In Microsoft 365, we’re able to create a personal contact but we can’t view the contacts of users, let alone add personal contacts to users mailboxes. We keep getting an ErrorAccessDenied message in the output.
Can anyone please advise on how we can get this resolved?
Microsoft Graph Explorer uses user token (delegated permission) to access the contacts data.
It only supports POST /me/contacts.
To access others' contacts, we need to implement Get access without a user which uses client credentials flow.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
In this way you can get an application token (application permission). You can use it to access other users' contacts.
You can use Postman to have a test. Microsoft Graph explorer doesn't support client credentials flow.
Related
I'm trying to get Bing ads spends from my firm. According to the Microsoft documentation, I understood that it's mandatory to use Microsoft Azure portal, get developer_token, client_id, tenant_id, client_secret, and access/refresh token to download the csv files with the data I want.
So, this is what I did:
I've received an invitation from my firm to Microsoft advertising onto this email adress:
abc#myfirm.fr, and I've generated my developer token.
With this email address, I've created a web application onto Microsoft Azure portal, which allow all king of users. Getting client_id, tenant_id, and generated a client_secret.
The redirect URL that I have chosen is http://localhost (according to the documentation but not sure this is the good URL to choose).
With Postman, I have tried with this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
and the params (previously obtained) needed for the OAuth 2.0 authentication to get my access token. Without success.
The issue is here.
When I request the access token, a new browser window opens, and asks for an email address on which to authenticate. I'm using my email address abc#myfirm.fr and I received authentication completed onto Postman but into the response body I have access_token: invalid.
The role of my account is super admin.
So I'm trying to authenticate with a professional Microsoft Azure Account and this time I received into the browser Invalid redirect url.
I have also tried to start all over again with different email address, like my personal email address, or with the email address of the creator of the Microsoft Advertising account, and I get the error contact your system Admin into the browser.
I have also tried with the Python SDK project given in the documentation, with the error message.
I must have forgotten or misunderstood something.
Should we use the same email address (or same account) on Microsoft Advertising, on Microsoft Azure, and when obtaining the access token?
Do you have to pay and take an Azure subscription? (Already done but without success)
Thanks in advance, sorry for my English.
EDIT:
Thank for ypur reply. The full request is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize with the following params:
-type: OAuth 2.0
-Header Prefix: Bearer
-Grant Type: Authorization Code
-Callback URL: https://localhost
-Auth URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/authorize
-Access Token URL: https://login.microsoftonline.com/{my-tenant_id}/oauth2/v2.0/token
-my client id
-my client secret
-scope: https://ads.microsoft.com/ads.manage OR also testing with https://graph.microsoft.com/User.Read
-State: None
-Client authentication: send client credentials in body
Give me an access_token but when I click on use token and send the request, I'm not getting an refresh token
Once a user provides consent, you can get an access token and act on behalf of the user.
So when the browser session starts, you should enter your Microsoft Advertising credentials.
Remember to set scope=https://ads.microsoft.com/ads.manage in the request for acquiring the authorization code.
If you prefer to automate this process, you can refer to this script and steps to obtain an access token.
We try to create an AAD service principal for retrieving data from out Log Analytics workspace.
Our AAD region is located in Germany
Log Analytics is located in North Europe
When attempting to create API permissions, the address to the API itself is mentioning westus2.api.loganalytics.io (west US region) which is a no go for our company data privacy.
Is there any reason of this default and not editable settings ? Is there any way to overcome it ?
Well, if so, you could get the token for ARM API endpoint, then call the ARM API.
In this way, no need to add the API permission for your AD App, just make sure your AD App has an RBAC role e.g. Contributor, Log Analytics Reader in the Access control (IAM) of your workspace, if not, follow this doc to add it.
Then use the client credential flow to get the token.
POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://management.azure.com/
&client_secret=YOUR_CLIENT_SECRET
After getting the token, use it to call the api like the sample below.
GET https://management.azure.com/subscriptions/6c3ac85e-59d5-4e5d-90eb-27979f57cb16/resourceGroups/demo/providers/Microsoft.OperationalInsights/workspaces/demo-ws/api/query
Authorization: Bearer <access_token>
Prefer: response-v1=true
{
"query": "AzureActivity | limit 10"
}
For more details, refer to this link.
we are trying to access a sharepoint api securely using azure oauth2. we got the bearer token but while accessing sharepoint rest api, we are getting Status code: 401 Unauthorized and Response: {"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."}
We have registered a client application in azure AD
a. Defined redirect uri in authentication
b. Mapped access roles to service user account
c. Defined client secret
d. Defined API permissions and admin consent has been provided
Token Endpoint: https://login.microsoftonline.com/66395830-4e70-4a10-8f30-225fe9afd23b/oauth2/v2.0/token
Method: POST
Body parameters:
scope:https://66395830-4e70-4a10-8f30-225fe9afd23b.sharepoint.com/.default
redirect_uri:https://cscglobal.sharepoint.com/teams/uatCLSService/BusinessLicense/KB/_api/Web/lists
grant_type:client_credentials ( note: we have also tried with password and authorization_code values by passing respective parameters )
client_secret:XXXXXX
client_id:XXXXX
I think you may set the scope in a wrong way. As far as I know, it should be https://yourSite.sharepoint.com/.default or detailed scope, such as: https://yourSite.sharepoint.com/Sites.ReadWrite.All
And now it is suggested to use Microsoft Graph API to manage your sharepoint site.
It provides a unified programmability model that you can use to access the tremendous amount of data in Office 365, Windows 10, and Enterprise Mobility + Security.
I am using client credentials flow to generate an access token. Following is the request.
I received the access token and I am using to call Web API like
https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages
Following is the screenshot
Calling Web API gives InvalidAuthenticationToken Error.
Any workaround on this.?
You're resource should be set to https://graph.microsoft.com.
In your screenshot, theresource is set to https://outlook.office.com but you're calling a Microsoft Graph. Since you're providing an access_token for a different resource, Microsoft Graph is rejecting it.
You also need to make sure you've requested the proper Microsoft Graph permissions in the Azure Portal. To call /mailFolders/inbox/messages for example, you need request permission for either Mail.Read or Mail.ReadWrite.
Finally, you cannot use /me with the Client Credentials grant. The /me is simply shorthand for /users/{current-user-id}/. Since Client Credentials does not have a current user, the API has no idea which user me is. You will need to reference a specific user entity in the path:
/v1.0/users/{userPrincipalName}/mailfolders/inbox/messages
We have an app that allows a user to connect to Salesforce and import data using OAUTH. Works fine for Dev edition users, but Enterprise edition users sometimes get a 401 Forbidden when the app makes a call to describe after they're successfully logged in.
I did manage to find this nugget in Saleforce's documentation for describeSObjects() that says:
Your client application must be logged in with sufficient access
rights to retrieve metadata about your organization’s data.
Does anybody know what exactly those sufficient access rights are? For Enterprise edition users, does the Salesforce admin need to grant specific permissions to the user, so that user can retrieve metadata?
Any help is much appreciated.
Needed to have full access permissions set on the Connected App.
The salesforce admin controls which users have access to which sobjects via the CRUD settings on the users profile.
Typically you'll want to call describeGlobal first, which'll give you info about which the sobjects the user has access to.
You shouldn't see a 401 from the SOAP API, as SOAP 1.1 requires errors to be returned with a 500 status code. So i'm guessing you're using the REST API, but 401 is Unauthorized, not Forbidden, if you're really getting a 401, it sounds like you might be using an expired access token. The response body should have more info on why you got an error response.