Office 365 specialist working at Wortell in the Netherlands. When following the steps outlined in the documentation at the second link, authentication is successful but exceptions are thrown in the Get and Put methods in TodoListController, the reason being that the code samples find the first claim with type "http://schemas.microsoft.com/identity/claims/scope" and expect it to have the value "user_impersonation", otherwise they throw an exception. Mind you, this is the first time I'm trying to authenticate against Azure AD, so I apologize in advance if this is not an issue and the problem is my lack of understanding/knowledge on the subject. It doesn't use any special frameworks or SDKs to do so, just plain old HTTP calls to resource endpoints, and some TypeScript goodness to provide some type safety around inputs and outputs to and from the API. We have to use a broader scope for Exchange access rights: Room Impersonation. Today Azure AD does not send scope claims when using the client credentials OAuth flow. By using delegated permissions, the client will make the call in the user's context. This means the access token will contain information about the user, as well as information about the calling app. The API can then easily filter the data so that only that user's data is returned. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The scope parameter is a space-separated list of delegated permissions that the app is requesting. CustomRecipientScope – The scope of users that the service account can impersonate. But the hardest bit is authenticating, since Dynamics 365 Online uses OAuth 2.0 as its authentication method: a valid bearer access token issued by Microsoft Azure Active Directory is needed and must be sent with every HTTP request to the Web API.
With Azure AD, API Permissions serve two purposes: they enforce the consent process, which has two layers in Azure Active Directory. Just this one scope, no others are required. The following example shows how to configure a service account to impersonate all users in a scope. Please take the following limitations into account (compared with Room + User Impersonation) when this configuration is applied: The configuration UX is unfortunately misleading, because you can set what looks like a scope to be sent, but nothing gets sent. This documentation only shows how to ask permissions for the Graph API, but for your custom Web API you should add the following request in the package-solution.json file: The part you need to add is the webApiPermissionRequests part. Learn how to grant the impersonation role to a service account by using the Exchange Management Shell. Here is what our permission could look like: A few things to note: 1. Before assigning your service account the ApplicationImpersonation role, take a moment to update which accounts Robin can impersonate. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller's account. Microsoft Apps and Services MVP. Yup, that strikes again here. This was present for Microsoft Graph but I have since deleted that entry. Waldek was also mentioning this issue, but his resolution was not the case in my situation. But for now: hopefully this helps anyone else attempting to work with the Azure Management REST API. Yep, I figured that out soon after I filed the issue. http://schemas.microsoft.com/identity/claims/scope. I didn't. When you or your Exchange server administrator assigns the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet: Name – The friendly name of the role assignment.
With this option we will only synchronize meetings between Rooms. Each permission is indicated by appending the permission value to the resource's identifier (the Application ID URI). We would like for a consuming app to be able to read the todo items of a user.