I am trying to create meeting on behalf of a user for that I am trying to get the code. I have registered the app on Azure. Also generated Application(Client) ID I have also added the required permission in the API. But when I am visiting this page the page asks for the email id but once the users fill the email id it says The provided value for the input value scope is not valid for OnlineMeeting.ReadWrite in the redirect URL.
Please guide me to know what I am missing here.
Edit 1: As suggested by #Rukmini I tried this and here is the relevant details.
To obtain the the code I am building url like this image
This does not work when I pass the OnlineMeetings.ReadWrite scope. But when I pass https://graph.microsoft.com/.default as scope it works and I am able to authenticate and generate a code. Then I can use that code to get the access token like following image. But using this access token I can not create the meeting as it does not have the OnlineMeetings.ReadWrite scope as stated in this doc **https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http**[![enter image description here]3]3
Let me know what I can do to generate code and access token for the OnlineMeetings.ReadWrite scope so that I can create the meeting on users behalf. Thanks
EDIT 2: I generated the authorization URL as suggested by #Rukmini using the following query parameters.
When I visited the link, I was presented with a login screen but as my previous error I see the same screen. Am I missing something here? Do I need to verify my app? Or Do I have to only use some specific IDs like we do in GCP and AWS?
Please let me know what I am missing here.
Thanks
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD Multi-Tenant Application:
I granted Admin Consent to the API permissions like below:
I generated the code by using below endpoint and authorizing it via browser:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=OnlineMeetings.ReadWrite
&state=12345
Now, I generated access token by using the below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:OnlineMeetings.ReadWrite
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
Decode the access token using jwt.ms and check whether the scope is OnlineMeetings.ReadWrite:
I am able to create the Online meetings successfully by using the below query:
https://graph.microsoft.com/v1.0/me/onlineMeetings
Content-Type: application/json
{
"startDateTime":"2023-01-12T14:30:34.2444915-07:00",
"endDateTime":"2023-02-12T15:00:34.2464912-07:00",
"subject":"User Token Meeting"
}
Related
Today, I have an issue getting an Azure AD access token from Postman. This is while it was working before for the same app and other apps I am working on. But none of them are working today.
I was working correctly, but now it shows me this error:
Error: AADSTS900144: The request body must contain the following parameter: 'client_id'
I use https://login.microsoftonline.com/common/oauth2/v2.0/authorize as auth URL, and https://login.microsoftonline.com/common/v2.0/token for Access token URL.
I have tried these for access token URL but none of them worked. https://login.microsoftonline.com/{{tenant_id}}/v2.0/token
https://login.microsoftonline.com/common/token
https://login.microsoftonline.com/{tenant_id}/token
here is my Azure AD oauth 2.0 configuration. Also, as you see, there is no client_id in the request body.
I tried to reproduce the same in my environment and got below results
You can get values of auth URL and access token URL from your Azure AD application that varies based on supported account type like below:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Your App -> Overview -> Endpoints
Now I added environment variables in Postman by defining them like below:
Make sure to select the correct Environment while requesting for token with variables.
I filled the required details same as you to get the access token like below:
When I selected Get New Access Token, I got the token successfully as below:
The error usually occurs if you missed including client_id while
acquiring access token.
I changed client_id parameter to blank in variables like below:
When I tried to get access token again, I got same error as you like below:
To resolve the error, make sure to pass client_id value in right environment and save it.
I found out why it's acting like this:
I checked my friend's PC, and it was working there!
The issue was the last update of Postman. They have changed something in authorization.
just change the Client Authentication to Send client credentials in body and it will work.
I have an API that uses Azure AD to provide access to resources. It has one scope api://{client_id}/Api.Read and following API permissions:
User.Read.All,
User.Read.
When I receive an access token from the AD it has only one aud - {client_id} and when I try to access Microsoft graph (e.g. https://graph.microsoft.com/v1.0/me) I get "Access token validation failure. Invalid audience." response as expected.
My question is - Is it possible to access both graph API and my API using one token and how do it?
I am exchanging current token to a "proper" token using on-behalf-of call: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Basically, you just make the following call (copied from the link above):
POST /oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com/<YOUR_TENANT>
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&requested_token_use=on_behalf_of
&client_id=<YOUR_CLIENT_ID>
&client_secret=<YOUR_CLIENT_SECRET>
&assertion=<YOUR_CURRENT_TOKEN>
&scope=<YOUR_NEW_SCOPES>
The response contains the new token to access the resources that are requested in the scopes. My scenario is not exactly yours, but I think this should work for your case as well. You need to make this call server-side.
This assumes that the user has already consented that your app is okay to use <YOUR_NEW_SCOPES>, or otherwise this call will result in "interaction_required" or "invalid_grant" error (something like this, don't remember the exact error name) that basically means you need to raise UI prompt for the user to agree to the new scopes (how to do that is another question)
I am attempting to access the SharePoint Online REST API (this is hand coded REST calls, no library being used).
Access tokens are acquired using authorization grant flow as follows:
I send the browser https://login.microsoftonline.com/common/oauth2/authorize?...
This redirects to a handler endpoint that we extract the access code from
I obtain the tenant ID by:
GET https://{tenantname}.sharepoint.com/_vti_bin/client.svc
Then extracting the tenant ID from the WWW-Authenticate header
I then POST https://login.microsoftonline.com/{tenantid}/oauth2/authorize to obtain the access token
When I use that access token, I am able to do queries using:
GET https://{tenantname}.sharepoint.com/_api/search/query?querytext=....
This works and returns documents.
But when I attempt to retrieve information about one of those documents:
GET https://{tenantname}.sharepoint.com/_api/web/getfilebyserverrelativeurl('/TestFiles/test.pdf')
I get a 404 response with the following body:
{"odata.error":{"code":"-2130575338, Microsoft.SharePoint.SPException","message":{"lang":"en-US","value":"The file /TestFiles/test.pdf does not exist."}}}
If I navigate to the URL in a browser (https://{tenantname}.sharepoint.com/TestFiles/test.pdf), it accesses the file without issue.
This makes me think that I'm running into some sort of permission issue.
I have tried setting the following scopes in the authorize redirect:
Attempt 1: scope = Web.Write AllSites.Write Site.Write
Attempt 2: scope = https://{tenantname}.sharepoint.com/.default
Attempt 3: scope = https://{tenantname}.sharepoint.com/Web.Write https://{tenantname}.sharepoint.com/AllSites.Write https://{tenantname}.sharepoint.com/Site.Write
No matter what I set as the scope parameter of the authorize URL, the JWT details of the access token show (I can post the entire decoded JWT if anyone needs it):
"scp": "User.Read"
Nothing I do has any impact on the scp in the token - I have no idea if that's the issue or not. If it is, I would appreciate hearing how to properly request scope.
The application registration in Azure Active Directory has desired permissions (plus more):
What am I doing wrong?
UPDATE: Switching to OAuth endpoint v2.0:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
With query parameters:
response_type = code
client_id = my app id
redirect_uri = my redirect uri
scope = <varying - I'll explain what happens under different scenarios below>
Here's what I've tried for scopes:
AllSites.Write Site.Write - the redirect has invalid_client with error_description = AADSTS650053: The application '' asked for scope 'AllSites.Write' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
https://{tenantname}.sharepoint.com/AllSites.Write https://.sharepoint.com/Site.Write - the redirect has invalid_client with error description = AADSTS650053: The application '' asked for scope 'Site.Write' that doesn't exist on the resource '00000003-0000-0ff1-ce00-000000000000'. Contact the app vendor.
https://{tenantname}.sharepoint.com/.default - this goes through
But the resulting JWT has only scp=User.Read
The following works: GET https://{tenantname}.sharepoint.com/_api/search/query?querytext=
But the following returns a 404: GET https://{tenantname}.sharepoint.com/_api/web/getfilebyserverrelativeurl('/TestFiles/test.pdf')
I don't understand how Scope=.Default isn't including the allowed permissions from the application registration. And I definitely don't understand why the AllSites.Write scope is failing when it's explicitly specified.
If it helps, I have also tried all of the above using a tenant specific authorize endpoint instead of 'common':
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize
UPDATE2: More scope changes:
I finally found a magical combination that works:
Use a tenant based URI for the /authorize and /token endpoint and use {tenanturl}\AllSites.Write for the scope (do NOT specify the Site.Write scope):
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?response_type=code&client_id={clientid}&redirect_uri={redirecturi}&scope=https%3A%2F%2F{tenantname}.sharepoint.com%2FAllSites.Write
The resulting JWT has the following:
"scp": "AllSites.Write User.Read"
I am completely perplexed about why Site.Write wasn't allowed. I suppose that AllSites.Write is a superset of Site.Write, so maybe not needed?
All of my testing so far has been on my own tenant, next step is to test on a different tenant and make sure it actually works there as well.
It seems you use v1.0 endpoint https://login.microsoftonline.com/common/oauth2/authorize but not v2.0 endpoint https://login.microsoftonline.com/common/oauth2/v2.0/authorize. If we use v1.0 endpoint, we should use resource instead of scope. So that is why the scp claim in your access token always the same no matter you modify the scope.
You should use resource with https://{tenant-name}.sharepoint.com and the parameter scope is useless when you use v1.0 endpoint.
If you still want to use scope parameter, you can also change the endpoint to v2.0. Just add v2.0 into your endpoint, like: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
I finally found a magical combination that works:
use the https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize and https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token endpoints
specify {tenanturl}\AllSites.Write for the scope (do NOT specify the Site.Write scope - that was the primary problem):
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?response_type=code&client_id={clientid}&redirect_uri={redirecturi}&scope=https%3A%2F%2F{tenantname}.sharepoint.com%2FAllSites.Write
The resulting JWT has the following: "scp": "AllSites.Write User.Read"
This works across tenants and gets us the access we need.
For thoroughness, we also specify offline_access scope so we get a refresh_token in addition to the access_token.
I am trying to follow the tutorial for Microsoft active-directory
After inputting the client ID and secret into the code and running the code, it takes me to the login page where I login with the credentials but I get the following error:
"errorCode": "request_cannot_be_made",
"errorMessage": "Token request cannot be made without authorization code or refresh token.",
"subError": "",
"name": "ClientAuthError"
Does anybody know what is going on here?
The sample code works well: https://github.com/Azure-Samples/ms-identity-node/
When using auth code flow, we need to get authorization code with getAuthCodeUrl() first, then obtain the access token with the authorization code by acquireTokenByCode(). You may miss getting authorization code, please check yours.
Notes:
Set Supported account types as "Accounts in any organizational directory and personal Microsoft accounts". If not, change 'common' in authority with your tenant-id.
redirectUri in the sample code needs to be the same as Redirect URI in the portal.
I am following this example to embed report in Angular 6 app. I need to make some tweeks to make it work on Angular 8.
https://www.c-sharpcorner.com/article/how-to-embed-powerbi-report-in-angular-6/
The last thing was the access token.
To get the short term token I used Postman with the following endpoint:
https://login.microsoftonline.com/38efd35e-da65-4e47-8656-876039ad15b1/oauth2/token
Where 38efd35e-da65-4e47-8656-876039ad15b1 is my TenantId.
I provided App ID and client_secret. The resource is https://analysis.windows.net/powerbi/api
I am able to generate token with the call.
The Report ID is in new Workspace. In the access control, app ID is added as administrator (Service Principal). In the code I am providing Report Id and Group ID.
The App has permission for Power Bi service.
When I use the token generated in Postman as access_token I get 403 error displayed in the Angular Console.
What I could be doing wrong? What is missing?
Is it a wrong Bearer Token? Should I use something else?
MS does not provide clear step by step guide for the process.
Preferably I would like to stick to Javascript/typescript stack and not involve .NET or C#.
The answer is yes, you are missing one step that is generating embed token using access token that you have generated on Postman. Instead of using access token directly to embed your report, you need to use embed token because you are using Service Principal as a method for embedding.
And you also need to provide the type of token to be used for embedding in embed config as following:
var models = window['powerbi-client'].models;
var config = {
type: 'report',
tokenType: models.TokenType.Embed,
accessToken: accessToken,
embedUrl: embedUrl,
id: embedReportId,
settings: {}
};
Since 'service principal' and 'master user' falls under 'Embed for your customers' where embed token must be generated. Whereas, if you want to use only access token, you can use 'Embed for your organization' where user (with pro account) needs to sign-in (if not already) for generating access token.
You can refer this link to understand embedding with Power BI.
There are two type of embedding, you can refer to these links:
Embedding for your organization
Embedding for your customers
You can also refer to this all new sample created on React technology for 'embed for your organization' embed type.