesting in that access token in a moment. So let me go ahead and save this access token in Notepad. Let's go ahead and run this in debug mode.
It's trying to call it and it says Bad Request. Hmm, what happened? Well, you see that the request actually failed, right? What's going on? Let me show you. Let's go to jwt.io. There are numerous other ways to decode this access token, but this is pretty convenient. So let's just go down here, paste this access token, and look at the decoded version of it.
I don't see a user's identity in this access token. That's the problem. I'm trying to do something that requires a user's identity, but I don't see a UPN claim or anything like that that tells the server who the user sending this request is, and that is the issue. Let's fix that.
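The inspection the instructor does by hand on jwt.io can be scripted, and that makes the difference between the two token kinds concrete. The following is an added example, not code from the course or its exercise files: it splits a compact JWT, decodes the claims without checking the signature (exactly what jwt.io shows, so it is for inspection only, never for authorization), and reports whether the token carries a user identity plus the Mail.Read scope that /me/messages needs. The claim names it keys on (upn, preferred_username, scp for delegated tokens; roles for app-only tokens) are the ones Azure AD issues; the sample tokens, tenant id and signature segment are constructed placeholders.

```python
"""Inspect an Azure AD access token and explain why an app-only token
cannot back a call to Microsoft Graph's /me/messages.

Added example; the sample tokens below are constructed, not real."""
import base64
import json

# Claims that identify the signed-in user in an Azure AD access token.
# Assumption: a delegated token has one of these plus "scp";
# an app-only token has "roles" and none of these.
USER_IDENTITY_CLAIMS = ("upn", "preferred_username", "unique_name", "email")


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment format."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWT and return its header and claims.

    The signature is NOT verified (same as pasting into jwt.io), so this is
    only suitable for looking at a token, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "claims": json.loads(b64url_decode(parts[1])),
    }


def classify_token(token: str) -> str:
    """Return 'delegated', 'app-only' or 'unknown' based on the claims present."""
    claims = decode_jwt_unverified(token)["claims"]
    has_user = any(c in claims for c in USER_IDENTITY_CLAIMS)
    if has_user and "scp" in claims:
        return "delegated"
    if "roles" in claims and not has_user:
        return "app-only"
    return "unknown"


def check_me_call(token: str, required_scope: str = "Mail.Read"):
    """Return (ok, reason): can this token back a /me/messages call?

    /me only has meaning when the token names a user, and Graph additionally
    requires the Mail.Read delegated scope in the space-separated scp claim."""
    claims = decode_jwt_unverified(token)["claims"]
    kind = classify_token(token)
    if kind != "delegated":
        return False, f"{kind} token: no user identity claim, so /me has no meaning"
    granted = {s.lower() for s in claims.get("scp", "").split()}
    if required_scope.lower() not in granted:
        return False, f"user present but {required_scope} not in scp={sorted(granted)}"
    user = claims.get("upn") or claims.get("preferred_username")
    return True, f"delegated token for {user} with {required_scope}"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for demonstration.

    The signature segment is a placeholder; decode_jwt_unverified never checks it."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


# Constructed claim sets; tenant and app ids are placeholder GUIDs.
COMMON = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
}
APP_ONLY_TOKEN = make_sample_token({**COMMON, "roles": ["User.Read.All"]})
DELEGATED_TOKEN = make_sample_token(
    {**COMMON, "upn": "alice@contoso.example", "scp": "Mail.Read User.Read"})
DELEGATED_NO_MAIL = make_sample_token(
    {**COMMON, "upn": "bob@contoso.example", "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY_TOKEN),
                      ("delegated", DELEGATED_TOKEN),
                      ("delegated, no Mail.Read", DELEGATED_NO_MAIL)]:
        print(f"{name:24s} {classify_token(tok):10s} {check_me_call(tok)}")
```

Run it as a script to see the three cases side by side: the app-only token (roles but no upn) is rejected before the scope is even considered, which is the Bad Request seen in the video; the delegated token without Mail.Read is rejected on scope; only a token that names a user and carries Mail.Read passes. In a real application the check belongs on the server side of a verified token, not on a pasted one.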