How to request access for Microsoft Graph Explorer? - azure-active-directory

I want to add the Group.Read.All and Group.ReadWrite.All permissions to Graph Explorer. When I open the permissions and add them I'm told I need admin approval, although these specific permissions do not require approval. I want to add these permissions without taking away existing admin approvals. How do I do this? The pop-up does not have an option to ask for that, and 2018's solution is not working for me! I just cannot get to a permissions request page or anything similar. I do not find Graph Explorer in AAD apps or anywhere. How can I request an admin to provide these permissions to Graph Explorer for my account?

In the Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer), when you run a query related to Groups (https://graph.microsoft.com/v1.0/groups), you will get the error below, which says you don't have access:
{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2020-08-08T11:36:28",
            "request-id": "b3bd3b88-a1b2-4a57-9e60-c495daf7f528"
        }
    }
}
In order to have the access, an org admin can provide it by following the steps below:
Log in to Graph Explorer.
Select Permissions.
Select Group.Read.All and Group.ReadWrite.All (screenshot below).
The admin will get the screen below.
Now any user from the org can do group-related operations.
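The denial above comes down to what the access token presented to Graph actually carries. The following is an added example (not code from the original answer or from Microsoft) that decodes the permission claims of a Graph token and reads an error body like the one shown. Delegated permissions appear in the `scp` claim and application permissions in the `roles` claim; the token here is a constructed sample with a dummy signature, and nothing in this code verifies signatures, so it is for inspection only. The `make_sample_token`, `granted_as` and `diagnose` helpers are my own names.

```python
import base64
import json
from typing import List, Optional

# Added example: inspect the permission claims of a Microsoft Graph access token
# and explain an Authorization_RequestDenied response in terms of those claims.
# The token is a constructed sample with a dummy signature; signatures are NOT
# verified here, so use this only to see what a token carries, never to trust it.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(scp: Optional[str] = None, roles: Optional[List[str]] = None) -> str:
    """Build a constructed, unsigned JWT shaped like a Graph token (sample data only)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com",
               "tid": "00000000-0000-0000-0000-000000000000"}
    if scp:
        payload["scp"] = scp        # delegated permissions: space-separated string
    if roles:
        payload["roles"] = roles    # application permissions: list of strings
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "dummy-signature"])

def token_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def granted_as(token: str, permission: str) -> Optional[str]:
    """Return 'delegated', 'application' or None for the named Graph permission."""
    claims = token_claims(token)
    if permission in claims.get("scp", "").split():
        return "delegated"
    if permission in claims.get("roles", []):
        return "application"
    return None

def diagnose(token: str, error_body: dict, needed: str) -> str:
    """Explain a Graph error body, citing the innerError fields support would ask for."""
    err = error_body.get("error", error_body)      # Graph sometimes omits the outer wrapper
    inner = err.get("innerError", {})
    ref = f"request-id={inner.get('request-id')} date={inner.get('date')}"
    if err.get("code") != "Authorization_RequestDenied":
        return f"{err.get('code')}: {err.get('message')} ({ref})"
    kind = granted_as(token, needed)
    if kind is None:
        return (f"token carries no {needed}: an admin must consent to it in Graph Explorer, "
                f"then sign in again ({ref})")
    return f"token carries {needed} as a {kind} permission; the denial has another cause ({ref})"

# Constructed inputs: the error body from the answer above and two sample tokens.
SAMPLE_ERROR = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"date": "2020-08-08T11:36:28",
                       "request-id": "b3bd3b88-a1b2-4a57-9e60-c495daf7f528"},
    }
}
TOKEN_WITHOUT_GROUPS = make_sample_token(scp="openid profile User.Read")
TOKEN_WITH_GROUPS = make_sample_token(scp="openid profile User.Read Group.Read.All")

if __name__ == "__main__":
    print(diagnose(TOKEN_WITHOUT_GROUPS, SAMPLE_ERROR, "Group.Read.All"))
    print(diagnose(TOKEN_WITH_GROUPS, SAMPLE_ERROR, "Group.Read.All"))
```

In practice you would paste the token Graph Explorer shows under its "Access token" tab into `token_claims`; if `Group.Read.All` is absent from `scp`, the fix is consent, not a different query.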

Related

MailboxNotEnabledForRESTAPI error for few users and working for other users

I'm in the process of getting users' calendars from Graph. This is my request:
GET https://graph.microsoft.com/v1.0/users/id/calendar
This is giving the expected results for some users and failing for others with 404 Not Found:
{
    "error": {
        "code": "MailboxNotEnabledForRESTAPI",
        "message": "The mailbox is either inactive, soft-deleted, or is hosted on-premise.",
        "innerError": {
            "date": "2022-11-24T17:41:34",
            "request-id": "0c24472c-a2e3-4e84-a3bb-9e35a33d06f4",
            "client-request-id": "61731188-cebe-e7b3-416d-f0e4ec8c012e"
        }
    }
}
My tenant has an Azure Active Directory Premium P2 license. What else do I need? Why is it working for some users and failing for others?
Are those users hybrid mailboxes that are on-premises? Hybrid Graph has been deprecated and will cease working in March next year: https://learn.microsoft.com/en-us/graph/hybrid-rest-support
If the users are hosted on O365 you need to verify that they have an active licence, as you may find the licence has expired etc. if multiple plans are (or were) active in the tenant. If a mailbox doesn't have a good licence you won't be able to access it.
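The comment above suggests checking each user's licence before calling the calendar endpoint. As an added example (my own code, not from the thread), the following walks the `assignedPlans` property of Graph user objects, as returned by `GET /users?$select=id,userPrincipalName,assignedPlans`, and flags users who are likely to produce MailboxNotEnabledForRESTAPI. The service name `"exchange"` and the `capabilityStatus` values are what I understand Graph returns for Exchange Online plans; treat them as assumptions and compare with your own tenant's output. The user records are constructed sample data.

```python
from typing import Dict, List, Tuple

# Added example: triage Graph user objects by Exchange Online licence state before
# calling /users/{id}/calendar. Field names follow the Graph assignedPlan resource
# (service, capabilityStatus, servicePlanId); the value "exchange" for the Exchange
# Online service is an assumption to verify against your tenant.

USERS_QUERY = "https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,assignedPlans"
EXCHANGE_SERVICE = "exchange"   # assumed service name in assignedPlans

def exchange_plan_status(user: Dict) -> str:
    """Return the capabilityStatus of the user's Exchange plan, or 'None' if no such plan exists."""
    for plan in user.get("assignedPlans", []):
        if plan.get("service", "").lower() == EXCHANGE_SERVICE:
            return plan.get("capabilityStatus", "Unknown")
    return "None"

def triage_mailbox_users(users: List[Dict]) -> Dict[str, Tuple[bool, str]]:
    """Map userPrincipalName -> (calendar call expected to work, reason)."""
    result: Dict[str, Tuple[bool, str]] = {}
    for user in users:
        status = exchange_plan_status(user)
        upn = user.get("userPrincipalName", user.get("id", "?"))
        if status == "Enabled":
            result[upn] = (True, "Exchange Online plan enabled")
        elif status == "None":
            # No cloud Exchange plan at all: unlicensed user, or a mailbox that
            # lives on-premises (hybrid), which Graph cannot serve.
            result[upn] = (False, "no Exchange Online plan assigned; user unlicensed or mailbox on-premises")
        else:
            # Plan present but not usable, e.g. Deleted or Suspended after a licence change.
            result[upn] = (False, f"Exchange Online plan present but capabilityStatus is {status}")
    return result

# Constructed sample page of the /users response (ids and plan ids are made up).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Enabled", "servicePlanId": "plan-exo"}]},
    {"id": "u2", "userPrincipalName": "bob@contoso.example",
     "assignedPlans": [{"service": "exchange", "capabilityStatus": "Deleted", "servicePlanId": "plan-exo"}]},
    {"id": "u3", "userPrincipalName": "carol@contoso.example",
     "assignedPlans": [{"service": "SharePoint", "capabilityStatus": "Enabled", "servicePlanId": "plan-spo"}]},
]

if __name__ == "__main__":
    for upn, (ok, why) in triage_mailbox_users(SAMPLE_USERS).items():
        print(f"{'OK  ' if ok else 'SKIP'} {upn}: {why}")
```

Running the triage first turns a scattered set of 404s into a list of accounts to hand to whoever manages licensing, and it separates licence problems from the hybrid (on-premises) case the comment asks about.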

Logic Apps and Configuring Office 365 Email

Configuring a new service connection to Office 365 from the "Send email via Office 365 Outlook" connector in Logic Apps is failing on Save with the following error:
Failing to save logic app . The client has permission to perform action 'Microsoft.Logic/workflows/write' on scope , however, it does not have permission to perform action 'join/action' on the linked scope '/providers/microsoft.web/connections/office365'.
If I am asking for the permissions for the second part, what role is that? It seems to be something in Office 365.
When you use the Office 365 connector in the logic app (signing in with your user account to authenticate successfully), it creates an Office 365 API connection (i.e. the microsoft.web/connections/office365 mentioned in the error) in your resource group.
So to solve the issue, you also need permission at the resource group/subscription level, not only at the logic app level. Just navigate to the resource group/subscription in which the logic app is located -> Access control (IAM) -> add an RBAC role, e.g. Contributor, like below.
Update:
For the specific error in your question, the minimum permission is Microsoft.Web/connections/Join/Action without doubt, but if you want to complete your task successfully, the permission I recommend is Microsoft.Web/connections/*. It is small enough, and it includes the permissions below (source).
Of course, you can use only Microsoft.Web/connections/Join/Action, but it may raise another permission error, and then you need to fix that again; it all depends on your requirements.
To create the custom role, follow this doc; in step 6, use JSON like the below.
{
    "properties": {
        "roleName": "LogicAPIConnRole",
        "description": "test",
        "assignableScopes": [
            "/subscriptions/xxxxx"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Web/connections/*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
After the creation, assign the role at the Office 365 API connection scope and it will work fine.
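Before assigning a custom role it is worth checking on paper that it really grants the action the error names at the scope where it will be assigned. The following is an added example (my own code, not from the answer or from Azure) that models the relevant part of Azure RBAC evaluation: an action is granted when a permission block lists a matching `actions` pattern that no `notActions` pattern excludes, matching is case-insensitive with `*` spanning `/` segments, the assignment scope must sit inside one of the role's `assignableScopes`, and the resource must be at or below the assignment scope. The role definition is the one from the answer above; the Contributor-like role is a simplified stand-in, and the resource group and resource names are placeholders.

```python
import fnmatch
from typing import Dict

# Added example: a small model of Azure RBAC action/scope evaluation, used to
# confirm that a role definition covers Microsoft.Web/connections/Join/Action
# at the API connection before it is assigned. Scope strings and the
# subscription id "xxxxx" are placeholders; CONTRIBUTOR_LIKE is an abridged
# stand-in for the built-in Contributor role, not its real definition.

def action_matches(pattern: str, action: str) -> bool:
    # RBAC patterns are case-insensitive and "*" may span "/" segments,
    # which is exactly how fnmatch treats "*" on a lower-cased string.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def role_allows(role_props: Dict, action: str) -> bool:
    """True if some permission block grants the action and none of its notActions denies it."""
    for perm in role_props.get("permissions", []):
        granted = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False

def scope_covers(outer: str, inner: str) -> bool:
    """True if inner is outer itself or lies beneath it in the scope hierarchy."""
    o, i = outer.rstrip("/").lower(), inner.rstrip("/").lower()
    return i == o or i.startswith(o + "/")

def assignable(role_props: Dict, assignment_scope: str) -> bool:
    """A role may only be assigned at or below one of its assignableScopes."""
    return any(scope_covers(s, assignment_scope) for s in role_props.get("assignableScopes", []))

def effective_permission(role_props: Dict, assignment_scope: str, resource_scope: str, action: str) -> bool:
    """Would assigning this role at assignment_scope grant action on resource_scope?"""
    return (assignable(role_props, assignment_scope)
            and scope_covers(assignment_scope, resource_scope)
            and role_allows(role_props, action))

# The custom role from the answer above (the "properties" object).
LOGIC_API_CONN_ROLE = {
    "roleName": "LogicAPIConnRole",
    "assignableScopes": ["/subscriptions/xxxxx"],
    "permissions": [{"actions": ["Microsoft.Web/connections/*"],
                     "notActions": [], "dataActions": [], "notDataActions": []}],
}
# Simplified Contributor-like role: everything except managing role assignments.
CONTRIBUTOR_LIKE = {
    "roleName": "Contributor (simplified stand-in)",
    "assignableScopes": ["/"],
    "permissions": [{"actions": ["*"],
                     "notActions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/elevateAccess/Action"]}],
}
RG = "/subscriptions/xxxxx/resourceGroups/rg-logic"                      # placeholder
CONNECTION = RG + "/providers/Microsoft.Web/connections/office365"        # the API connection
WORKFLOW = RG + "/providers/Microsoft.Logic/workflows/send-mail"         # placeholder logic app
JOIN = "Microsoft.Web/connections/Join/Action"

if __name__ == "__main__":
    print("custom role at the connection grants join:",
          effective_permission(LOGIC_API_CONN_ROLE, CONNECTION, CONNECTION, JOIN))
    print("custom role grants workflow write:",
          role_allows(LOGIC_API_CONN_ROLE, "Microsoft.Logic/workflows/write"))
    print("contributor-like role can write role assignments:",
          role_allows(CONTRIBUTOR_LIKE, "Microsoft.Authorization/roleAssignments/write"))
```

The comparison makes the trade-off in the answer concrete: the custom role grants the join at the connection and nothing on the workflow, whereas Contributor at the resource group grants far more than the error asked for.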

ErrorGroupsAccessDenied when setting hideFromAddressLists or hideFromOutlookClients

I have been trying to set the following values on a group using Graph, using the beta API:
{
    "hideFromOutlookClients": true,
    "hideFromAddressLists": true
}
However, I get the following error:
{
    "code": "ErrorGroupsAccessDenied",
    "message": "User does not have permissions to execute this action."
}
The application does have the required permissions for updating a group; in fact, updating a group's description works just fine. These two properties were added a few months back but they seem to require a different permission. I cannot find any other "group"-related permission to assign.
Has anyone used these properties before who could shed some light on the subject?
I have tested your scenario.
To update "hideFromOutlookClients" and "hideFromAddressLists", we have to assign the Group.ReadWrite.All Delegated Permission.
The other two Delegated Permissions, Directory.ReadWrite.All and Directory.AccessAsUser.All, don't work. (But these two permissions do work for updating "description".)
The beta version of the Microsoft Graph API is continuously improving, so there may be some unexpected issues.
UPDATE:
You are using Application permissions rather than Delegated permissions. Unfortunately, Application permissions are not supported currently, based on my test. You need to assign the Group.ReadWrite.All Delegated Permission and call this API on behalf of a user.

Insufficient privileges to write to schema extensions

I've registered a schema extension for users.
I'd like to use it to store data about users after they log in to an app; however, I can't figure out the permissions. On my (admin) account I'm able to, no problem, but on normal user accounts I receive:
{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "2ee94ed5-f351-4992-8db0-2e3b420aa581",
            "date": "2017-10-04T09:37:49"
        }
    }
}
The reason I'm using a schema extension instead of an open extension (which does work) is that I need to be able to filter users by their extension. I can't seem to do this with an open extension.
The PATCH request is as follows:
https://graph.microsoft.com/v1.0/me
{
    "extkh2zr49b_notifications": {
        "badgeCount": "0",
        "pushToken": "test"
    }
}
And my delegated permissions for the app are:
profile, openid, Directory.AccessAsUser.All, Directory.ReadWrite.All, User.ReadWrite.All
I've concluded it's impossible for normal users to edit their schema extensions. I tried granting every available permission.
I ended up using an open extension instead. I was able to return all members of a group as well as their extensions. This was enough for me (far better than checking every user in the organisation for an extension...).
The query is below:
https://graph.microsoft.com/v1.0/groups/[id]/members/$/microsoft.graph.user?$expand=extensions&$select=id
I couldn't find this in any of Microsoft's official documentation, so hopefully it continues to work!
Before a normal user can leverage certain scopes, you first need to provide Admin Consent for those scopes. In your case the scopes Directory.AccessAsUser.All, Directory.ReadWrite.All and User.ReadWrite.All require consent.
You might find this article helpful: v2 Endpoint and Admin Consent.

google app engine cloud resource new project permissions error

I'm currently trying to create a new App Engine project using the endpoint outlined here:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/create
The actual endpoint is https://cloudresourcemanager.googleapis.com/v1beta1/projects
However, when I authenticate via oauth and submit a POST request, I get the following payload:
{
    "error": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED"
    }
}
I have full access to the engine via my Owner role, so I'm not sure what the issue here is?
Does anyone have any ideas?
Many Thanks
You need to make sure you have a service account for your application, and you need to make sure that the API is enabled.
On the Cloud Resource Manager page there is a note stating (emphasis mine):
Programmatically create, manage, and delete projects that belong to your organization. You can also undelete or recover projects that you didn't mean to delete. Access to Cloud Resource Manager project creation is currently invite-only. For an invitation, contact our sales team.
Did you obtain such an invitation? If not, then the Owner role you're mentioning is likely not the right one needed for the Cloud Resource Manager operation.
