I'm trying to use a Service Principal and the ms graph api to call the beta synchronization/jobs/ endpoint but get a 401 Unauthorized error.
Now I know in the documentation it says I need the Application.ReadWrite.OwnedBy or Directory.ReadWrite.All scopes, but I would rather use role permissions assigned to the Service Principal to keep access more granular.
I've assigned the Principal to the application administrator role, this allows me to access https://graph.microsoft.com/beta/servicePrincipals/{object-id}/ but when I try https://graph.microsoft.com/beta/servicePrincipals/{object-id}/synchronization/jobs/ I get a 401 code with
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-06-28T14:35:44",
"request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7",
"client-request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7"
}
}
}
Is there some role permission I'm missing or is this endpoint not compatible with role permissions yet? Or most likely am I being silly and missing something?
I've tried using the golang adal package and the az account get-access-token --resource https://graph.microsoft.com command to get a token.
I can access this endpoint when authenticated as my AAD user with Global admin role.
The application permission of Microsoft Graph cannot be completely replaced by directory role permissions. They cannot replace each other.
Generally speaking, the permissions of the AAD Graph and the directory role permission have a certain overlap. But Microsoft Graph is not.
Please use Application permission Application.ReadWrite.OwnedBy or Directory.ReadWrite.All in this case.
I was able to get it to work by adding following Microsoft Graph API permission Application.ReadWrite.All & Directory.ReadWrite.All for application which I used to authenticate and get Access_token.
Working API permission on my lab:
If any of these two permission missing then expected to get (401) Unauthorized same as you.
Related
In Azure Active Directory I've registered a new app and given it the Read and create online meetings permissions. I've granted admin consent for the permission and now I'm trying to create a meeting through the command line.
I generated a client secret for the app.
Then I'm requesting a access token using my tenant GUID, client ID of the app and client secret I generated. This gives me back a jwt. When I decode the JWT amongst the roles I can see "OnlineMeetings.ReadWrite.All" which gives me hope that I can actually create meetings using this bearer token.
I then send a POST request to https://graph.microsoft.com/v1.0/users/<my-user-guid>/onlineMeetings
with the following body:
{
"startDateTime":"2021-03-16T14:33:30.8546353-07:00",
"endDateTime":"2021-03-16T15:03:30.8566356-07:00",
"subject":"Application Token Meeting",
"participants": {
"organizer": {
"identity": {
"user": {
"id": "<my-user-guid>"
}
}
}
}
}
and the response comes back with
"code": "Forbidden",
"message": "Application does not have permission to Create online meeting on behalf of this user.",
Am I missing something?
Edit:
As some of the comments have suggested I should create an application access policy. So I'm following the documentation which asks me to Connect using admin credentials
When i run Connect-MicrosoftTeams -Credential $userCredential with my account it fails with the following error:
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed
Connect-MicrosoftTeams: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: : Unknown error
But this is what is confusing me. I don't really know if I'm trying to login with the correct account. I'm using my personal account on azure which is (afaik) not a business account with skype for business.
I'm running the commands to log in on the azure portal's PowerShell interface. Am I supposed to run this on my local machine instead?
I think I'm not fully understanding what all of the moving parts are that need configuration.
Can I add those application Access Policies in the azure portal interface somewhere?
According to the api documentation, make sure you grant the OnlineMeetings.ReadWrite.All application permission to the application. Then you need to use the client credential flow to obtain an access token.
Please note that when you create an online meeting with an application token, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).
When calling the MS Graph API on the endpoint https://graph.microsoft.com/beta/me/todo/lists, I get the following result (same when using v1.0 instead of beta):
{
"error": {
"code": "UnknownError",
"message": "The service is unavailable.",
"innerError": {
"date": "2021-01-05T18:36:43",
"request-id": "a4549f79-399a-401b-84eb-cc2f8f6197c8",
"client-request-id": "e07b23bb-60bd-be9b-39db-60953ff42844"
}
}
}
Permission Tasks.ReadWrite is consented and the authenticated user account is a personal account (aka Microsoft Account). With a "Work or school account", the API works as expected.
As of the documentation, this endpoint should be fully available in v1.0 and beta versions but it obviously is not - or I do something wrong. Any suggestions?
You can try to use graph-explorer to log in to your personal Microsoft account and call the api. I just tested it with this tool and it did work for me. (Don't forget to add Tasks.ReadWrite permission and consent)
Another method is to add your personal Microsoft account as a guest user to the Azure tenant (note: guest users need administrator role to call the api), then grant Tasks.ReadWrite delegation permissions to the application, and then use the auth code flow Obtain an access token. This requires you to log in to your personal Microsoft account to obtain an authorization code, and then use the authorization code to redeem an access token.
I am using Graph explorer to test some requests. I logged in with my tenant account and I am trying to list Tasks from another User:
https://graph.microsoft.com/v1.0/users/{id}/getMemberGroups
I get the following error :
{
"error": {
"code": "",
"message": "You do not have the required permissions to access this item.",
"innerError": {
"request-id": "8e9c5b30-ad4a-4c4c-80c2-f14b110b3fee",
"date": "2020-05-18T16:08:36"
}
}
}
I currently have (among others) the following permission during that test :
Group.Read.All
Group.ReadWrite.All
User.Read.All
User.ReadWrite.All
Referring to the documentation, this should be enough :
Delegated (work or school account): User.ReadBasic.All and GroupMember.Read.All, User.Read and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Readand Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account): Not supported.
Application: User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All, Directory.ReadWrite.All
Any idea on what is going wrong?
Although you have requested Permissions, you cannot authorize this permission until you have received "Consent" from an Administrator. Also, You need to be the member of the group you are requesting via graph if you are doing any changes to group.
If you're using the Azure Portal to register you app (aka the v1 Endpoint) then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about the Consent Framework in Integrating applications with Azure Active Directory.
I went through the process to get admin consent for a POC app (delegated) I am building that leverages the new Presence API via MS Graph
https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-beta&tabs=http
However, when I try to make a Graph API Call, I am able to get a token, but get this error when I try to hit the /me endpoint (gets my AD Info)
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "0c293c6f-f8d2-4a12-8879-c52b16e4c51f",
"date": "2020-01-07T18:09:14"
}
}
}
I am not sure what this error is from, anyone here that can help me? My app has permissions for
User.Read
User.Read.All
The fix for this issue is to update the authentication flow to use the 'On behalf of a user flow'. This will give you a delegated access token and the context of a user to return their presence information. See https://learn.microsoft.com/en-us/graph/auth-v2-user
admin consent for a POC app
Sounds like you're using the client credential flow. If that's the case then the presence-get doc you linked shows that this call is not supported for admin consent.
That doesn't necessarily mean it won't work but...
...if you want to keep trying add the Presence.Read and Presence.Read.All permission to your app and see if that helps.
Context: I've a console app which wants to use Graph API to talk to AAD to check if a particular userId exists in the tenant or not.
I've been following the guidelines here: https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
I'm able to generate a token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=x
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=x
&grant_type=client_credentials
But when I call the graph API I get this ERROR:
https://graph.microsoft.com/v1.0/users/12345678-73a6-4952-a53a-e9916737ff7f
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "x",
"date": "x"
}
}
}
My AAD App has all the permissions from:
1. Microsoft Graph
2. Windows Azure Active Directory
I tried changing the scope to
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
But this is the error I get while generating token:
The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/user.read is not valid.
I've tried combinations of "User.Read", "User.Basic.Read", etc. but nothing works.
The most likely reason why this is not working is because the permission which you have configured your app registration to require have not actually been granted by an administrator of your organization.
In your code, your app is authenticating as an application only. There is no signed-in user involved, and it requires your app to use and keep confidential a key used to authenticate (the client_secret parameter).
In this scenario, requesting the scope https://graph.microsoft.com/.default is the correct approach. What you're saying to Azure AD is: "please provide an access token for all the application permissions this app has been granted". Requesting the scope https://graph.microsoft.com/User.Read is not the correct approach because there is no application permission with that name.
Does the app you created have delegated permissions or application permissions to that scope?
Most likely the former. Delegated permissions don’t apply to client credentials flow.