Azure - "User account does not exist in organization" when using Microsoft Graph API

Jordan
December 30, 2023
221 views
0 votes
2 Answers

I have validated that my user is in the directory associated with this tenant id, as well as added as a user to the registered application associated with this clientid and I still get the following error:

‘AuthenticationRequiredError: invalid_request: 700056 – [2023-12-10 22:03:29Z]: AADSTS700056: User account does not exist in organization.

import {UsernamePasswordCredential} from '@azure/identity';
import {TokenCredentialAuthenticationProvider} from '@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials/index.js';
import { Client } from '@microsoft/microsoft-graph-client';

const credential = new UsernamePasswordCredential(
    '9d1d3c46-2270-4b75-9647-04a2e0f4995e',
    '9fbaff4b-0387-4695-ae25-2da4bbceed76',
    '[email protected]',
    '*******'
  );
  
  // @microsoft/microsoft-graph-client/authProviders/azureTokenCredentials
  const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: ['User.Read'],
  });
  
 const graphClient = Client.initWithMiddleware({ authProvider: authProvider });



const calendar = {
    name: 'test'
};

await graphClient.api('/me/calendars').post(calendar);

Answers

Chosen as BEST ANSWER
- Jordan
- December 14, 2023 at 2:51 pm
- 0 votes
0
After realizing that ROPC flow would never work for my account type, I adopted the authorization code flow as follows.

First I got the authorization code using the following:
```
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?&client_id=fbc9f4f3-88ba-4db4-b931-67fa00cfee73&response_type=code&redirect_uri=https://jwt.ms&scope=Calendars.Read&state=12345
```
Then I ran the following code with that auth code:
```
import { AuthorizationCodeCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from "@microsoft/microsoft- 
graph-client/authProviders/azureTokenCredentials/index.js"
import { Client } from '@microsoft/microsoft-graph-client';

const credential = new AuthorizationCodeCredential(
'common',
'fbc9f4f3-88ba-4db4-b931-67fa00cfee73',
'****~Q3hJRe5Liuo6wDs83Lw_Opo5ne5ad85afF',
'M.C104_BL2.2.873f4e8e-f1ab-f454-f00a-bf3ea97fb348&state=12345',
'https://jwt.ms',
 );

  // @microsoft/microsoft-graph-client/authProviders/azureTokenCredentials
 const authProvider = new TokenCredentialAuthenticationProvider(credential, {
scopes: ['Calendars.Read'],
 });

  const graphClient = Client.initWithMiddleware({ authProvider: authProvider });

  const calendar = {
name: 'test'
};

 await graphClient.api('/me/calendars').post(calendar);
```
This cause the following error: "AuthenticationRequiredError: invalid_grant: 70000 - [2023-12-14 05:17:27Z]: AADSTS70000: The provided value for the 'code' parameter is not valid. Trace ID: 2c881645-e511-4756-922c-0d52d1771001 Correlation ID: 65b6a746-3197-4f9b-bb78-80fed6b2a2f3 Timestamp: 2023-12-14 05:17:27Z - Correlation ID: 65b6a746-3197-4f9b-bb78-80fed6b2a2f3 - Trace ID: 2c881645-e511-4756-922c-0d52d1771001"

I've managed to get it to work, after realizing I was passing the auth code with the state query param at the end. I now get the following error:

'AuthenticationRequiredError: invalid_grant: 70000 - [2023-12-14 14:36:37Z]: AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope. Trace ID: 8b086326-7e1d-4a4e-96d5-cbc935f54900 Correlation ID: 6cdf9f0b-affe-4443-8a71-7d5b78f7d18b Timestamp: 2023-12-14 14:36:37Z - Correlation ID: 6cdf9f0b-affe-4443-8a71-7d5b78f7d18b - Trace ID: 8b086326-7e1d-4a4e-96d5-cbc935f54900'

My app registration permissions are as follows:

I've changed up the code a little and get the following:

(Edit)

- Rukmini
- December 12, 2023 at 8:42 am
- 0 votes
0
Note that: ROPC flow doesn’t allow support personal accounts. The personal accounts which are invited cannot use ROPC flow. Refer this MsDoc . Only work accounts are supported.

I generated access token via ROPC via Postman:
```
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

grant_type:password
scope:user.read
username:[email protected]
password:***
client_id:ClientID
```
To resolve the issue, either make use of work/school account or switch the authentication flow and make use of Authorization code flow.

To fetch the calendar details, create an Azure AD application and grant Calendars.Read API permission:

Generate auth-code by using below endpoint:
```
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=Calendars.Read
&state=12345
```
Now generate access token by using below parameters:

I am able to fetch the calendar details successfully:
```
https://graph.microsoft.com/v1.0/me/calendar
```
You can make use of below c# code:
```
using Azure.Identity;
using Microsoft.Graph;

var scopes = new[] { "Calendars.Read" };
var tenantId = "common";
var clientId = "ClientID";
var clientSecret = "ClientSecret";
var authorizationCode = "code";

var options = new AuthorizationCodeCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};

var authCodeCredential = new AuthorizationCodeCredential(
    tenantId, clientId, clientSecret, authorizationCode, options);

var graphClient = new GraphServiceClient(authCodeCredential, scopes);
var result = await graphClient.Me.Calendar.GetAsync();

Console.WriteLine(result);
```
Reference:

Get calendar – Microsoft Graph v1.0 | Microsoft
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Azure – "User account does not exist in organization" when using Microsoft Graph API

Answers