Jnchi
commented
5 years ago 1) https://{{host}}/{{tenant}}/oauth2/devicecode
- Set
scopetoDirectory.Read.All
2) https://{{host}}/common/oauth2/token
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1553527201",
"not_before": "1553523301",
"resource": "https://graph.microsoft.com",
"access_token": "[ . . . REDACTED . . . ]",
"refresh_token": "[ . . . REDACTED . . . ]",
"id_token": "[ . . . REDACTED . . . ]"
}NOTE: The scope returned in the response is "User.Read"
3) https://graph.microsoft.com/v1.0/me/checkMemberGroups
POSTbody:{ "groupIds": [ "1777d0f5-b4e2-46fc-8dbf-f46f0d472663" ] }- Response:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "a760cc57-209d-40c0-ad21-96b9be1166a2",
"date": "2019-03-25T16:13:18"
}
}
}Resources:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Device-Code-Flow
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
- https://docs.microsoft.com/en-us/graph/api/user-checkmembergroups?view=graph-rest-1.0
Issue created: https://github.com/MicrosoftDocs/azure-docs/issues/27943
Update
See: https://github.com/MicrosoftDocs/azure-docs/issues/27943#issuecomment-480267618
See also: #18
Depends on: https://github.com/CyberNinjas/libnss_aad/issues/2
NOTE: requires delegated permission, "Directory.Read.All", in Azure Active Directory.