Develop Reference

Logic Apps and Configuring Office 365 Email

Configuring a new service connection to Office 365 from the "Send email via Office 365 Outlook" connector in Logic Apps is failing on Save with the following error -
Failing to save logic app . The client has
permission to perform action 'Microsoft/.Logic/workflows/write' on
scope , however, it does not have permission
to perform action 'join/action' on the linked scope
'/providers/microsoft.web/connections/office365'.
If I am asking for the permissions for the second part what role is that? It seems to be something in Office 365.

When you using the Office 365 connecter in the logic app(login your user account to auth successfully), it will create a office365 API connection (i.e. microsoft.web/connections/office365 mentioned in the error) in your resource group.
So to solve the issue, you also need permission at resource group/subscription level, not only at logic app level, just navigate to the resource group/subscription which the logic app located -> Access control (IAM) -> add an RBAC role e.g. Contributor like below.
Update:
For the specific error in your question, the least permission is Microsoft.Web/connections/Join/Action with no doubt, but if you want to do your stuff successfully, the permission I recommend is Microsoft.Web/connections/*, it is small enough, it includes the permissions below, source.
Of course, you can only use Microsoft.Web/connections/Join/Action, but it may raise another permission error, then you need to fix it again, all depend on your requirements.
To create the custom role, follow this doc, in the step 6, use the json like below.
{
"properties": {
"roleName": "LogicAPIConnRole",
"description": "test",
"assignableScopes": [
"/subscriptions/xxxxx"
],
"permissions": [
{
"actions": [
"Microsoft.Web/connections/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
After the creation, assign the role at the office365 API connection scope, it will work fine.

How to request access for Microsoft Graph Explorer?

I want to add Group.ReadAll and Group.ReadWrite.All permissions to Graph Explorer. When I open the permissions and add them I'm told I need admin approval, although these specific permissions do not require approval. I want to add these permissions without taking away existing admin approvals. How do I do this? The pop up does not have an option to ask that and 2018's solution is not working for me! I just cannot move on to permissions request page or anything similar. I do not find Graph Explorer in AAD apps or anywhere. How can I request admin to provide these permissions to Graph Explorer to my account?

In the Microsoft Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
when you query related to Groups(https://graph.microsoft.com/v1.0/groups), you will get below error which says you don't have access to
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-08-08T11:36:28",
"request-id": "b3bd3b88-a1b2-4a57-9e60-c495daf7f528"
}
In order to have the access, org admin can provide the access by following the below steps:
Login to Graph Explorer.
Select Permission.
Group.Read.All and Group.ReadWrite.All (Below is the screenshot)
Admin will get below screen
Now any users from the org can do group related operations.

Insufficient privileges to write to schema extensions

I've registered a schema extension for users.
I'd like to use it to store data about users after they login to an app, however I cant figure out the permissions. On my (admin) account I'm able to, no problem but on normal user accounts I receive:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2ee94ed5-f351-4992-8db0-2e3b420aa581",
"date": "2017-10-04T09:37:49"
}
}
The reason I'm using a schema extension instead of an open extensions (which does work), is that I need to be able to filter users by their extension. I cant seem to do this with an open extension.
The PATCH request is as follows:
https://graph.microsoft.com/v1.0/me
{
"extkh2zr49b_notifications":{
"badgeCount":"0",
"pushToken":"test",
}
}
And my delegated permissions for the app are:
profile, openid, Directory.AccessAsUser.All, Directory.ReadWrite.All, User.ReadWrite.All

I've concluded its impossible for normal users to edit their schema extensions. I tried granting every available permission.
I ended up using an open extension instead. I was able to return all of members of a group as well as their extensions. This was enough for me (far better than checking every user in the organisation for an extension...)
The query is below:
https://graph.microsoft.com/v1.0/groups/[id]/members/$/microsoft.graph.user?$expand=extensions&$select=id
I couldn't find this in any of Microsoft's official documentation so hopefully it continues to work!

Before a normal user can leverage certain scopes, you first need to provide Admin Consent for those scopes. In your case the scopes Directory.AccessAsUser.All, Directory.ReadWrite.All and User.ReadWrite.All require consent.
You might find this article helpful: v2 Endpoint and Admin Consent.

google app engine cloud resource new project permissions error

I'm currently trying to create a new App Engine project using the endpoint outlined here:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/create
The actual endpoint is https://cloudresourcemanager.googleapis.com/v1beta1/projects
However, when I authenticate via oauth and submit a POST request, I get the following payload:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I have full access to the engine via my Owner role, so I'm not sure what the issue here is?
Does anyone have any ideas?
Many Thanks

you need to make sure you have service account for your application , and you need to make sure that the API is enabled .

On the Cloud Resource Manager page there is a note stating (emphasis mine):
Programmatically create, manage, and delete projects that belong to
your organization. You can also undelete or recover projects that you
didn’t mean to delete. Access to Cloud Resource Manager project
creation is currently invite-only. For an invitation, contact our
sales team.
Did you obtain such invitation? If not then the Owner role you're mentioning is likely not the right one needed for the Cloud Resource Manager operation.

Access Denied in Aure Portral after creating an AD B2C Tenant

I created an AD B2C Tenant in the legacy Azure portal. When I click the link that takes me to the new Azure portal to continue managing my new Tenant I get an "Access Denied" error on the blade, followed by the message:
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Does this have anything to do with the fact that my Microsoft account (that I used to manage Azure) is also tied to Office 360?

elabs - a few questions for you:
when you say your MSA used to manage Azure is tied to your O365 subscription, do you simply mean that you have both an MSA and a AAD account with the same name? what do you mean that your accounts are tied?
What OS are you seeing this issue on?
are you sure your signed in with an MSA or Work Account
How to Find out - from the old portal use CTRL+ALT+A and look at EMAIL Address; You'll see either (Org) or (MSA) at the end.
What is the exact error message and the URL where the error is received. Do you see a correlation ID or Request ID along with the message?
I've tried every avenue possible to reproduced this issue that I know and simply can't get the result you encountered.
Chris