I am using Graph explorer to test some requests. I logged in with my tenant account and I am trying to list Tasks from another User:
https://graph.microsoft.com/v1.0/users/{id}/getMemberGroups
I get the following error :
{
"error": {
"code": "",
"message": "You do not have the required permissions to access this item.",
"innerError": {
"request-id": "8e9c5b30-ad4a-4c4c-80c2-f14b110b3fee",
"date": "2020-05-18T16:08:36"
}
}
}
I currently have (among others) the following permission during that test :
Group.Read.All
Group.ReadWrite.All
User.Read.All
User.ReadWrite.All
Referring to the documentation, this should be enough :
Delegated (work or school account): User.ReadBasic.All and GroupMember.Read.All, User.Read and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Readand Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account): Not supported.
Application: User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All, Directory.ReadWrite.All
Any idea on what is going wrong?
Although you have requested Permissions, you cannot authorize this permission until you have received "Consent" from an Administrator. Also, You need to be the member of the group you are requesting via graph if you are doing any changes to group.
If you're using the Azure Portal to register you app (aka the v1 Endpoint) then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about the Consent Framework in Integrating applications with Azure Active Directory.
Related
I'm trying to use a Service Principal and the ms graph api to call the beta synchronization/jobs/ endpoint but get a 401 Unauthorized error.
Now I know in the documentation it says I need the Application.ReadWrite.OwnedBy or Directory.ReadWrite.All scopes, but I would rather use role permissions assigned to the Service Principal to keep access more granular.
I've assigned the Principal to the application administrator role, this allows me to access https://graph.microsoft.com/beta/servicePrincipals/{object-id}/ but when I try https://graph.microsoft.com/beta/servicePrincipals/{object-id}/synchronization/jobs/ I get a 401 code with
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-06-28T14:35:44",
"request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7",
"client-request-id": "5c5532e5-b506-475b-b926-8b3ec36525d7"
}
}
}
Is there some role permission I'm missing or is this endpoint not compatible with role permissions yet? Or most likely am I being silly and missing something?
I've tried using the golang adal package and the az account get-access-token --resource https://graph.microsoft.com command to get a token.
I can access this endpoint when authenticated as my AAD user with Global admin role.
The application permission of Microsoft Graph cannot be completely replaced by directory role permissions. They cannot replace each other.
Generally speaking, the permissions of the AAD Graph and the directory role permission have a certain overlap. But Microsoft Graph is not.
Please use Application permission Application.ReadWrite.OwnedBy or Directory.ReadWrite.All in this case.
I was able to get it to work by adding following Microsoft Graph API permission Application.ReadWrite.All & Directory.ReadWrite.All for application which I used to authenticate and get Access_token.
Working API permission on my lab:
If any of these two permission missing then expected to get (401) Unauthorized same as you.
When calling the MS Graph API on the endpoint https://graph.microsoft.com/beta/me/todo/lists, I get the following result (same when using v1.0 instead of beta):
{
"error": {
"code": "UnknownError",
"message": "The service is unavailable.",
"innerError": {
"date": "2021-01-05T18:36:43",
"request-id": "a4549f79-399a-401b-84eb-cc2f8f6197c8",
"client-request-id": "e07b23bb-60bd-be9b-39db-60953ff42844"
}
}
}
Permission Tasks.ReadWrite is consented and the authenticated user account is a personal account (aka Microsoft Account). With a "Work or school account", the API works as expected.
As of the documentation, this endpoint should be fully available in v1.0 and beta versions but it obviously is not - or I do something wrong. Any suggestions?
You can try to use graph-explorer to log in to your personal Microsoft account and call the api. I just tested it with this tool and it did work for me. (Don't forget to add Tasks.ReadWrite permission and consent)
Another method is to add your personal Microsoft account as a guest user to the Azure tenant (note: guest users need administrator role to call the api), then grant Tasks.ReadWrite delegation permissions to the application, and then use the auth code flow Obtain an access token. This requires you to log in to your personal Microsoft account to obtain an authorization code, and then use the authorization code to redeem an access token.
Context: I've a console app which wants to use Graph API to talk to AAD to check if a particular userId exists in the tenant or not.
I've been following the guidelines here: https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0
I'm able to generate a token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=x
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=x
&grant_type=client_credentials
But when I call the graph API I get this ERROR:
https://graph.microsoft.com/v1.0/users/12345678-73a6-4952-a53a-e9916737ff7f
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "x",
"date": "x"
}
}
}
My AAD App has all the permissions from:
1. Microsoft Graph
2. Windows Azure Active Directory
I tried changing the scope to
scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read
But this is the error I get while generating token:
The provided value for the input parameter 'scope' is not valid. The scope https://graph.microsoft.com/user.read is not valid.
I've tried combinations of "User.Read", "User.Basic.Read", etc. but nothing works.
The most likely reason why this is not working is because the permission which you have configured your app registration to require have not actually been granted by an administrator of your organization.
In your code, your app is authenticating as an application only. There is no signed-in user involved, and it requires your app to use and keep confidential a key used to authenticate (the client_secret parameter).
In this scenario, requesting the scope https://graph.microsoft.com/.default is the correct approach. What you're saying to Azure AD is: "please provide an access token for all the application permissions this app has been granted". Requesting the scope https://graph.microsoft.com/User.Read is not the correct approach because there is no application permission with that name.
Does the app you created have delegated permissions or application permissions to that scope?
Most likely the former. Delegated permissions don’t apply to client credentials flow.
Is there a way to upgrade and downgrade the Azure AD / Microsoft Graph access level?
For example, can a user signup with a web app only to login and later upgrade access to One Drive or downgrade back to login? I was looking for a way to unauthorize the user access and then reauthorize with the different set of permissions but couldn't find a way to unauthorize.
You can get incremental consent if you use the V2 endpoint: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-appmodel-v2-overview.
There you can specify which scopes you want to require when redirecting the user to login.
So you can require basic ones at the start, and then if they want to enable additional features/you release an update which requires additional permissions, you can add those quite easily.
As for the other direction, no.
Once a user has given consent for some permissions, the only way to undo the consent would be to delete the oauth2PermissionGrant object mapping the user to the application's service principal.
In case of an application permission, an appRoleAssignment would need to be deleted from the service principal.
So it's possible, but you will have to call Microsoft Graph API yourself.
You can get all permission grants via: https://graph.microsoft.com/beta/oauth2PermissionGrants and it returns grant objects like this:
{
"clientId": "e846195b-9b20-4001-ad84-5ab5de5531e6",
"consentType": "AllPrincipals",
"expiryTime": "2018-05-04T09:39:32.9697945Z",
"id": "WxlG6CCbAUCthFq13lUx5s7PF6398j5LkfWqCoLpQBI",
"principalId": null,
"resourceId": "ad17cfce-f2fd-4b3e-91f5-aa0a82e94012",
"scope": "User.Read Directory.AccessAsUser.All",
"startTime": "0001-01-01T00:00:00Z"
}
This one is actually the result of admin consent (consentType = AllPrincipals and principalId = null).
For regular user consent, principalId will be the id of the user.
clientId is the id of the service principal who was granted access, and resourceId is the target service principal.
You can also filter the results to a specific user for example: https://graph.microsoft.com/beta/oauth2PermissionGrants?$filter=principalId eq '73c38a25-23eb-44eb-bf63-4aa987b2ef19'
You can then update the grant to change the approved scopes by running a PATCH to https://graph.microsoft.com/beta/oauth2PermissionGrants/WxlG6CCbAUCthFq13lUx5s7PF6398j5LkfWqCoLpQBI with a body like:
{
"scope": "User.Read"
}
You can delete the grant entirely by running a DELETE on the same URL.
I am working on POC where I want to access Microsoft Teams API.i.e.
https://graph.microsoft.com/beta/me/joinedTeams
But getting below error details. Error details are as follows.
{
"error": {
"code": "",
"message": "Authorization has been denied for this request.",
"innerError": {
"request-id": "ac2efa19-dc29-4573-9ece-ba98b564818e",
"date": "2018-02-16T12:55:15"
}
}
}
I have given below permissions from microsoft azure for my registered application.
Bookings.Manage.All Bookings.Read.All Bookings.ReadWrite.All
BookingsAppointment.ReadWrite.All Calendars.Read Calendars.Read.Shared
Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read
Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared
Device.Command Device.Read EAS.AccessAsUser.All email Files.Read
Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All
Files.ReadWrite.AppFolder Files.ReadWrite.Selected
Financials.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadWrite
Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.Read
MailboxSettings.ReadWrite Notes.Create Notes.Read Notes.Read.All
Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp
offline_access openid People.Read profile Sites.Manage.All
Sites.Read.All Sites.ReadWrite.All Tasks.Read Tasks.Read.Shared
Tasks.ReadWrite Tasks.ReadWrite.Shared User.Read User.ReadBasic.All
User.ReadWrite UserTimelineActivity.Write.CreatedByApp
Above permissions I can see when I decrypt access token.
I have gone through that Microsoft Teams (beta) API: Looks like you may not have the permissions for this call. Please modify your permissions post and already have given permission as per above post but still getiing same error.
Here is screen shot
enter image description here
Thanks
The permissions required for getting the joined teams is User.Read.All, User.ReadWrite.All. Please go through the link for more information about the joined teams graph api call.