"User account does not exist in organization" when using Microsoft Graph API


I have validated that my user is in the directory associated with this tenant id, as well as added as a user to the registered application associated with this client id, and I still get the following error:

'AuthenticationRequiredError: invalid_request: 700056 - [2023-12-10 22:03:29Z]: AADSTS700056: User account does not exist in organization.

import { UsernamePasswordCredential } from '@azure/identity';
import { TokenCredentialAuthenticationProvider } from '@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials/index.js';
import { Client } from '@microsoft/microsoft-graph-client';

const credential = new UsernamePasswordCredential(
  '9d1d3c46-2270-4b75-9647-04a2e0f4995e',   // tenant id
  '9fbaff4b-0387-4695-ae25-2da4bbceed76',   // client id
  '[email protected]',
  '*******'
);

// @microsoft/microsoft-graph-client/authProviders/azureTokenCredentials
const authProvider = new TokenCredentialAuthenticationProvider(credential, {
  scopes: ['User.Read'],
});

const graphClient = Client.initWithMiddleware({ authProvider: authProvider });

const calendar = {
  name: 'test'
};

await graphClient.api('/me/calendars').post(calendar);

There are 2 answers

Rukmini On

Note that the ROPC flow doesn't support personal accounts. Personal accounts which are invited cannot use the ROPC flow. Refer to this MsDoc. Only work accounts are supported.

I generated an access token via ROPC in Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

grant_type:password
scope:user.read
username:[email protected]
password:***
client_id:ClientID


To resolve the issue, either make use of a work/school account or switch the authentication flow and make use of the authorization code flow.

To fetch the calendar details, create an Azure AD application and grant the Calendars.Read API permission:


Generate an auth code by using the below endpoint:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=Calendars.Read
&state=12345


Now generate an access token by using the below parameters:


I am able to fetch the calendar details successfully:

https://graph.microsoft.com/v1.0/me/calendar


You can make use of the below C# code:

using Azure.Identity;
using Microsoft.Graph;

var scopes = new[] { "Calendars.Read" };
var tenantId = "common";
var clientId = "ClientID";
var clientSecret = "ClientSecret";
var authorizationCode = "code";

var options = new AuthorizationCodeCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};

var authCodeCredential = new AuthorizationCodeCredential(
    tenantId, clientId, clientSecret, authorizationCode, options);

var graphClient = new GraphServiceClient(authCodeCredential, scopes);
var result = await graphClient.Me.Calendar.GetAsync();

Console.WriteLine(result);

Reference:

Get calendar - Microsoft Graph v1.0 | Microsoft

Jordan On

After realizing that ROPC flow would never work for my account type, I adopted the authorization code flow as follows.

First I got the authorization code using the following:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?&client_id=fbc9f4f3-88ba-4db4-b931-67fa00cfee73&response_type=code&redirect_uri=https://jwt.ms&scope=Calendars.Read&state=12345


Then I ran the following code with that auth code:

import { AuthorizationCodeCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials/index.js";
import { Client } from '@microsoft/microsoft-graph-client';

// AuthorizationCodeCredential(tenantId, clientId, clientSecret, authorizationCode, redirectUri)
const credential = new AuthorizationCodeCredential(
  'common',
  'fbc9f4f3-88ba-4db4-b931-67fa00cfee73',
  '****~Q3hJRe5Liuo6wDs83Lw_Opo5ne5ad85afF',
  'M.C104_BL2.2.873f4e8e-f1ab-f454-f00a-bf3ea97fb348&state=12345',   // value copied from the redirect URL
  'https://jwt.ms',
);

// @microsoft/microsoft-graph-client/authProviders/azureTokenCredentials
const authProvider = new TokenCredentialAuthenticationProvider(credential, {
  scopes: ['Calendars.Read'],
});

const graphClient = Client.initWithMiddleware({ authProvider: authProvider });

const calendar = {
  name: 'test'
};

await graphClient.api('/me/calendars').post(calendar);

This caused the following error: "AuthenticationRequiredError: invalid_grant: 70000 - [2023-12-14 05:17:27Z]: AADSTS70000: The provided value for the 'code' parameter is not valid. Trace ID: 2c881645-e511-4756-922c-0d52d1771001 Correlation ID: 65b6a746-3197-4f9b-bb78-80fed6b2a2f3 Timestamp: 2023-12-14 05:17:27Z - Correlation ID: 65b6a746-3197-4f9b-bb78-80fed6b2a2f3 - Trace ID: 2c881645-e511-4756-922c-0d52d1771001"

I've managed to get it to work, after realizing I was passing the auth code with the state query param at the end. I now get the following error:

'AuthenticationRequiredError: invalid_grant: 70000 - [2023-12-14 14:36:37Z]: AADSTS70000: The request was denied because one or more scopes requested are unauthorized or expired. The user must first sign in and grant the client application access to the requested scope. Trace ID: 8b086326-7e1d-4a4e-96d5-cbc935f54900 Correlation ID: 6cdf9f0b-affe-4443-8a71-7d5b78f7d18b Timestamp: 2023-12-14 14:36:37Z - Correlation ID: 6cdf9f0b-affe-4443-8a71-7d5b78f7d18b - Trace ID: 8b086326-7e1d-4a4e-96d5-cbc935f54900'

My app registration permissions are as follows:


I've changed up the code a little and get the following:

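The authorization code flow suggested in the accepted answer, and the mistake described in the second answer (passing the code with `&state=12345` still attached), both come down to handling the authorize redirect correctly. The following is an added example, not code from the question or either answer: it builds the authorize URL and parses the redirect so that only the bare `code` is handed to `AuthorizationCodeCredential`, rejecting a redirect whose `state` does not match. The client id, redirect URI and sample redirect are constructed placeholders.

```javascript
// Added example: authorize URL construction and redirect parsing for the
// Microsoft identity platform authorization code flow (v2.0 endpoint).
// Client id and the sample redirect below are constructed placeholders.

function buildAuthorizeUrl({ tenant, clientId, redirectUri, scopes, state }) {
  const url = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_mode', 'query');
  url.searchParams.set('scope', scopes.join(' '));   // space-separated scope list
  url.searchParams.set('state', state);              // echoed back, checked below
  return url.toString();
}

// Parse the redirect back from the authorize endpoint. Throws on an error
// response, on a missing code, and when `state` differs from the value we
// sent (so a redirect that did not originate from our request is rejected).
// Returns the bare code only: never the trailing `&state=...`.
function extractAuthorizationCode(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  if (params.has('error')) {
    throw new Error(`${params.get('error')}: ${params.get('error_description') ?? ''}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: redirect does not belong to this request');
  }
  const code = params.get('code');
  if (!code) throw new Error('redirect carries no authorization code');
  return code;
}

// Constructed sample redirect, shaped like what a browser delivers to redirect_uri.
const SAMPLE_REDIRECT =
  'https://jwt.ms/?code=M.C104_EXAMPLE.aaaa-bbbb&state=12345&session_state=xyz';

// Creating a calendar with POST /me/calendars needs the delegated
// Calendars.ReadWrite permission; Calendars.Read only covers GET.
const authorizeUrl = buildAuthorizeUrl({
  tenant: 'common',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://jwt.ms',
  scopes: ['Calendars.ReadWrite'],
  state: '12345',
});
console.log(authorizeUrl);
console.log(extractAuthorizationCode(SAMPLE_REDIRECT, '12345'));
```

The value returned by `extractAuthorizationCode` is what goes into the fourth constructor argument of `AuthorizationCodeCredential`.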