Graph API Office 365 usage report - Forbidden

↘锁芯ラ submitted on 2019-12-12 05:28:51

Question


I am trying to use the Office 365 usage reports in the Graph API. I would like, for example, to export the EmailActivity report with the request GET /reports/EmailActivity(view=view-value, period=period-value, date=date-value)/content

When I try the example https://graph.microsoft.com/beta/reports/EmailActivity(view='Detail',period='D7')/content in Graph Explorer, I get the following error:

Failure - Status Code 403 705ms Looks like you may not have the permissions for this call. Please modify your permissions.

    {
        "error": {
            "code": "Forbidden",
            "message": "Invalid scope claims/roles.",
            "innerError": {
                "request-id": "f1f89dcf-b2df-4537-a4ad-f07ccfff2899",
                "date": "2017-07-05T17:01:23"
            }
        }
    }

I don't understand, because I am logged in as an admin of Office 365 and I have added almost all the permissions. What did I miss?

Edit: More details. I use Graph Explorer; when I click to grant access

I have the confirmation

I have the admin right

I try my request in Graph Explorer

And I have my error

I don't know what I could do better.


Answer 1:


According to the Get EmailActivity report document, reading that report needs the Reports.Read.All permission. And according to the Reports permissions of the Microsoft Graph API, Reports.Read.All is an application permission which allows an app to read all service usage reports without a signed-in user. To call that API, you need to use the client credential flow to acquire a token with the app identity:

  1. Add the Read all usage reports application permission of Microsoft Graph in your Azure AD application:

  2. Grant that application permission by clicking the Grant Permissions button in the above screenshot with an admin account of your AAD.

  3. Use the client credential flow to acquire an access token for Microsoft Graph:

    POST https://login.microsoftonline.com/chencl.onmicrosoft.com/oauth2/token
    
    grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&resource=https%3A%2F%2Fgraph.microsoft.com%2F
    

    After you get the access token, you could decode the token using an online tool; you should find Reports.Read.All in the roles claim.

  4. Then you could call the EmailActivity API; it returns a 302 Found response redirecting to a pre-authenticated download URL for the report:

Please let me know if it helps.
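
The roles-claim check from step 3, as an added example that is not part of the original answer: it decodes the token payload locally, so the bearer token never has to be pasted into a third-party site, and reports whether Reports.Read.All arrives in `roles` (application permission) or `scp` (delegated permission). The function names and the unsigned sample tokens are constructed for illustration.

```python
import base64
import json

REQUIRED_ROLE = "Reports.Read.All"  # permission named in the answer above


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def inspect_token(token: str, required: str = REQUIRED_ROLE) -> dict:
    """Summarise which claim, if any, carries the required permission."""
    claims = jwt_claims(token)
    roles = claims.get("roles") or []            # application permissions (app-only token)
    scopes = (claims.get("scp") or "").split()   # delegated permissions (signed-in user)
    return {
        "audience": claims.get("aud"),
        "app_only": bool(roles) and not scopes,
        "in_roles": required in roles,
        "in_scp": required in scopes,
    }


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    app_token = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["Reports.Read.All"]})
    user_token = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read"})
    print(inspect_token(app_token))
    print(inspect_token(user_token))
```
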




Answer 2:


If you are using the Application Registration Portal to get the token:

  1. In the Application Registration Portal, set the permissions that you need, for example Mail.Read and Directory.AccessAsUser.All. You always need to use Directory.AccessAsUser.All if you want to get the token.
  2. After saving in the Application Registration Portal, go to the Azure Portal; in Azure Active Directory --> Enterprise applications --> click on your application --> "click in consent permission for username..." --> log in --> accept.
  3. Use a library such as hellojs and get a token.


Source: https://stackoverflow.com/questions/44932155/graph-api-office-365-usage-report-forbidden
