Channel: Azure Active Directory forum

Client credentials token is not working for on-prem exchange server.

In a hybrid setup, if the client credentials grant type is used to get a token, and that token is used to get an on-prem user's messages (https://graph.microsoft.com/v1.0/users('onpremuser@onpremdomain.com')/messages/) using the Graph API, it fails with UnknownError.

When debugging with the IIS logs, the error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token". To get rid of the 'V1S2SAppOnly' error I went and added V1S2SAppOnly under appSettings of the web.config file present at C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rest\web.config

<add key="OAuthHttpModule.Profiles" value="S2SAppActAs|S2SAppOnly|V1AppActAs|V1AppOnly|Callback|V1S2SActAs|V1S2SAppOnly|CallbackV2" />  

After this the error was gone, and now I am seeing a new error like the one below in the IIS log:

HeaderName="x-ms-diagnostics", HeaderValue="2000008;reason="The token should have valid permissions or linked account associated with partner application '00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"", Replace="false". However, the decoded token (jwt.io) does have roles:

{
  "aud": "https://graph.microsoft.com/",
  "iss": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
  "iat": 1552900163,
  "nbf": 1552900163,
  "exp": 1552904063,
  "aio": "42JgYHhwRC7Jf9HECQFuBmlfT+t0AgA=",
  "app_displayname": "newtestapp",
  "appid": "fb461318-f95f-474f-9451-ad6b9952a5fe",
  "appidacr": "2",
  "idp": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
  "oid": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
  "roles": [
    "Mail.ReadWrite",
    "Mail.Read",
    "Mail.Send"
  ],
  "sub": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
  "tid": "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
  "uti": "XLiJVT7T8Eir7FsLkkvWAA",
  "ver": "1.0",
  "xms_tcdt": 1550570031
}


Observations:

1. Everything works perfectly for cloud users.
2. If the ROPC or authorization code flow is used, I am able to retrieve that user's mail.

How do I make Graph API calls (/messages) work for on-prem users with the client credentials OAuth flow?
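The post above compares a client credentials token against tokens obtained through ROPC or the authorization code flow, and reads the decoded token on jwt.io to confirm it carries `roles`. The following is an added example, not code from the poster or from Microsoft: it decodes a compact JWT offline, without signature verification, and reports the properties that matter when a resource rejects a token with `invalid_grant`: whether it is app-only (a `roles` claim and no `scp`) or delegated (an `scp` claim and a user identity), which credential the client authenticated with (`appidacr`), the audience, tenant, token version and expiry. The sample token is constructed here from the claim set quoted in the post, with a dummy signature segment, so it runs offline; the `build_sample_token`, `decode_unverified` and `describe_token` names are this example's own.

```python
import base64
import json
import time

# Constructed sample: the claims quoted in the post, packed into a JWT with a
# dummy signature. It is not a real token and would not validate anywhere.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com/",
    "iss": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
    "iat": 1552900163,
    "nbf": 1552900163,
    "exp": 1552904063,
    "app_displayname": "newtestapp",
    "appid": "fb461318-f95f-474f-9451-ad6b9952a5fe",
    "appidacr": "2",
    "idp": "https://sts.windows.net/ea6064aa-d6fc-48d3-abb8-1728e1f39e0b/",
    "oid": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
    "roles": ["Mail.ReadWrite", "Mail.Read", "Mail.Send"],
    "sub": "301eb6c0-478a-407c-9493-7fa40c4cf9bc",
    "tid": "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",
    "ver": "1.0",
}

# Meaning of the appidacr claim in Azure AD access tokens.
APPIDACR = {"0": "public client", "1": "client secret", "2": "certificate"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_sample_token(claims=SAMPLE_CLAIMS) -> str:
    """Assemble header.payload.signature from a claim dict (constructed test data)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_unverified(token: str):
    """Split and decode a compact JWT WITHOUT checking its signature.

    Only for inspecting a token whose origin you already trust (debugging your
    own client's request). Never base an authorization decision on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def describe_token(token: str, now=None) -> dict:
    """Summarise the claims a resource server looks at when it rejects a token."""
    _, c = decode_unverified(token)
    now = int(time.time()) if now is None else now
    roles = c.get("roles", [])
    scp = c.get("scp", "")
    # App-only (client credentials) tokens carry `roles`; delegated tokens carry `scp`.
    if roles and not scp:
        grant = "app-only"
    elif scp:
        grant = "delegated"
    else:
        grant = "unknown"
    return {
        "aud": c.get("aud"),
        "tenant": c.get("tid"),
        "version": c.get("ver"),
        "grant": grant,
        "app_permissions": sorted(roles),
        "delegated_scopes": sorted(scp.split()) if scp else [],
        "client_auth": APPIDACR.get(str(c.get("appidacr")), "unknown"),
        "expired": now >= int(c.get("exp", 0)),
        # A signed-in user is identified by upn/unique_name; app-only tokens have neither.
        "has_user": "upn" in c or "unique_name" in c,
    }


if __name__ == "__main__":
    print(json.dumps(describe_token(build_sample_token()), indent=2))
```

Running the script on the constructed token reports `grant: app-only`, `client_auth: certificate`, the three Mail.* application permissions and no user identity, which is exactly the shape a client credentials token has; the ROPC and authorization code tokens the post says do work would instead show `grant: delegated` with an `scp` list and a user. To inspect a real token, replace `build_sample_token()` with the bearer string from your request, and keep in mind that the decode is unverified by design.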


