Access Microsoft graph resources with an auth0 login

Hey @jsorensen.m.
I would say that, overall, you are pretty close. The missing piece is letting Auth0 know that the access token you need from Microsoft should have additional scopes (whatever you need to access through Microsoft’s Graph API).
By default, Auth0 only requests scopes to identify the user, because that’s the only piece it needs. If you need more scopes (e.g. “Files.Read” to access a user’s OneDrive) you’ll have to configure the connection for that.
If you are using the Microsoft Account social connection, you can do so directly from the connection settings:

If you are using Azure AD enterprise connections, the connection setup dialog does not have an option to specify additional scopes, but you can get the same results if you are willing to work with the Management API v2 a bit. The process is described here: Pass Parameters to Identity Providers

You’ll essentially need to PATCH the connection object with an upstream_params entry that looks like this:

PATCH /api/v2/connections/{connection_id}

{
  "options" : {
    [...], //you'll need to put all existing options here, there is no automatic merge
    "upstream_params":{
      "scope": {
        "value":"openid profile email Files.Read"
      }
    }
  }
}

Leave profile email in there to make sure Auth0 gets the user information, and replace Files.Read with the actual scopes you need to request for the Graph API.
It would probably be a good idea to set the Identity API to Microsoft Identity Platform (v2) in the connection settings.

Another option is to add the connection_scope parameter in the /authorize request. This lets you specify the scope dynamically from a specific application instead of hardcoding the values in the connection. If you have multiple applications you’ll need to be careful about this, as the access token is always stored in the same “slot” regardless of which application requested it, so the last login with Azure AD will overwrite whatever was there before.
Finally, take into consideration that if Auth0 sees a session for the user it might not go back to Azure AD to get a new authentication, so the access token stored in the user profile might be expired by the time you retrieve it. You can always force a new authentication with a specific upstream identity provider by using the connection=<connection_name> parameter in the /authorize request.

Sorry for the wall of text, hopefully it points you in the right direction. :+1:
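An added example (not from this thread or from Auth0's own tooling) of the PATCH described above: it copies the connection's existing options before adding upstream_params, because the API does not merge them, and a pre-flight check flags any option the body would silently drop. The connection payload is a constructed sample; tenant_domain and mgmt_token are assumed inputs.

```python
import copy
import json
import urllib.request

# Constructed sample of a GET /api/v2/connections/{connection_id} response for
# an Azure AD (waad) connection; ids and domains are placeholders, not real.
EXISTING_CONNECTION = {
    "id": "con_PLACEHOLDER",
    "strategy": "waad",
    "options": {
        "client_id": "00000000-0000-0000-0000-000000000000",
        "tenant_domain": "example.onmicrosoft.com",
        "identity_api": "microsoft-identity-platform-v2.0",
    },
}
# Scopes Auth0 itself needs so the user profile is still populated afterwards.
BASE_SCOPES = ("openid", "profile", "email")

def build_patch_body(connection, graph_scopes):
    # Copy every existing option: the API replaces "options" wholesale, so any
    # key left out of the body is silently erased on the connection.
    options = copy.deepcopy(connection["options"])
    requested = list(BASE_SCOPES)
    for scope in graph_scopes:  # append Graph scopes, skipping duplicates
        if scope not in requested:
            requested.append(scope)
    options.setdefault("upstream_params", {})["scope"] = {"value": " ".join(requested)}
    return {"options": options}

def dropped_options(connection, patch_body):
    # Pre-flight check: option keys the PATCH body would remove from the connection.
    return sorted(set(connection["options"]) - set(patch_body["options"]))

def patch_connection(tenant_domain, mgmt_token, connection, graph_scopes):
    # Sends the PATCH with a Management API token holding update:connections;
    # refuses to run if the body would drop an existing option.
    body = build_patch_body(connection, graph_scopes)
    missing = dropped_options(connection, body)
    if missing:
        raise ValueError(f"refusing PATCH, body would drop options: {missing}")
    req = urllib.request.Request(
        f"https://{tenant_domain}/api/v2/connections/{connection['id']}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Request only the Graph scopes the application actually needs; every scope added here is granted to the token Auth0 stores in the user profile.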