I have an issue with accessing user data with microsoft graph api.
Context : I have a web app with a calendar inside for my users. I would like to give the user the possibility to synchronise this calendar with their microsoft calendar. I did the same thing with google calendars and it works well.
Problem : I registered an app on azure and setup my code with the correct access to login and get a token from the graph api.
It kinda works but i can only log in with the address i used to create my app on azure.
So lets say my admin address on azure is test#azure.com , then i can log in and access the data i want . But if i try with another address like for example test#customer.com, then it fails and display this message :
I keep looking for a way but the Microsoft graph documentation doesn't seem to talk about this problem.
I tried to add the account as an external user, like the message says (and maybe i did it wrong i'm not really sure of this part) but then i can log in but the data i can access doesn't match the data on the account i tried with, as if adding the user as an external user created a "new" user in my organisation.
What I want : I would like to be able to access the data of any user that try to log in with a microsoft email (if they accept the permissions of course).
It's my first time using the graph api so maybe i'm missing something simple...
Thanks
Based on the So thread reference:
When a user authenticates against your tenant, you only have access to the data controlled by your tenant. In other words, if test1#outlook.com authenticates against yourtenant.onmicrosoft.com tenant, you don't gain access to their outlook.com email.
Reason you're able to see the outlook.com email from Graph Explorer is that Graph Explorer is authenticating against their outlook.com account.
In other way, Graph Explorer is authenticating test1#outlook.com against the outlook.com tenant, not yourtenant.onmicrosoft.com.
When a user authenticates against a given tenant, that token only provides access to data within that single tenant. Microsoft Graph does not allow you to cross tenant boundaries.
Thanks Hong for the comment, you may also set your app registration to "multitenant + personal accounts"
So Reference: MS Graph External User 401 Unathorized
Related
Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.
Further to the question raised here
Get all user properties from microsoft graph
Yes, I can obtain full user profile data using the graph query but from the perspective of the tenant, can I restrict the graph query to only be able to access the basic profile data?
Azure AD graph has delegated permissions for user.readBasic.all which restricts this. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.
So I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without human involvement) for user.readBasic.all.
If you want restrict the returned field from the "user.readBasic.all", the best way is you implement a custom handler(API/Service and so on). No directly official channel to do this now. (user.readBasic allows the app to read the full profile of the signed-in user, because after the user sign-in it means he has authorized the APP to get his information.)
You can check the blog for graph permission for here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/
And for the detail of the "user.readBasic.all" you have pointed from official link(https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions) Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
I am working on a Onedrive CoAuthoring Application. In which users can Co Author the document and Sync their changes. The application flow is First user initiates the CoAuthoring, the document will moved from Source to Onedrive. For the subsequent users, Permisson will added for those users and they open the document directly from onedrive. so everybody can work on the same document and the final user will sync back it from onedrive to Source.
I have implemented a PoC by creating office 365 trial accounts. I have hard coded the Admin account User credentials, and the admin account will talk to Onedrive on behalf of user using Microsoft Graph and Coauthoring works perfectly.
Now I want to Implement the real version on top of Onedrive Buisness for my organization. My organization using hybrid azure, so that the same onpermise user id is used in Azure too. I have created the application in Azure, created a key(Client secret) and gave necessary permission for the app. i am facing the following issues.
First i tried to pass my onpermise credential, but I am getting invalid password.
Next i tried the code flow, in which i have passed the client id and client secret and got the access token.But when i pass the Access token to the graph api I am getting Code: AccessDenied Message: Either scp or roles claim need to be present in the token.
Next I have created a X509 cert and getting the same error while calling Graph API Code: AccessDenied Message: Either scp or roles claim need to be present in the token.
Need your help/suggestion: I want to talk to onedrive using admin account/app. so that I will move the doc to onedrive and add permission for the subsequent users, and this has to be implemented without user interaction even for the first time. Please help me to overcome the issue.
Thanks,
Subbiah K
I'm creating an application in with angular and nodejs and I need to be able to read another user's list of events. Right now I am attempting to use "https://graph.microsoft.com/v1.0/users/otherusername#companyurl.com/events" this gives me the 403 "Access is denied. Check credentials and try again.". However, if I use "https://graph.microsoft.com/v1.0/users/myusername#companyurl.com/events" it works(as most would expect). My question is, why is it when I use outlook I can use scheduling assistant to see the events for "otherusername#companyurl.com" without being an admin but in my application I cannot see their events due to credentials?
The library I'm using to connect to microsoft graph api is https://github.com/AzureAD/azure-activedirectory-library-for-js
The delegated permissions I have set in azure are
View users' email address
Sign users in
Read user contacts
Have full access to user calendars
Read user calendars
Send mail as a user
Read directory data
Read all users' basic profiles
Sign in and read user profile
Application permissions (I understand these require admin)
Read calendars in all mailboxes
Graph api permission scopes
Any help is appreciated, thankyou.
Fugal - This is by design. You can use FindMeetingTimes API to schedule meetings with other users. This can be accomplished with just Calendar.Read permission. See http://graph.microsoft.io/en-us/docs/api-reference/beta/api/user_findmeetingtimes for more info.
For you to view another user's calendar using /events endpoint, you need a special permission (something like Calendar.Read.Shared) that we are still in the process of adding. Once we add that, you will be able to use /Events to access any calendar that another user has explicitly shared with you. But if you want to just schedule meetings, FindMeetingTimes should be sufficient.
I created an AD B2C Tenant in the legacy Azure portal. When I click the link that takes me to the new Azure portal to continue managing my new Tenant I get an "Access Denied" error on the blade, followed by the message:
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Does this have anything to do with the fact that my Microsoft account (that I used to manage Azure) is also tied to Office 360?
elabs - a few questions for you:
when you say your MSA used to manage Azure is tied to your O365 subscription, do you simply mean that you have both an MSA and a AAD account with the same name? what do you mean that your accounts are tied?
What OS are you seeing this issue on?
are you sure your signed in with an MSA or Work Account
How to Find out - from the old portal use CTRL+ALT+A and look at EMAIL Address; You'll see either (Org) or (MSA) at the end.
What is the exact error message and the URL where the error is received. Do you see a correlation ID or Request ID along with the message?
I've tried every avenue possible to reproduced this issue that I know and simply can't get the result you encountered.
Chris