I'm trying to get a total count of users through Microsoft Graph API through my B2C AAD tenant, but the response seems to either error out or is omitting the #odata.count property.
Feedback online is also mixed where some people say that $count is still unsupported even thought the official documentation says that $count is supported for /users.
https://learn.microsoft.com/en-us/graph/query-parameters#count-parameter
I tried through the graph api online version:
https://developer.microsoft.com/en-us/graph/graph-explorer?request=users?$count=true&method=GET&version=v1.0
With this result:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"#odata.count": 31,
"value": [
...
]
}
However doing the same thing through something like postman nets me this result:
GET /v1.0/users?$count=true HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer [token]
ConsistencyLevel: eventual
{
"error": {
"code": "Request_BadRequest",
"message": "This request is not supported by the service",
"innerError": {
"date": "2020-10-09T18:19:44",
"request-id": "4d97fd77-19ad-42f9-9357-66c24c867ce2",
"client-request-id": "4d97fd77-19ad-42f9-9357-66c24c867ce2"
}
}
}
If I remove ConsistencyLevel header, I get a valid response but there is no #odata.count property.
Is there some Graph Api permissions that I am missing, or is this expected?
For the B2C tenant the user count is not yet supported for this /users endpoint. But for a general Azure AD tenant it will give you the count when you follow these below steps.
Select the beta endpoint. (https://graph.microsoft.com/beta/users?$count=true)
Add $count=true in the QueryString.
Add ConsistencyLevel = eventual to the Request headers.
You will see the results as below.
You can also refer this Document.
Please raise a feature request in the Microsoft Graph Feedback Forum so that the product team may add this feature to b2c tenant in future.
Related
I have B2C local accounts and when I'm trying to get/update their profile infos using Graph API with aplication issued token, it worked.
But when I try to get/update their profile photo, I get 404 errors.
request: (GET)
https://graph.microsoft.com/v1.0/users/{userOid}/photo
response: 404
{
"error": {
"code": "ImageNotFound",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ImageNotFoundException' was thrown.",
"innerError": {
"date": "2021-10-26T16:12:52",
"request-id": "ac24acee-8317-4d77-95ea-c69df189e7cb",
"client-request-id": "ac24acee-8317-4d77-95ea-c69df189e7cb"
}
}
}
request: (PUT/POST) and setting the content type as well
https://graph.microsoft.com/v1.0/users/{userOid}/photo/$value
response: 404
{
"error": {
"code": "UnknownError",
"message": "{\r\n \"errorCode\": \"ErrorUserResolutionFailedUserDoesNotExist\",\r\n \"message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileNotFoundException' was thrown.\",\r\n \"target\": null,\r\n \"details\": null,\r\n \"innerError\": null,\r\n \"instanceAnnotations\": []\r\n}",
"innerError": {
"date": "2021-10-26T16:13:55",
"request-id": "3517b374-a08d-41a1-8f68-9c9da3cbfb3b",
"client-request-id": "3517b374-a08d-41a1-8f68-9c9da3cbfb3b"
}
}
}
Currently, you are using Microsoft Graph REST API V1.0 to get/update user photo for B2C local accounts.
But these operation in version 1.0 supports only a user's work or school mailboxes and not personal mailboxes
So you can use Microsoft Graph REST API beta version to get/update user photo for B2C local accounts.
When getting / updating the user photo using beta version, this operation first attempts to get / update the photo in Microsoft 365. If that fails (due to the user not having a mailbox), this API will attempt to get / update the photo in Azure Active Directory
Note : For updating profile photo for users, use only PUT operation.
For getting the profile photo of user, please make sure the user has profile photo in the Azure AD. Else, it will throw ImageNotFound error.
Reference :
profilePhoto resource type - Microsoft Graph beta | Microsoft Docs
profilePhoto resource type - Microsoft Graph v1.0 | Microsoft Docs
I'm trying to write a web app on our website which gets a User's MS Team channels and then posts a message to a channel of their choosing using MS Teams Graph API.
I'm about to get an access token using the OAuth API, and I'm passing access token (AAD token) to the /me/joinedTeams endpoint, it's giving me the below error:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"date": "2021-05-14T20:57:03",
"request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806",
"client-request-id": "30d80d9a-66f4-47ff-ab11-dacb7f817806"
}
}
}
Screenshot of my Graph Explorer results
UPDATE:
I have gotten my account converted to a Work account, and added the permissions. Now I am getting this response/error:
Screenshot of new Graph Explorer results
It's better for you to share how to get an access token using the OAuth API. In this issue , it seems your signed-in user is a personal Microsoft account, that's not supported to access the /me/joinedTeams endpoint. Doc of this API.
There are some notes here:
When using Graph Explorer, access token is here after login. You don't need to add bearer token in Request headers.
You have to sign in with a work or school account, and you need to consent one of the required permissions in "modify permissions(Preview)".
According to this article it should be possible to delete a user from Azure AD B2C using the Microsoft Graph API: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations (more specifically: https://learn.microsoft.com/en-us/graph/api/user-delete)
I have set the User.ReadWrite.All permission (for permission type Application) and granted admin consent.
However, when calling the corresponding endpoint with a http DELETE request, it fails with the following response:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
},
"requestId": "b129b3a7-a0e9-42db-aa7a-97da31590095",
"date": "2020-11-04T12:53:32"
}
}
Other operations (such as listing and updating users) work perfectly fine. Does anyone know what causes this behavior? Any help is highly appreciated.
Update:
This is a sample of a request which I try to send to the Graph API:
Postman Curl request
Make sure you are calling Microsoft Graph and the configured permissions are under Microsoft Graph.
Based on your Curl request, you are calling Azure AD Graph (endpoint https://graph.windows.net).
The Microsoft Graph endpoint is https://graph.microsoft.com.
If your permissions are set correctly under Microsoft Graph, try to use DELETE https://graph.microsoft.com/v1.0/users/{user-id} to delete the user.
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,
We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)