GraphScope | 🔨 🍇 💻 🚀 GraphScope : A One-Stop Large

After a quick look at your code, I would say that:

1. you are passing a promise to the importSVG function
2. the importSVG function expects to receive a SVG string and your promise will resolve with a PNG image data url

If you want to require AD token from one specific tenant with MSAL.NET, you can tell the SDK from which tenant to obtain the token by mentioning the specific Authority. For more details, please refer to here.

For example

Not quite sure about the context of your application. My code demo is based on this official Angular MSAL demo.

After you have configured this app correctly at src/app/app.module.ts, go to src/profile/profile.component.ts add the function below to get all group names:

This is possible with MS Graph API,

To Get information of users registered with MFA and hasn't, we can use isMfaRegistered property in credentialUserRegistrationDetails .

credentialUserRegistrationDetails help us to get the details of the usage of self-service password reset and multi-factor authentication (MFA) for all registered users. Details include user information, status of registration, and the authentication method used. This is possible programmatically with MS Graph where you will get a JSON reports an can be plugged into other reports or can be represented programmatically itself

Example:

Try the following custom interceptor. For this you need to enable the sid optional claim.

For this problem it seems you do not have permission to get the users. You can refer to the document of the graph api, you need the permission shown as below:

So please go to the application which registered in your azure ad, and click "API permissions", then add the permission into it.

After add the permissions, please do not forget click "Grand admin consent for xxx".

For the question why it still failed when you change the Users to me. You use client credential flow to do authentication to request the graph api, you just provide the information of clientId, tenantId and clientSecret. So it doesn't contain a user(or yourself) information. So you can't use .Me. If you want to use .Me, you can use password grant flow. It contains the user information, so system know who is .Me.

================================Update==============================

If you want to use delegated permission(such as User.ReadBasic.All), you can't use client_credential. Now your code use client_credential flow, the access token doesn't contain user identity. I provide a sample of username/password flow(and use delegated permission User.ReadBasic.All) below for your referencef:

In the "API permissions" tab of the registered app, I just add one permission User.ReadBasic.All.

The code shown as below:

This error is usually caused by an incompatibility between your app registration and the authentication library you are using.

The code in that sample is using the Microsoft Authentication Library (MSAL), which uses the Azure V2 OAuth endpoints, which supports converged auth (both Azure AD accounts and Microsoft accounts). In order for the v2 auth endpoints to work, your app registration MUST come from https://apps.dev.microsoft.com.

If you register your app on the Azure portal (https://portal.azure.com), you'll see this error. That's because the Azure portal registers the app using the Azure v1 OAuth schema.

There is also a case where the https://apps.dev.microsoft.com portal can create a v1 registration. If you login to that portal and you see more than one grouping of apps, with multiple "Add an app" buttons, you need to choose the "Add an app" button for Converged Apps.

Not much of an answer, but too long to put in a comment:

That sample changed recently to use the new OfficeRuntime.auth.getAccessToken. You seem to be using an older version that uses Office.auth.getAccessTokenAsync. That should still work, but it was a preview API and may stop working at some point. Consider cloning the newer version. But wait a few days. I'm about to push some fixes to the new version.

Check to see if you've also added the new scopes to the graphScopes array in the Login action method. (In addition to adding them to the Authorize action method as you've already done.)

Exactly which HTTP call is returning the "Unauthorized"?

What error is being retuned from getAccessToken (or getAccessTokenAsync)? It usually has a 13xxx number.

UPDATE 12/19/19:

Based on your description in your comment "To clarify...", it looks like you are including the token that you get from getAccessToken in your call to MS Graph. This will not work. That token is a "bootstrap token". It gives Office access to your add-in's web app. The web app then needs to use the On Behalf Of Flow to swap that token for a token that gives the web app access to MS Graph. You then include this second token as the Authorization header in the call to Graph. The sample that you linked to in the first sentence of your question does that. Please also see these articles:

Enable SSO in Office Add-ins

Authorize to Microsoft Graph

Finally, be sure that there is a blank space between the string "Bearer" and the token in the Authorization header.

Unfortunately, the ImplicitMSALAuthenticationProvider is not exported explicitly. To work around this you need to explicitly import the class: