I'm currently trying to create a new App Engine project using the endpoint outlined here:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/create
The actual endpoint is https://cloudresourcemanager.googleapis.com/v1beta1/projects
However, when I authenticate via oauth and submit a POST request, I get the following payload:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I have full access to the engine via my Owner role, so I'm not sure what the issue here is?
Does anyone have any ideas?
Many Thanks
you need to make sure you have service account for your application , and you need to make sure that the API is enabled .
On the Cloud Resource Manager page there is a note stating (emphasis mine):
Programmatically create, manage, and delete projects that belong to
your organization. You can also undelete or recover projects that you
didn’t mean to delete. Access to Cloud Resource Manager project
creation is currently invite-only. For an invitation, contact our
sales team.
Did you obtain such invitation? If not then the Owner role you're mentioning is likely not the right one needed for the Cloud Resource Manager operation.
Related
When interacting with the Google Vault API and specifically updating or creating Holds with accounts, I started getting a 400 Error with the message: "Users are not licensed". I have seen a similar error, specifically around Google Voice ("Users are not licensed for Voice"), but never for all services (Mail, Drive, Groups). I can add a specific use case to handle this error, but I have been unable to reproduce with an Google account that I control. How does a account get into a state where they are unable to be added to any holds like this?
My requirement to show all the calendar events of my wishlisted user in my Canvas App. To access the graph API, I have done App registration in AAD with Calendar.Read and User.Read permission.
Using the Client and Secret received from the registered app, Power Apps Custom Connector is created. While Testing the Custom Connector, I am getting the below error.
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
On Analysis:
Scenario 1 : Calendar.Read - Delegated Permission Type
Api - https://graph.microsoft.com/v1.0/users/{UserID}/events
When Delegated permission is given , I am able to access and response from the calendar event API only when the UserID is mine.
But it is throwing the above mentioned error for other users (This is the actual requirement)
Scenario 2 : Calendar.Read - Application Permission Type
Api - https://graph.microsoft.com/v1.0/users/{UserID}/events
When Application permission is given , it is failing and throwing the same error.
First, Will I be able to get other user's calendar event?
What are the steps to be taken to access?
What permission type should be considered for my scenario?
Am I missing any basic settings?
Please advice. I have lost my time for this requirement.
Thanks in advance
If you where to use Delegates permission (which sounds wrong for the authentication flow you want to use) then to access another users calendar (that you have been delegated rights to either via Outlook or the Mailbox Permissions) you will need (Calendars.Read.Shared or Calendars.ReadWrite.Shared) see https://learn.microsoft.com/en-us/graph/outlook-get-shared-events-calendars
For the client credentials flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow which it sounds like what you want to use ? then the Calendar.Read should be enough to access the calendar if your doing anything else in the Directory then User.Read will also need to be an application permission. You probably need to look at https://support.microsoft.com/en-us/topic/verifying-oauth-configuration-for-custom-connectors-d733fdb9-6108-4199-b4f5-06e99b02d10f to do some debugging to see what actually happening with your token generation process, you can the use something like jwt.io to check the correct scopes etc.
I am trying to find a way how to programmatically change properties of Enterprise Application (non-catalogue app), specifically Secret Token and Tenant ULR in 'Provisioning' blade, allowing to synchronize user/group objects between AAD and an external app (e.g. SaaS app) that supports it.
My customer has a strict policy to rotate all secrets and keys in Azure in regular intervals, so they want to be able to have an automation runbook that would change that token in the app (it is actually an Azure Databricks instance that supports this sync) as well as in AAD.
I checked whether there was a direct PowerShell support but I couldn’t find a specific cmdlet for this scenario (tried both GA and preview versions of AAD PowerShell 2.0).
I found a good documentation page describing AAD Synchronization API - https://learn.microsoft.com/en-us/graph/api/resources/synchronization-overview?view=graph-rest-beta – however, I am unable to find, how to update the Secret Token property.
Ideally, I would like to see a code sample of a REST call on how change that specific property using Synchronization API. A PowerShell example would be even better. Any help is much appreciated. Thanks.
Here's how to do it for non-gallery SCIM apps:
PUT https://graph.microsoft.com/beta/servicePrincipals/99abefe8-3ad8-488f-b14f-df209cbc1ab3/synchronization/secrets
{
value: [
{ key: "BaseAddress", value: "xxxxxxxxxxxxxxxxxxxxx" },
{ key: "SecretToken", value: "xxxxxxxxxxxxxxxxxxxxx" }
]
}
Replace the GUID after servicePrincipals with your real servicePrincipal object ID.
For apps that aren't non-gallery SCIM apps, the credential names required can be discovered in the metadata -> configurationFields part of the synchronizationTemplate object:
https://learn.microsoft.com/en-us/graph/api/resources/synchronization-synchronizationtemplate?view=graph-rest-beta
I am experiencing an issue where a set of custom policies that upload without issue to one tenant (development tenant), fail to upload to another (production tenant). The policies function correctly on the (working) development tenant.
I upload the files in the following order:
TrustFrameworkBase.xml uploads OK
TrustFrameworkExtensions.xml uploads OK
SignUpOrSignin.xml fails with above error
ProfileEdit.xml fails with above error
PasswordReset.xml uploads OK
The only clue I have is that if I query the extension claims in the B2C app for the failing tenant, it only shows 2 out of 8. If I run the same query against the working tenant, it shows all 8. I am doing this querying using this example app: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.
As far as I can tell, the two tenants are configured the same, and I have checked the various IDs etc are configured correctly. But it is always possible I have missed something!
Can anyone help?
The xml files: https://1drv.ms/f/s!ApxUZQaL9hp0h1ACYgWzgzsGwCOc
More info
I can actually run the policies that upload with an error. But when I try to create an user account via running the policy I get a message saying "Unable to validate the information provided." at the top of the page, inside the <div> with the id claimVerificationServerError. This may tie-up with the missing extension claims in the B2C app. So it looks like the problem is with creating the extension claims. But the same policy uploads and works on another tenant. How could the extension claims be valid on one tenant, but not on another?
In your base policy, there is the following claim of dateOfBirth:
<ClaimType Id="extension_DateOfBirth">
<DisplayName>Date of Birth</DisplayName>
<DataType>date</DataType>
<UserHelpText>Date of birth</UserHelpText>
<UserInputType>DateTimeDropdown</UserInputType>
<PredicateValidationReference Id="DateOfBirthDateRange" />
</ClaimType>
Since this claim starts with "extension_" and it is used in a technical profile with "AAD-" as prefix, it will be automatically created as an extension attribute in AAD during the policy uploading. However, the DataType "date" is not supported (only DateTime is supported) in AAD. This is causing policy uploading failure.
Regarding how to map "date" claim in B2C policy to AAD "DateTime" attribute, I will reply back to this thread after more investigation on these policies is done.
Edit: I was trying to find this doc: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#extensionproperty-entity when I first replied but could not find it. Thanks Mat for sharing. Hope this link is helpful for solving issues related to datatype of extension attributes in AAD.
Extension attributes need to be created at a per tenant basis. So if your policy requires extension attributes, you need to create them explicitly.
I've registered a schema extension for users.
I'd like to use it to store data about users after they login to an app, however I cant figure out the permissions. On my (admin) account I'm able to, no problem but on normal user accounts I receive:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "2ee94ed5-f351-4992-8db0-2e3b420aa581",
"date": "2017-10-04T09:37:49"
}
}
The reason I'm using a schema extension instead of an open extensions (which does work), is that I need to be able to filter users by their extension. I cant seem to do this with an open extension.
The PATCH request is as follows:
https://graph.microsoft.com/v1.0/me
{
"extkh2zr49b_notifications":{
"badgeCount":"0",
"pushToken":"test",
}
}
And my delegated permissions for the app are:
profile, openid, Directory.AccessAsUser.All, Directory.ReadWrite.All, User.ReadWrite.All
I've concluded its impossible for normal users to edit their schema extensions. I tried granting every available permission.
I ended up using an open extension instead. I was able to return all of members of a group as well as their extensions. This was enough for me (far better than checking every user in the organisation for an extension...)
The query is below:
https://graph.microsoft.com/v1.0/groups/[id]/members/$/microsoft.graph.user?$expand=extensions&$select=id
I couldn't find this in any of Microsoft's official documentation so hopefully it continues to work!
Before a normal user can leverage certain scopes, you first need to provide Admin Consent for those scopes. In your case the scopes Directory.AccessAsUser.All, Directory.ReadWrite.All and User.ReadWrite.All require consent.
You might find this article helpful: v2 Endpoint and Admin Consent.