I'm trying to access some room calendars to create a booking monitoring app and are hitting some weird issues.
When checking some rules with the following query:
https://graph.microsoft.com/v1.0/users/RoomEmail#domain.com/events?$select=subject,body,bodyPreview,organizer,attendees,start,end,location
For some rooms this returns the data you would expect (booking information etc)
On other rooms (majority of them) it just returns a Failure status code of 503
{
"error": {
"code": "ErrorInternalServerTransientError",
"message": "An internal server error occurred. Try again later.",
"innerError": {
"request-id": "31c78608-9a54-4927-9ad5-0ec3d36aedcf",
"date": "2017-11-27T16:22:17"
}
}
I've check the permissions and license on all the room mailboxes and they have the same. They are also all classed as RoomMailboxes in office365
I have also applied the following permissions on the user that is running the query. As per documentation: Permission Doc
Calendars.Read
Calendars.ReadWrite
Calendars.ReadWrite.Shared
Any ideas?
Thanks in advance
Related
I am following the microsoft docs on https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0. My goal is to use the graph api to add a user to a specific group. When I make the request
POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
With a body of
{"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"}
I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-09-08T00:14:25",
"request-id": "bcc05c0f-8195-4744-8736-bd30586a7663"
}
}
}
What needs to be added to get this to work?
According to the document of Add member, we need one of the following permission in scope:
Please navigate to your application -> API permission in the portal. Add one of the permissions of Microsoft Graph, and grant admin consent for your tenant.
If you use the client credentials flow, you need to add application permission. Delegated permission is suitable for other flows.
I am working on POC where I want to access Microsoft Teams API.i.e.
https://graph.microsoft.com/beta/me/joinedTeams
But getting below error details. Error details are as follows.
{
"error": {
"code": "",
"message": "Authorization has been denied for this request.",
"innerError": {
"request-id": "ac2efa19-dc29-4573-9ece-ba98b564818e",
"date": "2018-02-16T12:55:15"
}
}
}
I have given below permissions from microsoft azure for my registered application.
Bookings.Manage.All Bookings.Read.All Bookings.ReadWrite.All
BookingsAppointment.ReadWrite.All Calendars.Read Calendars.Read.Shared
Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read
Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared
Device.Command Device.Read EAS.AccessAsUser.All email Files.Read
Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All
Files.ReadWrite.AppFolder Files.ReadWrite.Selected
Financials.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadWrite
Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.Read
MailboxSettings.ReadWrite Notes.Create Notes.Read Notes.Read.All
Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp
offline_access openid People.Read profile Sites.Manage.All
Sites.Read.All Sites.ReadWrite.All Tasks.Read Tasks.Read.Shared
Tasks.ReadWrite Tasks.ReadWrite.Shared User.Read User.ReadBasic.All
User.ReadWrite UserTimelineActivity.Write.CreatedByApp
Above permissions I can see when I decrypt access token.
I have gone through that Microsoft Teams (beta) API: Looks like you may not have the permissions for this call. Please modify your permissions post and already have given permission as per above post but still getiing same error.
Here is screen shot
enter image description here
Thanks
The permissions required for getting the joined teams is User.Read.All, User.ReadWrite.All. Please go through the link for more information about the joined teams graph api call.
In graph explorer the https://graph.microsoft.com/v1.0/me?$select=birthday endpoint gives me the example profile birthday
but when I try it with my account I receive this error
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "37e1643d-0bfd-46a4-8b48-70a4922f2952",
"date": "2017-12-29T21:33:16"
}
}
}
even though it returns my profile with the /me endpoint. I believe it has all the same scopes as the example and I checked all the .read scopes to make sure it had everything needed.
My birthday is in my profile and I am able to get my birthday from the deprecated live api with the wl.birthday scope but not the new graph api.
Thanks for pointing this out. Looks like we need to update our documentation. I filed this doc issue to track. Some user properties are only available for commercial (work or school) accounts (i.e. AAD based), through Microsoft Graph. Microsoft Graph, when signed in though a consumer account, has limited access to the same data that is exposed in the deprecated live API. I'll check if this particular item can be fixed.
Hope this helps,
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,
We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)