Hey Terry,
I'm not 100% sure what the underlying issue is, yet, but I've only been able to successfully access the Graph /reports endpoint using Reports.Read.All as a delegated permission. And I tried with both the Azure AD provider type, and also the standard WebAPI > OAuth type. In all cases I was getting the same S2SUnauthorized error message.
I did come across a few bug reports on GitHub for application permissions in this context but no fixes or workarounds.
Note that the PS sample above is using the client_credentials OAuth flow, not the authorization_code flow that our Azure AD provider uses, so that test above isn't strictly a like-for-like comparison. That being said, using the WebAPI > OAuth provider with either of those flows gives the same outcome so there's likely some additional investigation needed on our side.
That script above can be used with our new PowerShell tiles though, so if app permissions are a must, try using the PS tiles as follows…
Create a profile under System > PowerShell containing
$clientSecret = "client-secret"
$clientId = "client-id"
$tenantId = "tenant-id"
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
Then add the last part to the tile of your choice to pull back data.
# The backtick stops PowerShell from expanding $format as a variable inside the double-quoted string
$uri = "https://graph.microsoft.com/beta/reports/getMailboxUsageMailboxCounts(period='D30')?`$format=application/json"
$query = Invoke-RestMethod -Method Get -Uri $uri -ContentType "application/json" -Headers @{Authorization = "Bearer $token"} -ErrorAction Stop
$query
Note you'll likely need to add some additional manipulation to your script to format the contents of $query in a useful way i.e. to create readable timestamps for line graphs, multiple columns or groupings for grids/donuts etc.
Delegated permissions will solve this for you, but if that's not acceptable, PowerShell for the
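
An added example, not part of the original post: when the /reports call is rejected, decoding the access token shows whether it carries Reports.Read.All as an application permission (`roles` claim, issued by client_credentials) or as a delegated permission (`scp` claim). The function names and the unsigned sample token are constructed for illustration; the code only decodes the payload and does not validate the signature.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-GraphTokenPermission {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # roles = application permissions; scp = space-separated delegated permissions
    $roles  = @($claims.roles | Where-Object { $_ })
    $scopes = @()
    if ($claims.scp) { $scopes = @($claims.scp -split ' ') }
    [pscustomobject]@{
        Audience    = $claims.aud
        TokenType   = if ($roles.Count) { 'application' } elseif ($scopes.Count) { 'delegated' } else { 'none' }
        Permissions = $roles + $scopes
        ExpiresUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
}

# Hypothetical helper, used only to build the constructed sample token below
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample: an unsigned token shaped like a client_credentials result
$payload = @{ aud = 'https://graph.microsoft.com'; roles = @('Reports.Read.All'); exp = 1893456000 } |
    ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'

$info = Get-GraphTokenPermission -AccessToken $sample
$info | Format-List
if ($info.Permissions -notcontains 'Reports.Read.All') {
    Write-Warning 'Token does not carry Reports.Read.All; check consent for the app registration.'
}
```

To inspect a real token, pass the `$token` variable from the profile script to `Get-GraphTokenPermission` and keep the output out of shared logs, since the token itself is a bearer credential.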