I am working on POC where I want to access Microsoft Teams API.i.e.
https://graph.microsoft.com/beta/me/joinedTeams
But getting below error details. Error details are as follows.
{
"error": {
"code": "",
"message": "Authorization has been denied for this request.",
"innerError": {
"request-id": "ac2efa19-dc29-4573-9ece-ba98b564818e",
"date": "2018-02-16T12:55:15"
}
}
}
I have given below permissions from microsoft azure for my registered application.
Bookings.Manage.All Bookings.Read.All Bookings.ReadWrite.All
BookingsAppointment.ReadWrite.All Calendars.Read Calendars.Read.Shared
Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read
Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared
Device.Command Device.Read EAS.AccessAsUser.All email Files.Read
Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All
Files.ReadWrite.AppFolder Files.ReadWrite.Selected
Financials.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadWrite
Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.Read
MailboxSettings.ReadWrite Notes.Create Notes.Read Notes.Read.All
Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp
offline_access openid People.Read profile Sites.Manage.All
Sites.Read.All Sites.ReadWrite.All Tasks.Read Tasks.Read.Shared
Tasks.ReadWrite Tasks.ReadWrite.Shared User.Read User.ReadBasic.All
User.ReadWrite UserTimelineActivity.Write.CreatedByApp
Above permissions I can see when I decrypt access token.
I have gone through that Microsoft Teams (beta) API: Looks like you may not have the permissions for this call. Please modify your permissions post and already have given permission as per above post but still getiing same error.
Here is screen shot
enter image description here
Thanks
The permissions required for getting the joined teams is User.Read.All, User.ReadWrite.All. Please go through the link for more information about the joined teams graph api call.
Related
When calling the MS Graph API on the endpoint https://graph.microsoft.com/beta/me/todo/lists, I get the following result (same when using v1.0 instead of beta):
{
"error": {
"code": "UnknownError",
"message": "The service is unavailable.",
"innerError": {
"date": "2021-01-05T18:36:43",
"request-id": "a4549f79-399a-401b-84eb-cc2f8f6197c8",
"client-request-id": "e07b23bb-60bd-be9b-39db-60953ff42844"
}
}
}
Permission Tasks.ReadWrite is consented and the authenticated user account is a personal account (aka Microsoft Account). With a "Work or school account", the API works as expected.
As of the documentation, this endpoint should be fully available in v1.0 and beta versions but it obviously is not - or I do something wrong. Any suggestions?
You can try to use graph-explorer to log in to your personal Microsoft account and call the api. I just tested it with this tool and it did work for me. (Don't forget to add Tasks.ReadWrite permission and consent)
Another method is to add your personal Microsoft account as a guest user to the Azure tenant (note: guest users need administrator role to call the api), then grant Tasks.ReadWrite delegation permissions to the application, and then use the auth code flow Obtain an access token. This requires you to log in to your personal Microsoft account to obtain an authorization code, and then use the authorization code to redeem an access token.
I am following the microsoft docs on https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0. My goal is to use the graph api to add a user to a specific group. When I make the request
POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
With a body of
{"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"}
I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-09-08T00:14:25",
"request-id": "bcc05c0f-8195-4744-8736-bd30586a7663"
}
}
}
What needs to be added to get this to work?
According to the document of Add member, we need one of the following permission in scope:
Please navigate to your application -> API permission in the portal. Add one of the permissions of Microsoft Graph, and grant admin consent for your tenant.
If you use the client credentials flow, you need to add application permission. Delegated permission is suitable for other flows.
I have an android application that uses Azure AD B2C. Users can sign up using local account/email. Once the user logs into the android application, I'm trying to call the Microsoft Graph API to get the signed-in users details (specifically the Graph API UPN of the user, which is different than the UPN in Azure ad B2C).
The API call I'm trying to make is: https://graph.microsoft.com/v1.0/me
I added the bearer auth token I receive when the user logs in.
However, I receive the following error:
"error": {
"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: 80049217",
"innerError": {
"date": "2020-06-17T06:11:32",
"request-id": "b4e9757e-60d9-453f-820d-9f817831aa0c"
}
}
}
Any idea what I can do to get the user's Graph API UPN? Appreciate the help!
This error occurs when the token used is invalid. If you want to get the logged-in user information, you can request the API at here.
Don't forget to grant administrator consent for this permission,please checkhere.
Update
For Azure b2c users, it is currently not possible to call the Graph API.https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/526
I went through the process to get admin consent for a POC app (delegated) I am building that leverages the new Presence API via MS Graph
https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-beta&tabs=http
However, when I try to make a Graph API Call, I am able to get a token, but get this error when I try to hit the /me endpoint (gets my AD Info)
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "0c293c6f-f8d2-4a12-8879-c52b16e4c51f",
"date": "2020-01-07T18:09:14"
}
}
}
I am not sure what this error is from, anyone here that can help me? My app has permissions for
User.Read
User.Read.All
The fix for this issue is to update the authentication flow to use the 'On behalf of a user flow'. This will give you a delegated access token and the context of a user to return their presence information. See https://learn.microsoft.com/en-us/graph/auth-v2-user
admin consent for a POC app
Sounds like you're using the client credential flow. If that's the case then the presence-get doc you linked shows that this call is not supported for admin consent.
That doesn't necessarily mean it won't work but...
...if you want to keep trying add the Presence.Read and Presence.Read.All permission to your app and see if that helps.
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,