I am developing a multi-tenant web app managing the mail, contacts and calendar of users.
On the Azure AD management portal, I registered my app as multi-tenant, and I manage to get OAuth tokens for people both outside and inside my tenancy, replacing the tenantId with "common" when querying the Authentication Code and Token endpoints.
Now, I would like to access calendar, mail and contacts info of people who signed in and consented to give permissions to my app.
I started simple, by querying the basic user info of a user inside my tenancy like this:
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
or
GET https://graph.windows.net/-tennantId-/users/[email protected]?api-version=2013-11-08
{headers: {Authorization: "Bearer -accessToken-"}}
It works!
Now, how can I access information about users who are outside my tenancy? I tried:
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
GET https://graph.windows.net/-tennantId-/users/[email protected]?api-version=2013-11-08
GET https://graph.windows.net/common/me?api-version=2013-11-08
GET https://graph.windows.net/common/users/[email protected]?api-version=2013-11-08
I always end up with a 400 error:
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid domain name in the request url."}}}
Any idea what I am doing wrong?
Ah-ah!
Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth!
The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"!
This will work:
https://graph.windows.net/myorganization/me?api-version=2013-11-08
Oh, it was clearly written in the doc, but... but... MICROSOOOOOFT!!!
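Added example, not part of the original post or Microsoft's code: a request builder that always uses the "myorganization" alias from the answer and reads the tenant from the token for per-tenant logging instead of hard-coding the app's own tenant ID. It assumes the access token is a JWT carrying the tenant in a `tid` claim; the function names and sample token are constructed for illustration.

```javascript
const GRAPH_ROOT = "https://graph.windows.net";
const API_VERSION = "2013-11-08"; // version used in the post

// Decode the JWT payload WITHOUT verifying the signature. Good enough for
// routing and logging only; never base an authorization decision on it.
function readClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// True when the signed-in user belongs to a tenant other than the app's own.
// homeTenantId is a hypothetical config value (assumption).
function isForeignTenant(accessToken, homeTenantId) {
  return readClaims(accessToken).tid !== homeTenantId;
}

// Build the "me" request. The tenant segment is the alias, never the app's
// tenant ID and never "common" (which the post shows returning a 400).
function buildMeRequest(accessToken) {
  const { tid } = readClaims(accessToken);
  return {
    method: "GET",
    url: `${GRAPH_ROOT}/myorganization/me?api-version=${API_VERSION}`,
    headers: { Authorization: `Bearer ${accessToken}` },
    tokenTenant: tid, // keep with stored data so tenants stay partitioned
  };
}

// Constructed, unsigned sample token for offline use.
function fakeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.sig`;
}

const sample = fakeToken({ tid: "tenant-b-constructed", upn: "user@example.test" });
console.log(buildMeRequest(sample).url);
```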