When I make requests to the Microsoft Graph API's invite endpoint to create secure (email-based) sharing links for a specific collection of emails that are external to our organization, the response does not contain the requested sharing link for certain email addresses. When I look at the SharePoint site UI to see how the permissions are listed for the item, the email address with issue (RealEmail) shows up differently from the one that does return a sharing link through the API (TestEmail). Both RealEmail and TestEmail are marked as external users, but it seems that the RealEmail external user is recognized as an actual external or guest user account, rather than just being an email unknown to SharePoint, like TestEmail.
Here's the request I made on Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/items/{item-id}/invite
{
"requireSignIn": true,
"sendInvitation": false,
"roles": [
"read"
],
"recipients": [
{
"email": "RealEmail#example.com"
},
{
"email": "TestEmail#example.com"
}
]
}
And this was the response (with real data removed):
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(permission)",
"value": [
{
"#odata.type": "#microsoft.graph.permission",
"id": "removed",
"roles": [
"read"
],
"grantedTo": {
"user": {
"email": "RealEmail#example.com",
"id": "removed",
"displayName": "RealFirstName RealLastName"
}
}
},
{
"#odata.type": "#microsoft.graph.permission",
"roles": [
"read"
],
"grantedToIdentities": [
{
"user": {
"email": "TestEmail#example.com"
}
}
],
"invitation": {
"signInRequired": true
},
"link": {
"type": "view",
"webUrl": "removed"
}
}
]
}
This is what the Manage Access UI looks like (with real data removed)
Related
I can't see any docs about this, only for User and Groups.
The target app has Users with PermissionSets which grants permissions (obviously), with an Schema like this:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "5ac6643a62513c08d6c21516",
"userName": "foo.bar#myapp.com",
"name": {
"givenName": "Foo",
"familyName": "Bar"
},
"emails": [
{
"primary": true,
"type": "work",
"value": "foo.bar#myapp.com"
}
],
"UserType": "user",
"PermissionSets": [
"5aff2aa36c3b5ea72975db35"
],
"active": false,
"meta": {
"resourceType": "User"
}
}
I want to grant them using Multi-Value list Parameter with rules. Does it mean I need /PermissionSets API endpoint which PUTs and GETs the PermissionSet to the user? Because I can't see any PermissionSet when I try to setup the parameter.
Many thanks in advance.
I followed this example https://learn.microsoft.com/en-us/microsoftteams/platform/sbs-calling-and-meeting
These are the steps I have done.
Registered an App in Azure using demo tenant
Created a policy for a demo tenant user for creating the online meeting on behalf of that user.
Added following Graph API Applications permissions to my Azure App
CallRecords.Read.All
Calls.Initiate.All
Calls.AccessMedia.All
Calls.InitiateGroupCall.All
Calls.JoinGroupCall.All
OnlineMeetings.ReadWrite.All
OnlineMeetings.Read.All
Calls.JoinGroupCallAsGuest.All
Granted Admin consent for the above permissions
For Bot
Created a Bot Channel Registeration in Azure account which have
subscription enabled.
While registering the bot, used https://<my_ngrok_url>/api/messages as the messaging endpoint.
Enabled the Teams Channel. Provided App-Name, Resource Group and
other required information I did Select the Calling tab on the Teams
channel page.
Select Enable calling, and then updated the Webhook
(for calling) with (https://yourNgrok/callback.
I am receiving the notifications.So this part works.
For bot my manifest is
{
"$schema": "https://github.com/OfficeDev/microsoft-teams-app-schema/blob/preview/DevPreview/MicrosoftTeams.schema.json",
"manifestVersion": "devPreview",
"version": "1.0.0",
"id": "<<app-id>>",
"packageName": "com.acs.sample",
"developer": {
"name": "Contoso",
"websiteUrl": "https://example.azurewebsites.net",
"privacyUrl": "https://teams.microsoft.com",
"termsOfUseUrl": "https://teams.microsoft.com"
},
"icons": {
"color": "color.png",
"outline": "outline.png"
},
"name": {
"short": "Calling bot",
"full": "Calling bot"
},
"description": {
"short": "Calling bot",
"full": "Calling bot"
},
"accentColor": "#FFFFFF",
"bots": [
{
"botId": "<<app-id>>",
"scopes": [ "personal", "team", "groupchat" ],
"supportsFiles": false,
"isNotificationOnly": false,
"supportsCalling": true,
"supportsVideo": true
}
],
"permissions": [ "identity", "messageTeamMembers" ],
"validDomains": [ "*.ngrok.io" ]
}
Installed Calling Bot in Teams
Installed without any error. I can make calls from the bot and see the notifications on my calling endpoints. One strange behavior I noticed, Its message text-box becomes disabled after a while but I can still make call from the bot.
Now I want to make call to a user from an endpoint.
From my python code. I used this code to get access token.
def getToken():
url = "https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token"
type = 'post'
data={
"client_id": 'client_id',
"client_secret": 'client_secret',
"scope": 'https://graph.microsoft.com/.default',
"grant_type": 'client_credentials',
}
resp = requests.request(
method = type,
url = url,
data = data
)
resp_data = resp.json()
return resp_data['access_token'];
This access token is correct because I used the token to get users list etc using graph api to see if I can use the api or not.
Then using this token I call calls endpoint
def call_user():
accessToken = getToken();
url = "https://graph.microsoft.com/beta/communications/calls"
type = 'post'
data={
"#odata.type": "#microsoft.graph.call",
"callbackUri": "https://my_ngrok_url/call",
"targets": [
{
"#odata.type": "#microsoft.graph.invitationParticipantInfo",
"identity": {
"#odata.type": "#microsoft.graph.identitySet",
"user": {
"#odata.type": "#microsoft.graph.identity",
"displayName": "John",
"id": "user_id_to_whom_i_want_to_call"
}
}
}
],
"requestedModalities": [
"audio"
],
"mediaConfig": {
"#odata.type": "#microsoft.graph.serviceHostedMediaConfig"
}
}
resp = requests.request(
method = type,
url = url,
data = data,
headers={"Authorization": "Bearer " + accessToken},
)
resp_data = resp.json()
return resp_data
It gives internal server error as response. Please help what i am doing wrong.
I have a with yeoman teams scaffolded tab in which I ask for adminconsent for application permission.
On a Go backend I then use the code to retrieve the access token. I am also getting all Users of the team.
Although I am using only application permissions, I can not send notifications to the admin account. When trying to send notifications to other accounts, the Graph API returns a 204 Status Code but the activity feed of the recipient stays empty.
The application has following application permissions (with granted admin consent):
ChannelMember.ReadAll
GroupMember.ReadAll
Team.ReadBasic.All
TeamMember.Read.All
TeamsActivity.Send
This is the Manifest file with version 1.11:
{
"manifestVersion": "1.11",
"id": "{{APPLICATION_ID}}",
"version": "{{VERSION}}",
"permissions": [
"identity",
"messageTeamMembers"
],
"webApplicationInfo": {
"id": "{{APPLICATION_ID}}",
"resource": "api://{{DOMAIN}}.{{APPLICATION_ID}}"
},
"devicePermissions": [
"notifications"
],
"activities": {
"activityTypes": [
{
"type": "newActivity",
"description": "A new Activity Description"
}
]
}
}
The HTTP POST request to: https://graph.microsoft.com/v1.0/teams/{teamID}/sendNotification
The JSON Body:
{
"topic": {
"source": "entityUrl",
"value": "https://graph.microsoft.com/v1.0/teams/%s"
},
"activityType": "newActivity",
"previewText": {
"content": "A new Activity Description"
},
"recipient": {
"odata.type": "microsoft.graph.aadUserNotificationRecipient",
"userId": "{{USER_ID}}"
}
}
The recipient is also Member of the channel the activity is referring to. I also made sure that the recipient can receive notifications.
I have the Azure AD users that are synced from my on-premises AD.
When I updated the user's properties (such as displayName, department, and so on), some users succeeded in updating, but some users failed to update.
In Azure AD, the audit logs of the update successful user and the failed user are as follows.
////////////////// update success user
{
"id": "Directory_xxxxxxx_112926480",
"category": "UserManagement",
"correlationId": "xxxxx",
"result": "success",
"resultReason": "",
"activityDisplayName": "Update user",
"activityDateTime": "2022-02-07T07:03:44.6467812Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"initiatedBy": {
"user": null,
"app": {
"appId": null,
"displayName": "xxxx",
"servicePrincipalId": "xxxx",
"servicePrincipalName": null
}
},
"targetResources": [
{
"id": "xxxx",
"displayName": null,
"type": "User",
"userPrincipalName": "xxxx#xxxx",
"groupType": null,
"modifiedProperties": [
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"\""
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
]
}
],
"additionalDetails": [
{
"key": "UserType",
"value": "Member"
},
{
"key": "User-Agent",
"value": "Apache CXF 3.2.14"
}
]
},
////////////////// update fail user
{
"id": "Directory_xxxx_118537500",
"category": "UserManagement",
"correlationId": "xxxx",
"result": "failure",
"resultReason": "Microsoft.Online.Workflows.PropertyUpdateNotAllowedException",
"activityDisplayName": "Update user",
"activityDateTime": "2022-02-07T07:03:04.9716261Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"initiatedBy": {
"user": null,
"app": {
"appId": null,
"displayName": "xxxx",
"servicePrincipalId": "xxxx",
"servicePrincipalName": null
}
},
"targetResources": [
{
"id": "xxxx",
"displayName": null,
"type": "User",
"userPrincipalName": "xxxx#xxx",
"groupType": null,
"modifiedProperties": [
{
"displayName": "MethodExecutionResult.",
"oldValue": null,
"newValue": "\"Microsoft.Online.Workflows.PropertyUpdateNotAllowedException\""
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
]
}
],
"additionalDetails": [
{
"key": "UserType",
"value": "Member"
},
{
"key": "User-Agent",
"value": "Apache CXF 3.2.14"
}
]
},
Could you tell why the results are so different?
Any help would be appreciated.
Some user details are failed to update because of the error:
Microsoft.Online.Workflows.PropertyUpdateNotAllowedException
The above error usually occurs for many reasons like:
There may be some attributes that violate formatting requirements which restrict characters and character length of attribute values.
The attributes that require unique values may have duplicate attribute values in existing user account (on-prem AD).
May be the user principal name (UPN) was changed after the initial synchronization and must be updated manually.
Some attributes may match exclusion rules for directory synchronization.
The domain value that's used by AD DS attributes hasn't been verified.
To resolve this error, please check the below workarounds if they are helpful:
Use the IdFix DirSync Error Remediation Tool to check for duplicates, missing attributes, and rule violations.
Update AD DS attributes to remove duplicates, rule violations, and scoping exclusions.
Make sure the user properties can’t contain accent characters and the size of displayName, department etc… are under the maximum limits.
For more information in detail, go through below references.
References:
One or more objects don't sync when the Azure Active Directory Sync tool is used - Active Directory | Microsoft Docs
Troubleshoot directory synchronization errors with event 6941 - Office 365 | Microsoft Docs
When adding/updating AAD user with ARM template/resources.explorer, why does a Basic user also get created?
This is the payload:
{
"apiVersion": "2017-03-01",
"type": "users",
"name": "user1",
"properties": {
"firstName": "FirstName",
"lastName": "LastName",
"email": "[parameters('user1Email')]",
"state": "active",
"identities": [
{
"provider": "Aad",
"id": "[parameters('user1UserId')]"
}
]
}
}
As you can see i do not include the
{
"provider": "Basic",
"id": "basic.userg#basic.com"
}
I don't want to create Basic Auth, I only want Azure AD.
When creating AD user from the developer portal we don't get this behaviour, but with ARM it also creates Basic.
The only way I see at the moment is to do a second PATCH (!) request with same payload but no Basic identity.