
On-Behalf-Of flow: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name'. Send an interactive authorization #226

Open
ChuksObi opened this issue Jul 22, 2022 · 0 comments
Labels
question Further information is requested

Comments

@ChuksObi

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

My setup

I have an ASP.NET Core MVC (net5.0) web app configured with Azure AD. I have an ASP.NET Core (net5.0) Web API configured with Azure AD.

I log in to the client, obtain the token in the client web app, and use it when requesting resources from the Web API through JS; this works fine. I get responses and I can obtain the current user making the request. I used this MS guide: active-directory-aspnetcore-webapp-openidconnect-v2. I want to enable communication between the Web API and Microsoft Graph. I have followed part of this Azure sample: Web API now calls Microsoft Graph.

Any log messages given by the failure

The issue

I have had issues accessing the MS Graph API from my ASP.NET Core API. I have set up everything that I think should be there, as seen in the code; however, I keep getting the error.

InnerException = {"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name. Send an interactive authorization request for this user and resource

Message = IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.

I have granted admin consent in the API permissions section; the app uses delegated permissions; it is an organisational app, so users must be on Azure AD to log in. I have also added the client ID as a known client application for the service in the app manifest.

Azure permission granted for API

API appsettings

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "--",
    "TenantId": "--",
    "ClientId": "--",
    "ClientSecret": "--"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite",
    "DefaultScope": "https://graph.microsoft.com/.default"
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DefaultConnection": "--"
  }
}
```

Client appSettings

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "--",
    "TenantId": "--",
    "ClientId": "--",
    "ScopeForAccessToken": "--",
    "ClientSecret": "--"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "NASAapi": {
    "ScopeForAccessToken": "api://guid/scope.name",
    "ApiBaseAddress": ""
  },
  "AllowedHosts": "*"
}
```

API Startup.cs

```csharp
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();
```
Example Controller

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Microsoft.Graph;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

[Authorize]
[Route("api/[controller]/[action]")]
[RequiredScope("scope.name")]
[ApiController]
public class ExampleController : ControllerBase
{
    private readonly GraphServiceClient _graphServiceClient;
    // Both fields below are used in the catch block but were never declared or
    // injected; ITokenAcquisition and MicrosoftGraphOptions are registered by
    // EnableTokenAcquisitionToCallDownstreamApi() / AddMicrosoftGraph() in Startup.
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IOptions<MicrosoftGraphOptions> _graphOptions;

    public IEnumerable<Message> Messages { get; private set; }

    public ExampleController(GraphServiceClient graphServiceClient,
                             ITokenAcquisition tokenAcquisition,
                             IOptions<MicrosoftGraphOptions> graphOptions)
    {
        _graphServiceClient = graphServiceClient;
        _tokenAcquisition = tokenAcquisition;
        _graphOptions = graphOptions;
    }

    // DealDto is the application's own type (not shown in the issue).
    [HttpGet]
    public async Task<ActionResult<IEnumerable<DealDto>>> GetDealsWithAccount()
    {
        try
        {
            // Await the Graph call: blocking with GetAwaiter().GetResult() inside an
            // async action can deadlock and obscures the exception type that is thrown.
            User user = await _graphServiceClient.Me.Request().GetAsync();
        }
        catch (MsalException ex)
        {
            HttpContext.Response.ContentType = "text/plain";
            HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            await HttpContext.Response.WriteAsync(
                "An authentication error occurred while acquiring a token for downstream API\n"
                + ex.ErrorCode + "\n" + ex.Message);
        }
        catch (Exception ex)
        {
            if (ex.InnerException is MicrosoftIdentityWebChallengeUserException challengeException)
            {
                // The OBO exchange needs consent the API does not have yet: answer with
                // 403 and a WWW-Authenticate header so the client can run incremental consent.
                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(
                    _graphOptions.Value.Scopes.Split(' '),
                    challengeException.MsalUiRequiredException);
            }
            else
            {
                HttpContext.Response.ContentType = "text/plain";
                HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                await HttpContext.Response.WriteAsync(
                    "An error occurred while calling the downstream API\n" + ex.Message);
            }
        }

        return Ok();
    }
}
```

Expected/desired behavior

It seems the On-Behalf-Of flow is not working as expected. I expect the Web API to make the call to the downstream service and obtain the token for Graph. Please correct me if I am wrong.

OS and Version?

Windows 10

Versions

21H2 (OS Build 19044.1826)

Mention any other details that might be useful

stackoverflow link


Thanks! We'll be in touch soon.
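The report above boils down to the On-Behalf-Of exchange: the Web API takes the access token it received from the client (audience `api://guid`, scope `scope.name`) and asks Azure AD to swap it for a Graph token, and Azure AD answers AADSTS65001 when the Graph permissions on the API's own app registration have not been consented. The following diagnostic script is an added example written for this page; it is not code from the issue, from the Azure samples, or from Microsoft.Identity.Web. It builds the OBO token request body, inspects the `aud`/`scp` claims of the incoming token (decoding without signature verification, for diagnosis only), and classifies the JSON error the token endpoint returns. The token and the error payload are constructed samples; `api://guid`, `scope.name` and the 65001 message are taken from the issue text.

```python
"""Diagnostics for the On-Behalf-Of (OBO) exchange an ASP.NET Core Web API
performs before calling Microsoft Graph. Added example for this issue page;
not part of the issue author's code or of Microsoft.Identity.Web.
"""
import base64
import json
import re
from urllib.parse import urlencode

# Standard v2.0 token endpoint and the RFC 7523 grant type Azure AD uses for OBO.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Advice keyed on AADSTS codes; only 65001 is taken from the issue text.
KNOWN_AADSTS = {
    65001: ("consent missing: grant admin consent for the Graph delegated permissions "
            "on the API's own app registration, or let the client complete the "
            "incremental consent it is challenged with (403 + WWW-Authenticate)"),
}


def build_obo_request(tenant_id, client_id, client_secret, incoming_access_token,
                      scope="https://graph.microsoft.com/.default"):
    """Return (url, form_body) for the OBO exchange the middle-tier API sends.

    'assertion' is the token the client presented to the API. The '/.default'
    scope requests every Graph permission already consented on the API's
    registration, which is exactly the consent AADSTS65001 reports as absent.
    """
    form = {
        "grant_type": OBO_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_access_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(form)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED JWT ('alg': 'none') purely as constructed test input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostic use only: never base an authorization decision on this."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_incoming_token(token: str, api_app_id_uri: str, required_scope: str) -> list:
    """Findings about the token the client sent to the API, checked before OBO:
    Azure AD will only exchange a token whose audience is this API, and the
    [RequiredScope] attribute demands the delegated scope in 'scp'."""
    claims = decode_jwt_claims(token)
    findings = []
    if claims.get("aud") != api_app_id_uri:
        findings.append(f"aud is {claims.get('aud')!r}, expected {api_app_id_uri!r}")
    granted = claims.get("scp", "").split()
    if required_scope not in granted:
        findings.append(f"scope {required_scope!r} not present in scp {granted}")
    return findings


def classify_token_error(error_body_json: str) -> dict:
    """Classify the JSON error body the token endpoint returns for a failed OBO."""
    body = json.loads(error_body_json)
    codes = body.get("error_codes") or []
    if not codes:  # fall back to the AADSTSnnnnn prefix in the description
        match = re.search(r"AADSTS(\d+)", body.get("error_description", ""))
        codes = [int(match.group(1))] if match else []
    code = codes[0] if codes else None
    return {
        "error": body.get("error"),
        "suberror": body.get("suberror"),
        "code": code,
        "advice": KNOWN_AADSTS.get(code, "unrecognised AADSTS code; read error_description"),
    }


# Constructed sample of the 65001 response, modelled on the message in the issue.
SAMPLE_CONSENT_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS65001: The user or administrator has not consented to use "
                         "the application with ID 'app-guid' named 'app-name'. Send an "
                         "interactive authorization request for this user and resource.",
    "error_codes": [65001],
    "suberror": "consent_required",
})

if __name__ == "__main__":
    token = make_sample_token({"aud": "api://guid", "scp": "scope.name", "tid": "tenant-guid"})
    print("incoming token findings:", check_incoming_token(token, "api://guid", "scope.name"))
    print("OBO request:", build_obo_request("tenant-guid", "api-client-id", "<secret>", token))
    print("error classification:", classify_token_error(SAMPLE_CONSENT_ERROR))
```

Run it as a script to see the three stages; in a real investigation, feed `decode_jwt_claims` the token captured from the client request and `classify_token_error` the body logged by the API's token acquisition. An empty findings list plus a 65001 classification points at the API registration's consent, not at the client, which matches the "Send an interactive authorization request" hint in the error.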

@jennyf19 jennyf19 added the question Further information is requested label Jan 12, 2024