MS Graph Sites.Selected permissions POST= 403. What role needed? - azure-active-directory

I'm trying to access sharepoint site lists with MS Graph.
I've got application permissions Sites.Selected admin consent.
The global admin is getting a 403 when doing a POST to add a permission to the specific site in Graph Explorer:
POST https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
I signed up to microsoft 365 developer account and got a sandbox AAD and sharepoint site.
The permissions POST worked for the main account I got when creating the sandbox.
Sites.Selected works fine for my test app.
Now I'm trying to figure out if maybe the global admin is not the person who has access to granting site permissions.
I gave global admin to a user and got a 403 trying to get permissions from the specific site.
I gave sharepoint admin to a user and got 403 trying to get permissions from the specific site.
Would anyone know what role is needed to do the POST (or GET) to
https://graph.microsoft.com/v1.0/sites/{siteId}/permissions
EDIT
Well, after paying closer attention to my sandbox global admin... he was indeed missing the permission Sites.FullControl.All in Graph Explorer.
I saw a checkmark beside it and quickly thought "he's got it already!!", but the checkmark is in the column "Admin consent required"; you just can't see the column title after scrolling down to Sites. It needs to say "Consented".
EDIT2
So the POST to grant permission to read or write only seems to work in the sandbox. This was brought up to Microsoft and they didn't really explain why it worked in the sandbox, only that the only supported way it works is if an application with Sites.FullControl.All makes the POST.
If you come across posts/websites saying it works with graph explorer, they probably only tried it with a sandbox. I assume this will also fail with the 3rd method of granting the read/write permission to a site with powershell.

According to the documentation, the List permissions API supports only the Application permission type and requires the Sites.FullControl.All permission.
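As an added example (not code from the original post), the grant described above done the supported way: an app-only token obtained with client credentials by an app that has been admin-consented Sites.FullControl.All, then the POST that grants another app Sites.Selected access to one site. TENANT_ID-style values, the site id and the target app's id and display name are placeholders; the request body shape follows the Graph permissions resource.

```python
"""Grant an app Sites.Selected access to one SharePoint site via Microsoft Graph."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles discussed in the thread; Graph may accept further roles on newer tenants.
ALLOWED_ROLES = {"read", "write"}


def build_site_permission_body(app_id: str, app_display_name: str, roles: list) -> dict:
    """Build the POST /sites/{siteId}/permissions body granting roles to an app.

    app_id is the target app's (client) id, not the calling app's.
    """
    bad = set(roles) - ALLOWED_ROLES
    if bad or not roles:
        raise ValueError(f"unsupported roles: {sorted(bad) or 'none given'}")
    return {
        "roles": sorted(set(roles)),
        "grantedToIdentities": [
            {"application": {"id": app_id, "displayName": app_display_name}}
        ],
    }


def get_app_only_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token request (app-only; no signed-in user involved)."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def grant_site_permission(token: str, site_id: str, body: dict) -> dict:
    """POST the grant. A 403 here is what the thread saw when the caller lacked
    Sites.FullControl.All (delegated Graph Explorer calls are not supported)."""
    req = urllib.request.Request(
        f"{GRAPH}/sites/{site_id}/permissions",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Typical use is `grant_site_permission(get_app_only_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET), SITE_ID, build_site_permission_body(TARGET_APP_ID, "Target App", ["read"]))`; the returned permission object's `id` is what a later DELETE on `/sites/{siteId}/permissions/{id}` would revoke.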

Related

Google IAM adding additional owner to project not working

I'm currently trying to invite another developer to my gcloud project as an owner. For this I go inside the IAM and grant him access via his gmail account. He receives the invitation e-mail, clicks on "accept invitation" and then has full access rights on the project. However, in the IAM it still says: "Invitation sent. Pending acceptance."
In consequence he's not able to deploy any new AppEngine builds, as the gcloud CLI fails reporting he does not have the necessary access rights. Anyone experience the same issue? I already checked the e-mail address multiple times as well as waited for several days (so permissions are properly set), but nothing changed. Thanks!
While waiting or solving the email invite, assign normal resource-based IAM roles granting permission.
Except for special cases, the Owner role should not be used or granted to users.
You, as project owner, should not be using an account with the Owner role. That role should be assigned to an identity that is locked away for use when required.

Not able to add certain Graph API Permissions

I am currently developing a service that would be able to sync data between workforce management systems (like Kronos WFC) and Microsoft Shifts. In order to sync the data, I have to register a Workforce Integration. I have established the necessary permissions, but I am not able to add permissions and I'm returned a message on the Azure Portal that permissions are not supported. The tenant that I'm using for development has also been whitelisted. Ideally whitelisting should be solving all problems when it comes to adding Graph API scopes, but in this instance, the whitelisting does not seem to resolve. Any ideas as to why such thing is happening?
Some Graph permissions are not allowed on applications that support Microsoft accounts authentication (e.g. Skype, Xbox, Hotmail). The WorkforceIntegration permissions are one of them.
The idea is that some O365 enterprise services are not available to consumer Microsoft accounts. Unfortunately I don't know where these permissions are documented but please comment if you find the list.
Sometimes, it could be a temporary error. You may have another try at a later time.
Please do not add too many permissions at one time. I tried to add that permission and got a success:
By the way, as Azure AD V2 supports granting permissions dynamically, you may directly add and grant permission to a new scope.
Note: I just want to show you the detailed flow, but in fact all the following steps can be done with ADAL or MSAL.
For example:
I did not have https://graph.microsoft.com/Chat.ReadWrite permission at first. But I can request that permission dynamically through Azure AD OAuth2 authorization code flow:
A. Make a request call to
https://login.microsoftonline.com/<your_tenant_id_or_name,hanxia.onmicrosoft.com>/oauth2/v2.0/authorize?response_type=code
&client_id=88b1****-***-****-****-f64c****9f8a
&redirect_uri=https://localhost/
&scope=https://graph.microsoft.com/Chat.ReadWrite
B. Grant the permission
C. Check the permissions in Enterprise Application
You can see that a new permission was added. And then users in the tenant can use that permission scope.

Not able to add external user to VSTS/Azure DevOps

Today I was trying to add an external user to VSTS and got the below error message:
You are trying to invite a user from outside your directory, but something went wrong. Please try again later. If the issue persists, please contact support.
I have followed the steps mentioned in the below link and "External guest access" is enabled.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/add-external-user?view=azure-devops&viewFallbackFrom=vsts&tabs=new-nav
Not sure where I am going wrong with this and looking for a solution.
After signing out and signing in again it works.
It seems this happened after password reset for my AAD account.
The reason was a missing refresh of the user AAD token. After completely signing out from Azure DevOps (deleting all browser caches) it was working.
Source: https://developercommunity.visualstudio.com/t/you-are-trying-to-invite-a-user-from-outside-your/395999
Before this will work, you need to have the external domain added as an approved domain for collaboration. Then you will be able to invite them to your Office 365/Azure tenant. I had to have this approved through Global Security and then the work was done for our organization.
For future reference, I had a similar issue and discovered that Project Collection Administrators/Owners manage the policy: Allow team and project administrators to invite new users.
Source: Azure DevOps Documentation

Microsoft graph api returns 403 forbidden when calling groups/xxxx/members

I have an application calling the graph api in order to update my database of users to match the active directory users.
I see that every single user calling it is getting an error: 403 forbidden. I did some research and saw that the user needs to grant directory.read... so I did that and then it works.
However, I do not want to have my application request each user to grant those permissions. I believe maybe I can accomplish the same goal by granting the right permissions to the "user" behind the application. I am not really sure who that is. Does maybe the secret and the client located in my web.config play into this? The reason I think maybe yes is because I use those credentials to initially authenticate myself to the graph api. I do. To pass the current user's Microsoft info to log in...
In that scenario, you can configure the app to use App-Only permissions. In the documentation, it is referred to as "Application" permission. The permissions are granted to an application. Consent is granted only once by an administrator, and users are not prompted to consent later. More: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent

How do I grant consent to SharePoint Delegated Permissions in Word Online Addin using Azure Active Directory V2?

I originally posted the following on github: https://github.com/OfficeDev/office-js/issues/323, but they suggested I post on stack overflow.
I have an Azure Active Directory v2 application which lists some SharePoint delegated permissions:
I have a Word Online Addin that uses the V2 app. I tried adding the SharePoint permissions as scopes in the Office Manifest, such as
<Scope>AllSites.Read</Scope>
However, I get the following message after attempting to grant consent inside Word Online:
Is this error expected? Ultimately I wanted to enable single sign on in Office (Similar to https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins but for CSOM, not Graph). I was able to get this to work for Graph permissions.
First, let me clarify that the SSO API is still in preview. In production, you should be using the Dialog API to log in the user, but it does not provide SSO.
Now coming to the in-preview SSO API: have you tried any of the SharePoint scopes owned by Graph? Adding that to the manifest should work. Currently, we do not support any scope other than Graph. But there is no reason why the same token cannot be used to access SharePoint, provided you use Graph scopes.