I'm trying to get the signature for a delegated account using the new User.settings capabilities in the Gmail API.
https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/get
I have two accounts in the same Apps org but with different domain names. In the Gmail UI, I log in via my "primary" account and in the accounts list I see the "secondary" account with "(delegated)" appearing after the email address.
However, if I try and do this:
GET https://www.googleapis.com/gmail/v1/users/secondary%40domainB.com/settings/sendAs/secondary%40domainB.com?key={MY_API_KEY}
I get this 403 error:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for primary#domainA.com"
}
],
"code": 403,
"message": "Delegation denied for primary#domainA.com"
}
}
Is this not supported or am I taking the wrong approach?
did you gave the domain wide delegation to your service account?
The Gmail API does not currently support access by delegates (see this answer). You need to either use 3LO credentials or service account credentials with domain-wide delegation.
Related
I am following the microsoft docs on https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0. My goal is to use the graph api to add a user to a specific group. When I make the request
POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
With a body of
{"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"}
I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-09-08T00:14:25",
"request-id": "bcc05c0f-8195-4744-8736-bd30586a7663"
}
}
}
What needs to be added to get this to work?
According to the document of Add member, we need one of the following permission in scope:
Please navigate to your application -> API permission in the portal. Add one of the permissions of Microsoft Graph, and grant admin consent for your tenant.
If you use the client credentials flow, you need to add application permission. Delegated permission is suitable for other flows.
I went through the process to get admin consent for a POC app (delegated) I am building that leverages the new Presence API via MS Graph
https://learn.microsoft.com/en-us/graph/api/presence-get?view=graph-rest-beta&tabs=http
However, when I try to make a Graph API Call, I am able to get a token, but get this error when I try to hit the /me endpoint (gets my AD Info)
Failed to call the Web Api: Forbidden
Content: {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "0c293c6f-f8d2-4a12-8879-c52b16e4c51f",
"date": "2020-01-07T18:09:14"
}
}
}
I am not sure what this error is from, anyone here that can help me? My app has permissions for
User.Read
User.Read.All
The fix for this issue is to update the authentication flow to use the 'On behalf of a user flow'. This will give you a delegated access token and the context of a user to return their presence information. See https://learn.microsoft.com/en-us/graph/auth-v2-user
admin consent for a POC app
Sounds like you're using the client credential flow. If that's the case then the presence-get doc you linked shows that this call is not supported for admin consent.
That doesn't necessarily mean it won't work but...
...if you want to keep trying add the Presence.Read and Presence.Read.All permission to your app and see if that helps.
I am writing an automation CLI script code that is reading G Suite user aliases and their Gmail send-as settings. This script cannot have user interaction.
I setup everything with super-admin user account. Setup a service account with the super-admin user and set domain-wide delegation on. And I can list users in domain using Admin SDK API, and I can get Gmail settings of the super-admin user. But if I try to read Gmail settings of other plain user in my domain, it fails with this error.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Delegation denied for user#email.com"
}
],
"code": 403,
"message": "Delegation denied for user#email.com"
}
}
It it allowed to read other users in same G Suite domain email settings using Gmail API? Or is it just always prohibited? What should I do to read their email settings?
You're trying to access the settings from other users with your super-admin delegated credentials which doesn't have that kind of access. You can't retrieve other users settings with your super-admin credentials.
You need to generate delegated credentials for each user and use those credentials to retrieve the settings information of each one.
I am working on POC where I want to access Microsoft Teams API.i.e.
https://graph.microsoft.com/beta/me/joinedTeams
But getting below error details. Error details are as follows.
{
"error": {
"code": "",
"message": "Authorization has been denied for this request.",
"innerError": {
"request-id": "ac2efa19-dc29-4573-9ece-ba98b564818e",
"date": "2018-02-16T12:55:15"
}
}
}
I have given below permissions from microsoft azure for my registered application.
Bookings.Manage.All Bookings.Read.All Bookings.ReadWrite.All
BookingsAppointment.ReadWrite.All Calendars.Read Calendars.Read.Shared
Calendars.ReadWrite Calendars.ReadWrite.Shared Contacts.Read
Contacts.Read.Shared Contacts.ReadWrite Contacts.ReadWrite.Shared
Device.Command Device.Read EAS.AccessAsUser.All email Files.Read
Files.Read.All Files.Read.Selected Files.ReadWrite Files.ReadWrite.All
Files.ReadWrite.AppFolder Files.ReadWrite.Selected
Financials.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadWrite
Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared MailboxSettings.Read
MailboxSettings.ReadWrite Notes.Create Notes.Read Notes.Read.All
Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp
offline_access openid People.Read profile Sites.Manage.All
Sites.Read.All Sites.ReadWrite.All Tasks.Read Tasks.Read.Shared
Tasks.ReadWrite Tasks.ReadWrite.Shared User.Read User.ReadBasic.All
User.ReadWrite UserTimelineActivity.Write.CreatedByApp
Above permissions I can see when I decrypt access token.
I have gone through that Microsoft Teams (beta) API: Looks like you may not have the permissions for this call. Please modify your permissions post and already have given permission as per above post but still getiing same error.
Here is screen shot
enter image description here
Thanks
The permissions required for getting the joined teams is User.Read.All, User.ReadWrite.All. Please go through the link for more information about the joined teams graph api call.
I'm trying to develop an app in my enterprise and I've followed this tutorial to get access to the AD users information. Meaning:
I created an app in https://apps.dev.microsoft.com/
I set User.Read.All in Application Permissions and User.Read in Delegated Permissions
With this done I'm able to successfully login (Azure AD OAuth2 with https://graph.microsoft.com/ as resource and User.Read as scope) and get a correct response from https://graph.microsoft.com/v1.0/me.
Ask the Admin for the Delegated Permissions
With this, my admin can see in the azure portal that my App has both permissions consented by himself.
This is working because I asked a coworker to log in and I could get a correct response from https://graph.microsoft.com/v1.0/me even though he wasn't even prompted to consent this (Before the admin consenting the permissions the user was prompted)
Request a token from https://login.microsoftonline.com/common/oauth2/token with client_credentials as a response_type
Receive the token!
Do a GET request to https://graph.microsoft.com/v1.0/users and receive:
{
"error": {
"code": "Authorization_IdentityNotFound",
"message": "The identity of the calling application could not be established.",
"innerError": {
"request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
"date": "2017-03-22T19:19:48"
}
}
}
Furthermore, doing a request to https://graph.microsoft.com/v1.0/me returns:
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "047e2ba9-a858-45fc-a0dd-124e1db503f3",
"date": "2017-03-22T19:39:25"
}
}
}
Which leads me to believe that Microsoft knows this token and knows it is not impersonating any user.
I've been looking for documentation on Azure AD and Microsoft Graph authentication but I only find blog posts and all seem outdated (although most features are in preview).
If you could point me in the right direction I would thank you.
I've also found this and this similar questions on SO but they all remain unanswered.
Update, after this answer
Thank you, Dan,
I've used my organization domain name and I'm also able to get a token.
Now the response from https://graph.microsoft.com/v1.0/users/ is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3f190b47-73f5-4b29-96f9-54ed3dbc3137",
"date": "2017-03-23T11:07:15"
}
}
}
Which makes no sense because in the azure portal I have User.Read.All as Application Permission (already consented by the admin).
I think the problem is with the request for the token, that returns successfully no matter the scope I send, even if I made one up.
For Example:
POST https://login.microsoftonline.com/<domain>/oauth2/token
client_id:*******
client_secret:*******
resource:https://graph.microsoft.com/
grant_type:client_credentials
scope:Foo.Bar
Returns:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1490271617",
"not_before": "1490267717",
"resource": "https://graph.microsoft.com/",
"access_token": *****
}
I had two problems, both not covered documentation:
For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name (thanks to Dan Kershaw)
For https://graph.microsoft.com/v1.0/users or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName} you need Directory.Read.All permission.
Note:
User.Read.All is relevant for Microsoft to stop requesting permissions (delegation) to the user when you ask for User.Read in the OAuth workflow. Check this and other Permission related issues in the Release Notes.
I've added this issue to the Microsoft Graph Docs!
The /me segment is a shortcut or alias for the currently signed-in user. The request to /me will never work with an application token, because it doesn't contain any user context (or signed in user) - and hence the error. We might be able to improve this error though ;)
I believe when using the client credentials flow, you need to specify the actual tenant that you want a token for.
If you're app is performing this operation in a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name, and see if that works.
If you are following https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds it looks like we might have a couple of doc bugs in there that we need to fix...
Hope this helps,