Insufficient privileges to write to schema extensions - azure-active-directory

I've registered a schema extension for users.
I'd like to use it to store data about users after they login to an app, however I cant figure out the permissions. On my (admin) account I'm able to, no problem but on normal user accounts I receive:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2ee94ed5-f351-4992-8db0-2e3b420aa581",
"date": "2017-10-04T09:37:49"
}
}
The reason I'm using a schema extension instead of an open extensions (which does work), is that I need to be able to filter users by their extension. I cant seem to do this with an open extension.
The PATCH request is as follows:
https://graph.microsoft.com/v1.0/me
{
"extkh2zr49b_notifications":{
"badgeCount":"0",
"pushToken":"test",
}
}
And my delegated permissions for the app are:
profile, openid, Directory.AccessAsUser.All, Directory.ReadWrite.All, User.ReadWrite.All

I've concluded its impossible for normal users to edit their schema extensions. I tried granting every available permission.
I ended up using an open extension instead. I was able to return all of members of a group as well as their extensions. This was enough for me (far better than checking every user in the organisation for an extension...)
The query is below:
https://graph.microsoft.com/v1.0/groups/[id]/members/$/microsoft.graph.user?$expand=extensions&$select=id
I couldn't find this in any of Microsoft's official documentation so hopefully it continues to work!

Before a normal user can leverage certain scopes, you first need to provide Admin Consent for those scopes. In your case the scopes Directory.AccessAsUser.All, Directory.ReadWrite.All and User.ReadWrite.All require consent.
You might find this article helpful: v2 Endpoint and Admin Consent.

Related

Unable to get other users calendar event by using graph API using custom connector in Power Apps

My requirement to show all the calendar events of my wishlisted user in my Canvas App. To access the graph API, I have done App registration in AAD with Calendar.Read and User.Read permission.
Using the Client and Secret received from the registered app, Power Apps Custom Connector is created. While Testing the Custom Connector, I am getting the below error.
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
On Analysis:
Scenario 1 : Calendar.Read - Delegated Permission Type
Api - https://graph.microsoft.com/v1.0/users/{UserID}/events
When Delegated permission is given , I am able to access and response from the calendar event API only when the UserID is mine.
But it is throwing the above mentioned error for other users (This is the actual requirement)
Scenario 2 : Calendar.Read - Application Permission Type
Api - https://graph.microsoft.com/v1.0/users/{UserID}/events
When Application permission is given , it is failing and throwing the same error.
First, Will I be able to get other user's calendar event?
What are the steps to be taken to access?
What permission type should be considered for my scenario?
Am I missing any basic settings?
Please advice. I have lost my time for this requirement.
Thanks in advance
If you where to use Delegates permission (which sounds wrong for the authentication flow you want to use) then to access another users calendar (that you have been delegated rights to either via Outlook or the Mailbox Permissions) you will need (Calendars.Read.Shared or Calendars.ReadWrite.Shared) see https://learn.microsoft.com/en-us/graph/outlook-get-shared-events-calendars
For the client credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow which it sounds like what you want to use ? then the Calendar.Read should be enough to access the calendar if your doing anything else in the Directory then User.Read will also need to be an application permission. You probably need to look at https://support.microsoft.com/en-us/topic/verifying-oauth-configuration-for-custom-connectors-d733fdb9-6108-4199-b4f5-06e99b02d10f to do some debugging to see what actually happening with your token generation process, you can the use something like jwt.io to check the correct scopes etc.

How to request access for Microsoft Graph Explorer?

I want to add Group.ReadAll and Group.ReadWrite.All permissions to Graph Explorer. When I open the permissions and add them I'm told I need admin approval, although these specific permissions do not require approval. I want to add these permissions without taking away existing admin approvals. How do I do this? The pop up does not have an option to ask that and 2018's solution is not working for me! I just cannot move on to permissions request page or anything similar. I do not find Graph Explorer in AAD apps or anywhere. How can I request admin to provide these permissions to Graph Explorer to my account?
In the Microsoft Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
when you query related to Groups(https://graph.microsoft.com/v1.0/groups), you will get below error which says you don't have access to
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-08-08T11:36:28",
"request-id": "b3bd3b88-a1b2-4a57-9e60-c495daf7f528"
}
In order to have the access, org admin can provide the access by following the below steps:
Login to Graph Explorer.
Select Permission.
Group.Read.All and Group.ReadWrite.All (Below is the screenshot)
Admin will get below screen
Now any users from the org can do group related operations.

ErrorGroupsAccessDenied when setting hideFromAddressLists or hideFromOutlookClients

I have been trying to set the following values on a group using graph using the beta API:
{
"hideFromOutlookClients": true,
"hideFromAddressLists": true
}
However, I get the following error:
{
"code": "ErrorGroupsAccessDenied",
"message": "User does not have permissions to execute this action."
}
The application does have the required permissions for updating a Group, in fact, updating a group's description works just fine. These two properties were added a few months back but they seem to require different permission. I cannot find any other "group" related permission to assign.
Has anyone used these properties before that could shed some light on the subject?
I have tested your scene.
To update "hideFromOutlookClients" and "hideFromAddressLists", we have to assign Group.ReadWrite.All Delegated Permission.
The other two Delegated Permissions Directory.ReadWrite.All and Directory.AccessAsUser.All don't work. (But these two permissions work for updating "description")
The beta version of Microsoft Graph API is continuously improving, so there may be some unexpected issues.
UPDATE:
You are using Application permissions rather than Delegated permissions. Unfortunately, Application permissions are not supported currently based on my test. You need to assign Group.ReadWrite.All Delegated Permission and call this API on behalf of a user.

How to get all users - I only get admins?

I'm trying to get a list of all users in my organization (~300), but the /users endpoint only returns two admin accounts.
Our administrator has given the application consent.
Scope: https://graph.microsoft.com/.default
Does it have something to do with the "(Admin only)" marking on the screenshot below?
/v1.0/users returns:
Some permissions do require an Admin Consent and thus have the marking "(Admin only)".
"Admin only" means that only an administrator can consent this permission.
Most delegated permissions (access on behalf a user) do not need an Admin consent, but some like e.g. Agreement.Read.All are only available for administrators.
Since you are using Application Permissions (and getting access without a user) all permissions will have the "(Admin only)" mark. But this does not mean that the returned results are limted to admins.
Seeing you have given the app the permission User.Read.All your app should be able to request a list of all Users with /v1.0/users/ (it will definitely return all users).
The most likely explanation for your results is that you only have two users in your Office365 AD.
Maybe there was an error setting up the users?
I would suggest to login into the Graph-Explorer and check if you get the same results.
And to check in your Azure Admin Portal if all users registered in your AD.

google app engine cloud resource new project permissions error

I'm currently trying to create a new App Engine project using the endpoint outlined here:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/create
The actual endpoint is https://cloudresourcemanager.googleapis.com/v1beta1/projects
However, when I authenticate via oauth and submit a POST request, I get the following payload:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I have full access to the engine via my Owner role, so I'm not sure what the issue here is?
Does anyone have any ideas?
Many Thanks
you need to make sure you have service account for your application , and you need to make sure that the API is enabled .
On the Cloud Resource Manager page there is a note stating (emphasis mine):
Programmatically create, manage, and delete projects that belong to
your organization. You can also undelete or recover projects that you
didn’t mean to delete. Access to Cloud Resource Manager project
creation is currently invite-only. For an invitation, contact our
sales team.
Did you obtain such invitation? If not then the Owner role you're mentioning is likely not the right one needed for the Cloud Resource Manager operation.

Resources