I'm trying to write a web app on our website which gets a User's MS Team channels and then posts a message to a channel of their choosing using MS Teams Graph API.
I'm about to get an access token using the OAuth API, and I'm passing access token (AAD token) to the /me/joinedTeams endpoint, it's giving me the below error:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"date": "2021-05-14T20:57:03",
"request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806",
"client-request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806"
}
}
}
Screenshot of my Graph Explorer results
UPDATE:
I have gotten my account converted to a Work account, and added the permissions. Now I am getting this response/error:
Screenshot of new Graph Explorer results
It's better for you to share how to get an access token using the OAuth API. In this issue , it seems your signed-in user is a personal Microsoft account, that's not supported to access the /me/joinedTeams endpoint. Doc of this API.
There are some notes here:
When using Graph Explorer, access token is here after login. You don't need to add bearer token in Request headers.
You have to sign in with a work or school account, and you need to consent one of the required permissions in "modify permissions(Preview)".
Related
I'm trying to call the Graph API: https://graph.microsoft.com/v1.0/me/sendMail.
I run the query successfully with the Graph Explorer, where I gave my user the Mail.Send permission. And if I use the Access Token from the Graph Explorer in Postman it works too.
But if I use my own Access Token which I create from calling the Azure Active Directory App in ends in this error:
{
"error": {
"code": "RequestBodyRead",
"message": "The property 'subject' does not exist on type 'Microsoft.OutlookServices.Message'. Make sure to only use property names that are defined by the type or mark the type as open type. REST APIs for this mailbox are currently in preview. You can find more information about the preview REST APIs at https://dev.outlook.com/.",
"innerError": {
"date": "2021-12-23T12:47:23",
"request-id": "cbb00b85-295b-45e2-abc7-f064ec52f994",
"client-request-id": "cbb00b85-295b-45e2-abc7-f064ec52f994"
}
}
The body in the message is the same, I just changed the Access Token from the Graph Explorer to the one I created. The Access Token is created through a POST Request to:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb09-9f3-476-9bf-4f126479986
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qPX
&grant_type=client_credentials
I checked both Tokens with https://jwt.io/ if they vary in some way. The only thing which was odd was the parameter "aud" for Audience. The value in my Token was different than the one from the Graph Explorer, but I don't know if I can change that.
The Azure Active Directory App does have the necessary permissions, also with Admin consens.
enter image description here
Help is much appreciated.
You have given Delegated permissions to the application which allow your app to call an API on behalf of a user.
But you authenticate using only application credentials where no user is involved.
In that case only Application permissions apply.
You either need to grant the "Send mail as any user" Application permission (and use /users/user-id instead of /me), or you need to change how you authenticate such that it involves a user at some point of the process.
I have B2C local accounts and when I'm trying to get/update their profile infos using Graph API with aplication issued token, it worked.
But when I try to get/update their profile photo, I get 404 errors.
request: (GET)
https://graph.microsoft.com/v1.0/users/{userOid}/photo
response: 404
{
"error": {
"code": "ImageNotFound",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ImageNotFoundException' was thrown.",
"innerError": {
"date": "2021-10-26T16:12:52",
"request-id": "ac24acee-8317-4d77-95ea-c69df189e7cb",
"client-request-id": "ac24acee-8317-4d77-95ea-c69df189e7cb"
}
}
}
request: (PUT/POST) and setting the content type as well
https://graph.microsoft.com/v1.0/users/{userOid}/photo/$value
response: 404
{
"error": {
"code": "UnknownError",
"message": "{\r\n \"errorCode\": \"ErrorUserResolutionFailedUserDoesNotExist\",\r\n \"message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileNotFoundException' was thrown.\",\r\n \"target\": null,\r\n \"details\": null,\r\n \"innerError\": null,\r\n \"instanceAnnotations\": []\r\n}",
"innerError": {
"date": "2021-10-26T16:13:55",
"request-id": "3517b374-a08d-41a1-8f68-9c9da3cbfb3b",
"client-request-id": "3517b374-a08d-41a1-8f68-9c9da3cbfb3b"
}
}
}
Currently, you are using Microsoft Graph REST API V1.0 to get/update user photo for B2C local accounts.
But these operation in version 1.0 supports only a user's work or school mailboxes and not personal mailboxes
So you can use Microsoft Graph REST API beta version to get/update user photo for B2C local accounts.
When getting / updating the user photo using beta version, this operation first attempts to get / update the photo in Microsoft 365. If that fails (due to the user not having a mailbox), this API will attempt to get / update the photo in Azure Active Directory
Note : For updating profile photo for users, use only PUT operation.
For getting the profile photo of user, please make sure the user has profile photo in the Azure AD. Else, it will throw ImageNotFound error.
Reference :
profilePhoto resource type - Microsoft Graph beta | Microsoft Docs
profilePhoto resource type - Microsoft Graph v1.0 | Microsoft Docs
I'm trying to get an embed token for power bi embedded.
I'm using 'App owns data' embed scenario.
I first get the access token of Azure AD and use it as Bearer token when calling embed token
Here is my Postman request details:
https://api.powerbi.com/v1.0/myorg/groups/{groyupid}/dashboards/{dashboardid}/GenerateToken
Request body
{accessLevel:"View"}
In authorization section I added the access token.
I received a 403 Forbidden response.
Here how I get the access token
I noticed that there is also another url to get token : https://login.microsoftonline.com/common/oauth2/token
What is the difference between the one with tenant id in the url
Then permissions for the AAD PowerBI application
Update
Thanks for the help I get another 404 not found error now
{
"error": {
"code": "PowerBIEntityNotFound",
"pbi.error": {
"code": "PowerBIEntityNotFound",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}
For information I have added permission in PBI admin portal to pbireportingGroup an Azure security group that I created. ( as mentionned in docs )
Then I added to this group the AAD as member
Is that what should I do ?
403 means that your access token doesn't have the required permissions.
And you need to add the master account and service principal as the owner of the group / workspace (it may take 15 minutes to take effect).
UPDATE:
Now that you are using client credential flow, you should set application permissions:
And the resource in the request body should be https://analysis.windows.net/powerbi/api/.
Besides, you need to add the service principal as the admin of this workspace in Azure AD. (enter the name of your Azure AD app, and it will recognize its client id)
I have an android application that uses Azure AD B2C. Users can sign up using local account/email. Once the user logs into the android application, I'm trying to call the Microsoft Graph API to get the signed-in users details (specifically the Graph API UPN of the user, which is different than the UPN in Azure ad B2C).
The API call I'm trying to make is: https://graph.microsoft.com/v1.0/me
I added the bearer auth token I receive when the user logs in.
However, I receive the following error:
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-06-17T06:11:32",
"request-id": "b4e9757e-60d9-453f-820d-9f817831aa0c"
}
}
}
Any idea what I can do to get the user's Graph API UPN? Appreciate the help!
This error occurs when the token used is invalid. If you want to get the logged-in user information, you can request the API at here.
Don't forget to grant administrator consent for this permission,please checkhere.
Update
For Azure b2c users, it is currently not possible to call the Graph API.https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/526
I went through the process to get admin consent for a POC app (delegated) I am building that leverages the new Presence API via MS Graph
https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-beta&tabs=http
However, when I try to make a Graph API Call, I am able to get a token, but get this error when I try to hit the /me endpoint (gets my AD Info)
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "0c293c6f-f8d2-4a12-8879-c52b16e4c51f",
"date": "2020-01-07T18:09:14"
}
}
}
I am not sure what this error is from, anyone here that can help me? My app has permissions for
User.Read
User.Read.All
The fix for this issue is to update the authentication flow to use the 'On behalf of a user flow'. This will give you a delegated access token and the context of a user to return their presence information. See https://learn.microsoft.com/en-us/graph/auth-v2-user
admin consent for a POC app
Sounds like you're using the client credential flow. If that's the case then the presence-get doc you linked shows that this call is not supported for admin consent.
That doesn't necessarily mean it won't work but...
...if you want to keep trying add the Presence.Read and Presence.Read.All permission to your app and see if that helps.