can't create more than 1 group lifecycle policy - azure-active-directory

I can't add more than 1 group lifecycle policy. Is it something I missed, or am I wrong?
There is an existing policy for my tenant. When I tried creating a new policy for the same tenant, I got the following error.
Error : Tenant already has maximum allowed 1 policy
Exception Message : Error in validating lifecycle manangement policy
Exception Code : MaxExpirationPoliciesCountReached
Exception Type : Microsoft.Graph.ServiceException
"error": {
"code": "MaxExpirationPoliciesCountReached",
"message": "Error in validating lifecycle manangement policy. Error: Tenant already has maximum allowed 1 policy(s).",
"innerError": {
"request-id": "1f557bc9-1343-4ffc-a7db-92897d491610",
"date": "2019-03-05T08:58:43"
In the Response body of the List groupLifecyclePolicies document, the value is an Array []. Is it possible to create more than one policy for a tenant?
Also ref: https://github.com/microsoftgraph/microsoft-graph-docs/issues/4013

This is a known limitation of AAD. From the documentation, Configure the expiration policy for Office 365 groups:
Currently only one expiration policy can be configured for Office 365 groups on a tenant.

Get Order Metrics using Amazon Selling Partner API

I am trying to make an API call to get order metrics from the Amazon Seller Central page from the Postman app. I have followed all the steps in the documentation.
I self-authorized my app using the refresh token found on the Developer Central page. I am able to generate the access token using the refresh token. When making a request to the API to get order metrics, the query parameters are:
marketplaceIds : A21TJRUUN4KGV (India)
interval : 2021-01-01T00:00:00-07:00--2021-09-04T00:00:00-07:00
granularity : Day
The AWS signature for this request has my access key and secret key derived from when I created the IAM User. The region is eu-west-1 and service name is execute-api.
In the headers I have passed:
x-amz-access-token: Atza|IwExxxxxxx
User-Agent: PostmanRuntime/7.26.8
Host: sellingpartnerapi-eu.amazon.com
x-amz-date: calculated when request is sent
After sending the request I get this response:
{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}
403 Forbidden: Request is legal but server is refusing to respond. Authenticating will make no difference.
I have logged a case with Seller Central support, but it has been over a month and they haven't replied. Please tell me what I should add, remove or check to make this request work.
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_temp_request.html
Following this gave me a temporary access key, secret access key and session token. Using those in the AWS signature for getting orders gave the desired output.
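To make the accepted answer concrete, here is an added example (not code from the original post or from Amazon) that signs the order-metrics request above with AWS SigV4 using STS temporary credentials. The point is that the session token must travel in the signed x-amz-security-token header next to the LWA token in x-amz-access-token; the credentials, timestamp and the /sales/v1/orderMetrics path are constructed placeholders, and region/service are the ones from the question.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k

def canonical_query(params: dict) -> str:
    """Sorted, RFC 3986 percent-encoded query string (':' in the interval becomes %3A)."""
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))

def sigv4_headers(method, host, path, params, access_key, secret_key, session_token,
                  lwa_token, now, region="eu-west-1", service="execute-api"):
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    # Every header below is covered by the signature. With STS temporary credentials the
    # session token MUST be sent as x-amz-security-token, or the gateway rejects the call (403).
    headers = {"host": host, "x-amz-access-token": lwa_token,
               "x-amz-date": amz_date, "x-amz-security-token": session_token}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()               # GET has an empty body
    canonical_request = "\n".join([method, path, canonical_query(params),
                                   canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    sig = hmac.new(signing_key(secret_key, date_stamp, region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

def example_headers() -> dict:
    """The order-metrics request from the question, signed with constructed placeholder credentials."""
    params = {"marketplaceIds": "A21TJRUUN4KGV", "granularity": "Day",
              "interval": "2021-01-01T00:00:00-07:00--2021-09-04T00:00:00-07:00"}
    return sigv4_headers("GET", "sellingpartnerapi-eu.amazon.com", "/sales/v1/orderMetrics", params,
                         "ASIAEXAMPLEKEY", "exampleSecret", "exampleSessionToken", "Atza|example",
                         datetime(2021, 9, 4, 12, 0, 0, tzinfo=timezone.utc))
```

In a real run the three temporary values come from an sts:AssumeRole call on the SP-API role, and x-amz-date must be the time the request is actually sent.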

Tenant 'xxx' not found while calling MS Graph API on behalf of a user

I'm trying to implement the on-behalf-of flow with Azure AD following this Microsoft sample documentation. All is good on the client side, but on
the service app side (the Azure Function that obtains another access token on the user's behalf and then calls the MS Graph API on the user's behalf), it fails to obtain the new access token (getNewAccessToken) and shows:
{
"error": "invalid_request",
"error_description": "AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace ID: xxx \r\nCorrelation ID: yyy \r\nTimestamp: 2021-01-04 07:17:15Z",
"error_codes": [
90002
],
"timestamp": "2021-01-04 07:17:15Z",
"trace_id": "xxx",
"correlation_id": "yyy",
"error_uri": "https://login.microsoftonline.com/error?code=90002"
}
Any clue how to solve this issue?
Based on your error message, you can navigate to your Azure Active Directory and make sure your TenantID matches what's in your application.
Error Message:
AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID.

Adding a user to Azure AD group via graph api

I am following the Microsoft docs at https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0. My goal is to use the Graph API to add a user to a specific group. When I make the request
POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
With a body of
{"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"}
I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-09-08T00:14:25",
"request-id": "bcc05c0f-8195-4744-8736-bd30586a7663"
}
}
}
What needs to be added to get this to work?
According to the Add member document, we need one of the following permissions in scope:
Please navigate to your application -> API permission in the portal. Add one of the permissions of Microsoft Graph, and grant admin consent for your tenant.
If you use the client credentials flow, you need to add application permission. Delegated permission is suitable for other flows.

Microsoft Graph Accessing Room Calendars

I'm trying to access some room calendars to create a booking monitoring app and am hitting some weird issues.
When checking some rules with the following query:
https://graph.microsoft.com/v1.0/users/RoomEmail#domain.com/events?$select=subject,body,bodyPreview,organizer,attendees,start,end,location
For some rooms this returns the data you would expect (booking information, etc.).
On other rooms (the majority of them) it just returns a failure status code of 503:
{
"error": {
"code": "ErrorInternalServerTransientError",
"message": "An internal server error occurred. Try again later.",
"innerError": {
"request-id": "31c78608-9a54-4927-9ad5-0ec3d36aedcf",
"date": "2017-11-27T16:22:17"
}
}
I've checked the permissions and license on all the room mailboxes and they have the same. They are also all classed as RoomMailboxes in Office 365.
I have also applied the following permissions on the user that is running the query, as per the documentation: Permission Doc
Calendars.Read
Calendars.ReadWrite
Calendars.ReadWrite.Shared
Any ideas?
Thanks in advance

Authorization_IdentityNotFound on Microsoft Graph API request

I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users' information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the Azure portal that my app has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent to this (before the admin consented to the permissions, the user was prompted).
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would be thankful.
I've also found this and this, similar questions on SO, but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
This makes no sense, because in the Azure portal I have User.Read.All as an Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, neither covered in the documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If your app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,
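The two Graph threads above (the "Adding a user to Azure AD group" question and this client-credentials thread) both come down to which kind of token is being presented and which permissions it actually carries. The following added diagnostic example (not code from the posts or from Microsoft) decodes a token's payload and reports why /me or a permission-gated call would fail; scp, roles, aud and tid are real Azure AD claim names, while the sample tokens are constructed and unsigned.

```python
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT. No signature check: diagnostic only."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)          # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))

def classify_token(claims: dict) -> str:
    # Delegated tokens carry 'scp' (space-separated scopes consented for a signed-in user);
    # app-only tokens from the client credentials flow carry 'roles' (application permissions).
    if "scp" in claims:
        return "delegated"
    return "application" if "roles" in claims else "unknown"

def has_permission(claims: dict, permission: str) -> bool:
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return permission in granted

def diagnose(token: str, endpoint: str, required: str) -> str:
    """Explain why a Graph call would fail with this token, or return 'ok'."""
    claims = decode_jwt_payload(token)
    kind = classify_token(claims)
    if endpoint.startswith("/me") and kind != "delegated":
        return "/me needs a signed-in user; an app-only token carries no user context"
    if not has_permission(claims, required):
        kind_text = "an application" if kind == "application" else "a delegated"
        return f"token lacks {required}; add it as {kind_text} permission and grant admin consent"
    return "ok"

def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned token (alg 'none', empty signature) so the demo runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: an app-only token holding only User.Read.All (as in the thread),
# and a delegated token with the scopes a signed-in user consented to
APP_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com",
                             "tid": "00000000-0000-0000-0000-000000000000",
                             "roles": ["User.Read.All"]})
DELEGATED_TOKEN = make_demo_token({"aud": "https://graph.microsoft.com",
                                   "scp": "User.Read GroupMember.ReadWrite.All"})
```

Run diagnose() on your own token against the endpoint you are calling; a missing scp claim explains the /me "Current authenticated context is not valid" error, and an empty roles list explains Authorization_RequestDenied under client credentials.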
