[Client bug]: Getting "The user is unauthenticated." when creating a new EmailAuthenticationMethod #2265

Closed
quinterojose opened this issue Dec 22, 2023 · 7 comments


@quinterojose

Describe the bug
I'm unable to create a new EmailAuthenticationMethod for a User. I keep getting Microsoft.Graph.Models.ODataErrors.ODataError with Message = "The user is unauthenticated." and Error.Code = "unauthenticated".

To Reproduce
Run example provided in docs at https://learn.microsoft.com/en-us/graph/api/authentication-post-emailmethods?view=graph-rest-1.0&tabs=csharp

private async Task SetUserAuthenticationMethods(string? userId, string? email)
{
    var requestBody = new EmailAuthenticationMethod
    {
        EmailAddress = email,
    };
    var result = await graphServiceClient.Users[userId].Authentication.EmailMethods.PostAsync(requestBody);
}

Expected behavior
No exception occurs and a new emailAuthenticationMethod is added to the list of authentication methods.

Client version
5.35.0

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Edge

Additional context
I am connecting to Microsoft Graph using an app token (RequestAppToken = true) and ensured I have UserAuthenticationMethod.ReadWrite.All permission granted in the app registration. I am able to perform other actions such as creating the User as well as creating AppRoleAssignments in the same application.

If I make a call to the Microsoft Graph API directly using Postman the authentication method is added successfully. The Postman call is authenticated using the same Client Credentials.

I am also able to successfully set the authentication method on the User directly in the Microsoft Entra UI.

@andrueastman
Member

Thanks for raising this @quinterojose

Any chance you can share the code sample used when instantiating the GraphServiceClient? Also out of curiosity, does doing a change similar to this have any effect on the success of the call? #1969 (comment)

@quinterojose
Author

The GraphServiceClient is being initialized as follows:

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftGraphConfig:ClientConfig"))
    .AddInMemoryTokenCaches();

Relevant sections from config file:

{
    "AzureAd": {
        "Instance": "https://xxxxxxxx.ciamlogin.com",
        "ClientId": "00000000-0000-0000-0000-000000000000",
        "TenantId": "00000000-0000-0000-0000-000000000000"
    },
    "MicrosoftGraphConfig": {
        "ClientConfig": {
            "Scopes": "https://graph.microsoft.com/.default",
            "RequestAppToken": true
        }
    }
}

I modified my code to match the sample in #1969 (comment) as follows:

private async Task SetUserAuthenticationMethods(string? userId, string? email)
{
    var emailAuthenticationMethod = new EmailAuthenticationMethod();
    emailAuthenticationMethod.BackingStore.Clear();
    emailAuthenticationMethod.EmailAddress = email;
    await graphServiceClient.Users[userId].Authentication.EmailMethods.PostAsync(emailAuthenticationMethod);
}

I'm still getting the same error:

Microsoft.Graph.Models.ODataErrors.ODataError: The user is unauthenticated.

All other GraphServiceClient operations work fine such as adding, updating and deleting users, getting service principals and app roles, deleting and adding app role assignments, etc.

@quinterojose
Author

I also tried with Postman using the same client credentials token but I am getting the same response:

POST /v1.0/users/00000000-0000-0000-0000-000000000000/authentication/emailMethods HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLC...
User-Agent: PostmanRuntime/7.36.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 5aa59c2a-a650-4e4e-91ad-119773e121e8
Host: graph.microsoft.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 46
 
{
"emailAddress":"[email protected]"
}
 
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Content-Type: application/json
Content-Encoding: gzip
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: bb8ea1fa-9c59-4cfb-9dca-3bba3396cdf3
client-request-id: bb8ea1fa-9c59-4cfb-9dca-3bba3396cdf3
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"CH01EPF00007316"}}
Date: Thu, 04 Jan 2024 15:01:27 GMT
 
{"error":{"code":"unauthenticated","message":"The user is unauthenticated.","innerError":{"message":"The user is unauthenticated.","date":"2024-01-04T15:01:28","request-id":"bb8ea1fa-9c59-4cfb-9dca-3bba3396cdf3","client-request-id":"bb8ea1fa-9c59-4cfb-9dca-3bba3396cdf3"}}}

I checked the bearer token and the correct scope is being passed:

"roles": [
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Application.Read.All"
  ],


@quinterojose
Author

Any update on this?

@andrueastman
Member

Apologies for the delayed response @quinterojose

Any chance you can confirm the value of the idtyp and iss properties of the token as well?

@quinterojose
Author

The values are:

"iss": "https://sts.windows.net/fb968456-6429-4558-9189-979874d57d9d/",
"idtyp": "app",

However, I tried the same call today with Postman and it was successful. The same call with the application succeeded as well.

The only difference in the application is that the initial attempt was using Microsoft.Identity.Web.GraphServiceClient 2.16.0 where today I'm using 2.16.1.

The issue seems to be resolved, however I'm not sure whether updating from 2.16.0 to 2.16.1 resolved the issue or something else since Postman does not use Microsoft.Identity.Web.GraphServiceClient and is going directly to the Graph API.
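
Added example, not part of the thread or of the SDK: one way to run the token checks discussed above (the roles, idtyp and iss claims) on an access token copied from Postman, using only the Python standard library. The function names, the placeholder tenant ID and the unsigned sample tokens are constructed for illustration, and the signature is deliberately not verified.

```python
import base64
import json

# Application permission the reporter granted for POST .../authentication/emailMethods
REQUIRED_ROLE = "UserAuthenticationMethod.ReadWrite.All"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified, so
    use this to inspect your own token, never to make an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))  # ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def check_app_token(token, tenant_id, required_role=REQUIRED_ROLE):
    """List findings that would explain a rejected app-only Graph call."""
    claims = decode_claims(token)
    findings = []
    if claims.get("idtyp") != "app":
        findings.append("idtyp is %r, expected 'app'" % (claims.get("idtyp"),))
    if required_role not in (claims.get("roles") or []):
        findings.append("roles claim lacks " + required_role)
    if tenant_id not in str(claims.get("iss", "")):
        findings.append("iss %r is not tenant %s" % (claims.get("iss"), tenant_id))
    return findings


def make_sample(claims):
    """Build an unsigned token from constructed claims, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"typ": "JWT", "alg": "none"}), enc(claims))


ISS = "https://sts.windows.net/%s/" % TENANT
GOOD = make_sample({"iss": ISS, "idtyp": "app",
                    "roles": ["User.ReadWrite.All", REQUIRED_ROLE]})
BAD = make_sample({"iss": ISS, "roles": ["User.ReadWrite.All"]})  # constructed

if __name__ == "__main__":
    print(check_app_token(GOOD, TENANT))
    print(check_app_token(BAD, TENANT))
```

An empty findings list, as with the token in this thread, means the claims are not the cause and points at the service side instead.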

@andrueastman
Member

Thanks for getting back @quinterojose

Glad to hear it's working now. As you suggest it seems like something may have been fixed from the API end. I don't think it has anything to do with the client versions.
We'll close this for now. Feel free to open a new issue in case of anything else.
