Closed Jnchi closed 5 years ago
1) https://{{host}}/{{tenant}}/oauth2/devicecode with scope set to Directory.Read.All
2) https://{{host}}/common/oauth2/token
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1553527201",
"not_before": "1553523301",
"resource": "https://graph.microsoft.com",
"access_token": "[ . . . REDACTED . . . ]",
"refresh_token": "[ . . . REDACTED . . . ]",
"id_token": "[ . . . REDACTED . . . ]"
}
NOTE: The scope returned in the response is "User.Read"
3) POST https://graph.microsoft.com/v1.0/me/checkMemberGroups with body:
{
"groupIds": [
"1777d0f5-b4e2-46fc-8dbf-f46f0d472663"
]
}
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "a760cc57-209d-40c0-ad21-96b9be1166a2",
"date": "2019-03-25T16:13:18"
}
}
}
Resources:
Issue created: https://github.com/MicrosoftDocs/azure-docs/issues/27943
Update
See: https://github.com/MicrosoftDocs/azure-docs/issues/27943#issuecomment-480267618
If your app is acting on behalf of a user (delegated permissions), that user will likely need to be a member of an appropriate administrator role for your app to successfully call many of the Azure AD APIs. --https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-1.0#authorization
pamtester sshd jnchi authenticate
An email with a one-time passcode was sent to your email.
Enter the code at https://aka.ms/devicelogin, then press enter.
post_body: {"groupIds":["[ . . . REDACTED . . . ]"]}"
json_loads() failed: '[' or '{' expected near 'HTTP'
json_data: (null)
pamtester: Authentication failure
See also: #18
Depends on: https://github.com/CyberNinjas/libnss_aad/issues/2
NOTE: requires delegated permission, "Directory.Read.All", in Azure Active Directory.
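Two failure modes appear in this issue: the token endpoint granting a narrower scope than requested (User.Read instead of Directory.Read.All, so checkMemberGroups answers Authorization_RequestDenied), and json_loads() being handed a raw HTTP response with the status line and headers still attached ("'[' or '{' expected near 'HTTP'"). The following is an added Python example, not code from libnss_aad or its author, showing how a client can check the granted scope before calling Graph and how to separate headers from body and classify the Graph reply. All function names are assumptions; the sample token response and error body are constructed copies of the ones shown above with secrets redacted.

```python
import json

# Delegated permission the issue says /me/checkMemberGroups needs (from the issue text).
REQUIRED_SCOPE = "Directory.Read.All"

# Constructed copy of the token response shown in the issue (secrets redacted).
TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "User.Read",
    "expires_in": "3599",
    "resource": "https://graph.microsoft.com",
    "access_token": "[REDACTED]",
}

# Constructed copy of the error body the issue shows for /me/checkMemberGroups.
DENIED_BODY = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "a760cc57-209d-40c0-ad21-96b9be1166a2",
            "date": "2019-03-25T16:13:18",
        },
    }
}

# Constructed raw HTTP response with headers still attached: feeding this whole
# string to a JSON parser produces the "'[' or '{' expected near 'HTTP'" error.
RAW_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: application/json\r\n"
    "\r\n" + json.dumps(DENIED_BODY)
)

# Constructed success reply: Graph returns the subset of groupIds the user belongs to.
RAW_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n" + json.dumps({"value": ["1777d0f5-b4e2-46fc-8dbf-f46f0d472663"]})
)


def granted_scopes(token_response):
    """Scopes the token endpoint actually granted ('scope' is space-separated)."""
    return set(token_response.get("scope", "").split())


def missing_scopes(token_response, required=(REQUIRED_SCOPE,)):
    """Required scopes absent from the token; non-empty means Graph will deny the call."""
    return sorted(set(required) - granted_scopes(token_response))


def split_http_response(raw):
    """Separate a raw HTTP response into (status_code, body).

    Text that does not begin with a status line is treated as a bare body.
    """
    if not raw.startswith("HTTP/"):
        return None, raw
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    fields = head.split("\n", 1)[0].split()
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    return status, body


def classify_graph_response(raw):
    """Turn a raw Graph reply into a small verdict dict for logging and decisions."""
    status, body = split_http_response(raw)
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"outcome": "parse_error", "status": status, "detail": str(exc)}
    if isinstance(data, dict) and "error" in data:
        err = data["error"]
        inner = err.get("innerError", {})
        outcome = "denied" if err.get("code") == "Authorization_RequestDenied" else "error"
        return {
            "outcome": outcome,
            "status": status,
            "code": err.get("code"),
            "request_id": inner.get("request-id"),  # worth quoting in a support case
            "date": inner.get("date"),
        }
    value = data.get("value", []) if isinstance(data, dict) else data
    return {"outcome": "ok", "status": status, "value": value}


if __name__ == "__main__":
    print("missing scopes:", missing_scopes(TOKEN_RESPONSE))
    print(classify_graph_response(RAW_403))
    print(classify_graph_response(RAW_200))
```

Checking missing_scopes() right after the token exchange gives a clear log line ("token lacks Directory.Read.All") instead of a generic authentication failure later in the PAM conversation, and classify_graph_response() keeps the request-id and date from innerError, which is what Microsoft support asks for when a denial needs to be traced.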