I am trying to create Subject Request (for privacy/compliance).
I am using a MS OAuth app to generate a token with scope = SubjectRightsRequest.ReadWrite.All,
I am able to generate the OAuth token and GET list of all subject requests
GET https://graph.microsoft.com/v1.0/privacy/subjectRightsRequests
Content-Type: application/json
200 OK
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#privacy/subjectRightsRequests",
"value": []
}
But getting 403 and message=UnkownError when creating a Subject Request
Example Request:
POST https://graph.microsoft.com/v1.0/privacy/subjectRightsRequests
Content-Type: application/json
{
"type": "delete",
"dataSubjectType": "currentEmployee",
"regulations": ["CCPA"],
"displayName": "TestDSR",
"description": "DSR for test#suhail.lol",
"internalDueDateTime": "2022-05-31T00:00:00Z",
"dataSubject": {
"#odata.type": "#microsoft.graph.dataSubject",
"firstName": "Test",
"lastName": "User",
"email": "test#suhail.lol",
"residency": "CA"
}
}
Response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2022-04-30T01:00:09",
"request-id": "bb30c902-c8b9-4688-80e5-23c2272a77fb",
"client-request-id": "bb30c902-c8b9-4688-80e5-23c2272a77fb"
}
}
}
My OAuth token response even has granted permissions for SubjectRightsRequest.ReadWrite.All
OAUTH Token Generation
I created the token by:
Create OAuth app Azure Active Directory > App Registrations
a. Get <OAUTH_CLIENT_ID>, <OAUTH_CLIENT_SECRET> and
<OAUTH_REDIRECT_URL>
Then make the OAUTH use
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=<OAUTH_CLIENT_ID>
&response_type=code
&redirect_uri=<OAUTH_REDIRECT_URL>
&response_mode=query
&scope=SubjectRightsRequest.ReadWrite.All
&state=12345
Redirected to Login page. Login with Admin Account of Office 365 account
Redirected to <OAUTH_REDIRECT_URL>?code=<OAUTH_CODE>&state=12345
Exchange Token
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Request body
grant_type=authorization_code
code=<OAUTH_CODE>
redirect_uri=<OAUTH_REDIRECT_URL>
client_id=<OAUTH_CLIENT_ID>
client_secret=<OAUTH_CLIENT_SECRET>
I tried to reproduce the same in Microsoft Graph Explorer. I have granted SubjectRightsRequest.Read.All and SubjectRightsRequest.ReadWrite.All permissions.
At first, I tried to get the list of all subject requests and got the response below:
Now, I tried to create delete request type for subjectRightsRequest by posting query like below and got same error:
As mentioned by #user2250152, creating delete request type for subjectRightsRequest is currently may not be supported.
To resolve the above error, try to raise the support ticket to Microsoft.
Related
What is the recommended architecture using Microsoft Azure AD to implement delayed mail sending on behalf of a user in a React frontend and Python backend?
I want the user to connect to their Microsoft account in the frontend and obtain the necessary tokens in my backend for subsequent use in sending emails on behalf of the user.
Should I use OAuth 2.0 or OpenID Connect for the user authentication in my frontend?
I am currently using MSAL in my frontend to allow the user to connect to their Microsoft account, but I am unable to obtain a refresh token in my backend. I have set my frontend as an SPA and my backend as a web application in Azure AD, but I am not sure if this is the correct configuration. Are there any best practices or recommended approaches to achieve this?
Progress shareing:
prog 1:
I obtained an authorization code in my frontend by following the instructions on this page:
https://learn.microsoft.com/en-us/azure/energy-data-services/how-to-generate-refresh-token#get-authorization.
I then sent this authorization code to my backend to obtain a refresh token, but I am encountering an error that says 'AADSTS9002313: Invalid request. Request is malformed or invalid.'
I suspect that the error is caused by the fact that I'm using different uri's in my frontend and backend. If this is the case, how can I pass the information needed to get the refresh token to my backend?
[Both endpoints included in web urls in Azure AD]
prog 2:
I have obtained an access_token using this method, but I am unable to obtain a refresh token. While the "client_credentials" grant_type works, the "authorization_code" grant_type is not working for me. I am unsure whether the issue lies with Azure AD or if I am not sending the correct body parameters.
prog 3:
Successfully obtain both an access token and a refresh token.
prog 4:
failed to send mail:
"{'error': {'code': 'ErrorAccessDenied', 'message': 'Access is denied. Check credentials and try again.'}}"
prog 5:
Email sent but the sender is user-id#outlook.com instead of user-email#domain.xx
Note that: If you want send mail on behalf of a user client_credentials flow. Use Authorization code flow for user interaction.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added Application permission:
I generated access token using Client Credentials by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
To send mail, I used below query:
POST https://graph.microsoft.com/v1.0/users/FromAddress/sendMail
{
"message": {
"subject": "hi",
"body": {
"contentType": "Text",
"content": "how are you"
},
"toRecipients": [
{
"emailAddress": {
"address": "****"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "****"
}
]
},
"saveToSentItems": "false"
}
As mentioned by you, using Authorization code is not working.
I created an Azure AD Application and added Delegated permissions:
I generated auth-code using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=mail.send offline_access
&state=12345
Now, I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:ClientID
scope:mail.send offline_access
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
To send mail, I used below query:
POST https://graph.microsoft.com/v1.0/me/sendMail
{
"message": {
"subject": "hi",
"body": {
"contentType": "Text",
"content": "how are you"
},
"toRecipients": [
{
"emailAddress": {
"address": "****"
}
}
],
"ccRecipients": [
{
"emailAddress": {
"address": "****"
}
]
},
"saveToSentItems": "false"
}
Reference:
user: sendMail - Microsoft Graph v1.0 | Microsoft Learn
I try to call this API -> https://graph.microsoft.com/v1.0/me/chats
I'm also passed Authorization Bearer token in header but i got below error
{
"error": {
"code": "Forbidden",
"message": "No authorization information present on the request.",
"innerError": {
"date": "2023-01-12T09:37:45",
"request-id": "1975336f-42b0-49a1-8110-a1092f07c130",
"client-request-id": "1975336f-42b0-49a1-8110-a1092f07c130"
}
}
}
I have use this scopes to generate token
user.read Mail.Send Mail.Read Mail.ReadBasic Mail.ReadWrite GroupMember.Read.All Group.Read.All Directory.Read.All Group.ReadWrite.All Directory.ReadWrite.All Chat.ReadBasic Chat.Read Chat.ReadWrite openid profile offline_access
I have use this endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token for acquire token
By using generated token I'm able to send mail , receive mail and etc but not able to call /chats api and other microsoft teams api
What should i do to get successful response from https://graph.microsoft.com/v1.0/me/chats API.
I got this scope in token authorized response
enter image description here
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and added API permission:
I generated the access token using Authorization Code Flow.
Generated Access token using below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/Chat.ReadWrite
&state=12345
I generated the access token by using below parameters:
GET https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/Chat.ReadWrite
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
To get the chat, I used the below query:
https://graph.microsoft.com/v1.0/me/chats
If still the issue persists, check if the licenses are assigned to the user.
Reference:
Get chat - Microsoft Graph v1.0 | Microsoft Learn
I'm trying to fetch the user's profile photo using https://graph.microsoft.com/v1.0/me/photo/$value endpoint and by following these instructions. In our React app we're using react-adal, so I first got an access token using adalGetToken(authContext, "https://graph.microsoft.com/") and then made the call with
axios.get("https://graph.microsoft.com/v1.0/me/photo/$value", {
headers: {
Authorization: `Bearer ${token}`,
},
})
However, the response is
{
"error": {
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood.",
"innerError": {
"request-id": "d2ed76f0-7f35-4014-bc53-xxxxxxxxxxxx",
"date": "2020-05-29T09:27:12"
}
}
}
When I make a call to https://graph.microsoft.com/v1.0/me using the same token, I get a proper response, eg
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "<id>",
...
}
In Azure Portal I have delegated User.Read permissions for the application: Image of the permissions
What could be the problem?
You are validating the token by calling a different endpoint locally (v1.0/me) than your app is calling (v1.0/me/photo/$value).
You can manually validate access tokens using tools like https://jwt.io/ and https://jwt.ms/
Per the comment by #sruthi-j-msft-identity, v1.0/me/photo is not available for personal accounts. Try using beta/me/photo/$value in your React app if you are working with personal accounts. ref: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-beta#permissions
The beta API contains preview features and should not be used for production systems.
I would like to see full information on my users in the AD (users in groups, etc...)
I already have an application that signs in to AD and then I get a bearer token that has access to my azure blockchain workbench API and everything works fine.
The workbench API has a users endpoint but the information is limited, it has first name, last name, email etc... and I would like to know more.
When trying to call the https://graph.microsoft.com/v1.0/me endpoint with the bearer token that I already have it is invalid and I get:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
},
"requestId": "47322d1e-24d5-4170-ace5-947a8725ec1c",
"date": "2019-03-13T08:14:37"
}
}
I also tried a different approach. I have a service principal and gave this service principal an windows active directory basic info on users privilege. I also gave it a Microsoft Graph privilege and also a privilege to mu blockchain app (not sure if I need to).
I call https://login.microsoftonline.com/{{tenant-id}}/oauth2/token with the client credentials body and I get a bearer token. Now with this bearer token I get:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2a7febaa-a6db-4770-a323-1971fa0bf863",
"date": "2019-03-17T13:54:57"
}
}
}
Access token needs to be acquired for Microsoft Graph API as the resource.
In first approach, token that you already have for workbench api will not work for Microsoft Graph because that token is meant for Workbench API.. you can check this by looking at aud claim for that token. You can decode the token using https://jwt.ms
In second approach, token should work, as long as you specified the resource you're acquiring token for is https://graph.microsoft.com and not workbench API. If you still face issues, share the code you're using to acquire token or the decoded token itself (minus any sensitive info)
I want to store my json object to google drive.
And google authentication is working fine.
But when I am calling google drive api, it returns 401 error.
I set authentication, content-type, and content-length to api headers.
Not sure why this happen.
401: Invalid Credentials
Invalid authorization header. The access token you're using is either expired or invalid.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization",
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Suggested action: Refresh the access token using the long-lived refresh token. If this fails, direct the user through the OAuth flow, as described in Authorizing Your App with Google Drive.