I have registered an application on our Azure AD, and granted it the Sites.Selected permission as well as granting it access to a specific Sharepoint site following this guide. (Sites.ReadWrite.All is not an option as it would give access to all sites)
https://ashiqf.com/2021/03/15/how-to-use-microsoft-graph-sharepoint-sites-selected-application-permission-in-a-azure-ad-application-for-more-granular-control/
Now I am trying to use Postman to send web requests to the Microsoft Graph API in order to upload large files so I want to use the createUploadSession endpoint.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
But I get the error:
{
"error": {
"code": "notAllowed",
"message": "Operation not allowed",
"innerError": {
"date": "2022-02-04T14:04:37",
"request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f",
"client-request-id": "06e86b5b-6067-4d7b-9ce9-af41de95406f"
}
}
}
I know the authentication token I use is valid because a request to directly upload a file works fine and uploads the file.
https://graph.microsoft.com/v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/content
Any ideas for what could be wrong with my request to start an upload session?
I suppose that item_id is id of the destination folder but I'm not sure whether you can upload large this way
v1.0/sites/{{site_id}}/drive/items/{{Item_id}}:/test.rtf:/createUploadSession
Try to specify the path to the file from the root
POST v1.0/sites/{{site_id}}/drive/items/root:/test.rtf:/createUploadSession
Also check whether the POST HTTP method is set.
I'm trying to assign app-specific roles to a user in our AD group using Microsoft Graph.
The link I'm sending the request to:
https://graph.microsoft.com/beta/users/{oID of the user I want to assign the role to}/appRoleAssignments/{Object ID of the AD enterprise app}
Inside the request:
{"id": "ID of the role I'm trying to assign to the user"}
The error:
"code": "BadRequest",
"message": "Write requests are only supported on contained entities",
The documentation doesn't define parameters in the example well and I've tried various possibilities but this is the only meaningful result I've gotten.
This isn't current supported by Microsoft Graph. To create app role assignments, you'll need to use Azure AD Graph:
POST https://graph.windows.net/myorganization/users/{user-object-id}/appRoleAssignments
{
"principalId": "{user-object-id}",
"resourceId": "{service-principal-object-id}",
"id": "{app-role-id}"
}
In graph explorer the https://graph.microsoft.com/v1.0/me?$select=birthday endpoint gives me the example profile birthday
but when I try it with my account I receive this error
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "37e1643d-0bfd-46a4-8b48-70a4922f2952",
"date": "2017-12-29T21:33:16"
}
}
}
even though it returns my profile with the /me endpoint. I believe it has all the same scopes as the example and I checked all the .read scopes to make sure it had everything needed.
My birthday is in my profile and I am able to get my birthday from the deprecated live api with the wl.birthday scope but not the new graph api.
Thanks for pointing this out. Looks like we need to update our documentation. I filed this doc issue to track. Some user properties are only available for commercial (work or school) accounts (i.e. AAD based), through Microsoft Graph. Microsoft Graph, when signed in though a consumer account, has limited access to the same data that is exposed in the deprecated live API. I'll check if this particular item can be fixed.
Hope this helps,
I'm building an internal meeting room app that uses the Microsoft Graph API and I would like to extend Event objects with a Schema Extension.
Documentation:
API Reference
Tutorial Example
However when running a query to register a new schema extension, I am receiving this HTTP response:
{
"url": "https://graph.microsoft.com/beta/schemaExtensions",
"status": "403 Forbidden",
"headers": {
"request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"client-request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"North Europe\",\"Slice\":\"SliceA\",\"ScaleUnit\":\"001\",\"Host\":\"AGSFE_IN_2\",\"ADSiteName\":\"DUB\"}}",
"duration": "742.4624"
},
"body": {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"date": "2017-05-10T10:05:37"
}
}
}
}
I can confirm that my application has the prerequisite scope permission of Directory.AccessAsUser.All and it's also been more than 16 hours since adding this permission. I have also got verified domains, so the namespace should be OK per the documentation reference.
My API query in code:
Outlook.test({
version: 'beta',
resource: 'schemaExtensions',
method: 'POST',
body: {
id: 'thehivegroup_beethere',
description: 'Extension for event presence status',
targetTypes: [ 'Event' ],
properties: [
{ name: 'checkIn', type: 'String' },
{ name: 'checkOut', type: 'String' }
]
}
})
.then(result => console.log(result), err => console.error(err))
Which results in a POST with the JSON encoded in the body and headers with authorization token to the URL https://graph.microsoft.com/beta/schemaExtensions.
I have tried different IDs, such as beethere, which resulted in a namespace error, so I know this ought to be working fine.
There are no other scope permissions I am aware of that I need to enable here as well. The error is just too vague for me to figure out what privileges are insufficient here.
EDIT: Have manually run the query in the Graph Explorer as an Admin in the tenant, added the scope permissions required for the API and some extra ones in case, but the query for registration of Schema Extensions still does not work, with the same error message as the application receives. So it is definitely not a problem in my code, but the Microsoft Graph API. Is there a contact or way to ask microsoft to look into the issue?
Directory.AccessAsUser.All is a delegated permission only (it must be delegated because it grants access to directory based APIs as the signed-in user's access rights). It doesn't show up in the roles claim because it isn't an application permission.
As far as I know, right know, you cannot use the application flow (client credentials) to create a schema extension, and you need to use the "code authorization" flow. Please let us know if this is a requirement. Additionally we'd love to know if you want to see an experience for schema definition registration as part of the application registration...
Also you CANNOT currently create a schema extension definition (or manage it) through Graph Explorer. For you to created a definition, you must either be an admin or the owner of the app creating the extension definition AND the creation request must also come from that application (which cannot be graph explorer). We may look at relaxing this last constraint.
If you want to see a code snippet for this it's available here (although it's a UWP c# app, not JS): https://github.com/microsoftgraph/uwp-csharp-snippets-rest-sample.
Also schema extensions is now GA, and available in the v1.0 endpoint.
Hope this helps,
Graph Explorer is able to add an extension.
You will need to create an app in your tenant and set the owner in the payload to the client id of your app.
more on this
This schema extensions creating REST works well for me. Please ensure that the token contains Directory.AccessAsUser.All permission. You can parse the token check the scp claim in it from this site.
I'm trying to implement checking availability for specific user (actually a room) in O365 calendar. I'm using Graph API as it's recommended by Microsoft.
My first approach was using POST on https://graph.microsoft.com/v1.0/me/findMeetingTimes with the message body prepared according to template given in Graph API Explorer. On the API Explorer everything seems to work fine but when I try to run exactly the same request with my applications token I receive 403:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "b130177d-e138-4cc7-8e72-5d3529a9dc24",
"date": "2017-03-21T08:47:10"
}
}
}
I checked the app's delegated permissions in AAD and they seem to be fine. For Microsoft Graph those are granted:
Calendars.ReadWrite.Shared
Calendars.Read.Shared
Calendars.ReadWrite
Calendars.Read
I get exactly the same response (403) when I try to simply list user's events: https://graph.microsoft.com/v1.0/users//events In Graph API Explorer 500 is returned.
I found the following bug description: https://github.com/microsoftgraph/microsoft-graph-docs/issues/559 (and probably this one too) Is it related with the issues above?
Any clue what I might be doing wrong?
Is there any other way to achieve the same using different endpoint or API assuming that I still want to use oAuth for authorization?
I will be grateful for any hint
Update: Outlook Calendar API seems to work. Still appreciate any ideas why Graph API doesn't?
The FindMeetingAPI needs A work or a school account . If you are logging in using your personal email ID , you might not be able to login. Moreover , you need to set permissions to Calendars.Read Calendars.Read.All Calendars.ReadWrite User.Read"