I am trying to make a POST request to the Microsoft Graph Search API endpoint https://graph.microsoft.com/v1.0/search/query using a token obtained from a managed identity with the "Sites.Read.All" permission on the Microsoft Graph API.
However, I am receiving a 401 Unauthorized response. What could be causing this issue?
The problem was in what Oxymoron suggested, "roles" was missing in the bearer token. The solution was to change resource="https://graph.microsoft.com/" to "https://graph.microsoft.com" (without the slash) when requesting the token from the AAD.
Also apparently only delegated permissions work right now on v1.0 Graph Search (Source: https://learn.microsoft.com/en-us/graph/api/search-query?view=graph-rest-1.0).
The request does work in the Beta version:
POST https://graph.microsoft.com/beta/search/query
Content-Type: application/json
{
"requests": [
{
"entityTypes": [
"listItem"
],
"query": {
"queryString": "contoso"
},
"region": "NAM"
}
]
}
Related
I have an ASP.NET Core API hosted in Azure which is to be accessed by several trusted clients. I wish to offer an /auth endpoint which accepts a client_id and client_secret. Response will be an OAuth access token with expiry.
The many examples/tutorials I have found mostly relate to username/password login and full OAuth flow (B2C) which isn't what I'm looking for as the trusted clients have the secret.
I've been looking at Azure API Management which links through to Azure AD for OAuth but I'm thinking this is just complicating things right now.
In the past I have generated and validated JWT bearer tokens using the ASP.NET middleware, but I am sure I should be generating and validating tokens via Azure AD - or am I wrong here?
[expecting to get some down votes for not being explicitly code related, but really need a little bit of advice to get me past this]
I wish to offer an /auth endpoint which accepts a client_id and
client_secret. Response will be an OAuth access token with expiry.
You can use client credential flow. Then you can use this endpoint to get access token.
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret=qWgdYAmab0YSkuL1qKv5bPX
&grant_type=client_credentials
Before doing this, you need to expose application permissions of your application api. The contents of appRoles are as below.
"appRoles": [
{
"allowedMemberTypes": [ "Application" ],
"description": "Accesses the TodoListService-Cert as an application.",
"displayName": "access_as_application",
"id": "ccf784a6-fd0c-45f2-9c08-2f9d162a0628",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "access_as_application"
}
],
I'm able to create app id using Graph API but app secret/password is not generated with it. I need a way to generate/set a password using APIs.
Am I missing something?
You could create the password via Azure AD Graph API, you can test it in the AAD Graph Explorer.
My test sample:
Request URL:
PATCH https://graph.windows.net/{tenant id}/applications/{application object id}?api-version=1.6
Request body:
{
"passwordCredentials": [{
"endDate": "2020-08-12T02:54:44.2530506Z",
"keyId": "77fe4bf5-5d04-4a62-abc2-f064a9213d3f",
"startDate": "2019-08-12T02:54:44.2530506Z",
"customKeyIdentifier": "dGVzdA==",
"value": "XnkNIsT+cScOYeYJayQ4WNmp9tgAqw5z773uI9WQtAw="
}]
}
For more details about the request body, refer to this link - PasswordCredential.
Note: In the AAD Graph Explorer, when you send the request, the progress bar will never finish, but actually it works, you could check the result in the portal -> Azure Active Directory after a while.
Besides, there is also a Beta api in Microsoft Graph - Update application, I have not tested it, so I am not sure if it works. It is a Beta version, even if it works, I don't recommend you to use it in the production environment.
Are you following the correct API link?
Create User
It is easy to create Azure AD users using the Microsoft Graph REST. Here is a code sample for your reference:
POST https://graph.microsoft.com/v1.0/users
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Sajee",
"mailNickname": "Sinna",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
I created an endpoint for the MIcrosoft Graph Webhook API but for some reason, the validation token returned isn't correct. It shows
Validation: Testing client application reachability for subscription Request-Id:
Any help would be appreciated
{
"resource": "/enpoing",
"httpMethod": "POST",
"queryStringParameters": {
"validationToken": "Validation: Testing client application reachability for subscription Request-Id: 481f1e66-d235-4e98-9205-bfb917760877"
},
"multiValueQueryStringParameters": {
"validationToken": [
"Validation: Testing client application reachability for subscription Request-Id: 481f1e66-d235-4e98-9205-bfb917760877"
]
}
}
As outlined in the documentation your endpoint needs to handle the validation token properly in order to have the subscription created properly.
You can assume your subscription is setup properly only when you get a 201 Created response from the POST request you initially sent.
I setup one iOS app in Azure Portal to integrate with OneDrive for business.
In "Permission to other app" we selected all permission for
- Microsoft Graph
- Office 365 sharepoint online
- Window Azure Active Directory
I run iOS sample code in SDK and it works for almost functions accept for "Share file". Error: 403 "forbidden" UserInfo={error=notAllowed: The feature has been disabled. Please contact your admin to get it enable., NSLocalizedDescription=forbidden}
screenshot
Maybe I missed any configuration somewhere? Could you please advice
Thanks Regards,
Hoang
How did you share the file, create a share link or invite the people? Based on the test, the OneDrive REST API both works well for the creating the share link and invite people. Can you reproduce this issue using the OneDrive REST API?
Here is the OneDrive REST API for your reference.
Share link:
POST https://msdnofficedev-my.sharepoint.com/_api/v2.0/drive/items/01EOIEB3KQBZ74CI7DYBELCRPNZVJKSOUC/action.createLink
Header:
authorization: bearer {token}
Content-Type: application/json
Body:
{
"type": "view"
}
Invite people:
POST https://msdnofficedev-my.sharepoint.com/_api/v2.0/drive/items/01EOIEB3KQBZ74CI7DYBELCRPNZVJKSOUC/action.invite
Header:
authorization: bearer {token}
Content-Type: application/json
Body:
{
"requireSignIn": false,
"sendInvitation": true,
"roles": ["write"],
"recipients": [
{ "email": "user1#msdnofficedev.onmicrosoft.com" }
],
"message": "Here's the document I was talking about yesterday."
}
And you can refer to the link below to get the Access token:
https://dev.onedrive.com/auth/aad_oauth.htm
I'm trying to use Project Server 2013 REST APIs with Windows Azure access tokens but getting GeneralSecurityAccessDenied error.
I have register my app in Azure AD on the Management Portal to get client_id, redirectUri.
The permissions to the application are “Office 365 SharePoint Online” and “Windows Azure Active Directory”.
I’m calling the authorization endpoint in the following URL, is this correct?
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id= &redirect_uri=&resource=https://.sharepoint.com
Then I’m calling token endpoint URL
https://login.windows.net/common/oauth2/token with the following parameters
grant_type is authorization_code
code is “Access Code Returned from the first call”
redirect_uri is <MY URL>
resource is https://<mytestdomain>.sharepoint.com
This gives me Access Token and Refresh Token, but when I use the Access Token to do something it gives me the error “GeneralSecurityAccessDenied”
My POST request is
https:// <mytestdomain>.sharepoint.com/sites/pwa/_api/ProjectServer/Projects/Add
Authorization is Bearer <Access Token>
Content-Type is application/json;odata=verbose
The request body is
{
'parameters' : {
'Name':My Test ',
'Description': Test Project',
'Start':'1/28/2015'
}
}
The Error response is follows.
{
"error": {
"code": "20010, Microsoft.ProjectServer.PJClientCallableException",
"message": {
"lang": "en-US",
"value": "GeneralSecurityAccessDenied"
}
}
}