I am trying to understand the Microsoft Graph APIs, but I find them kind of confusing. There's an Excel file that is shared with me on OneDrive. I want to download it using Microsoft Graph. I was able to create the app and set up its configuration and permissions so that I can send a request and get an authorization token that I can use to send requests.
However, I have a couple of problems, even in Graph Explorer, which I use as my own account, not as the app.
To find out the ID of the file that is shared with me, I used the "files shared with me" API that is under OneDrive (https://graph.microsoft.com/v1.0/me/insights/shared).
I copied the id that I get from there and used it in the "worksheets in a workbook" API under the Excel category (https://graph.microsoft.com/v1.0/me/drive/items/{drive-item-id}/workbook/worksheets).
However, I got an "Item not found" error. The problem is, even though I can see it on OneDrive as a shared object, I can't seem to open it using the second API.
How can I download the Excel file that is shared with me through OneDrive? Which API should I use? The app that will send the requests is a standalone app that will send them without human authorization. I don't know the correct terminology here, but Microsoft doesn't allow it to make a /me request; it gets "/me request is only valid with delegated authentication flow." Therefore I probably need some way for the app to see that OneDrive link, but I was unable to find a working way.
The error message "/me request is only valid with delegated authentication flow." means what it says. There are two main ways to authenticate an application with the Graph API: application authentication and on-behalf-of-user authentication. So the error message is telling you that you are using application authentication and the API path /me is only accessible with on-behalf-of-user authentication (i.e. delegated authentication). This makes sense, because when using application authentication, who is "me"?
The API endpoints say which authentication types they support. If you take the worksheets API, it says under the permissions section:
Permission type - Permissions (from least to most privileged)
Delegated (work or school account) - Files.ReadWrite
Delegated (personal Microsoft account) - Not supported.
Application - Not supported.
This tells us that Application and Delegated for personal Microsoft accounts are not supported, and that Delegated for work/school accounts requires the Files.ReadWrite permission.
To download the drive item you can use the download item API.
This supports both Application and Delegated permissions. For Application permissions you will not be able to use the /me path, though. You will most likely have to use something like:
/users/{userId}/drive/items/{item-id}/content
I am assuming your file is stored in a work account's OneDrive storage and not in one of the other storage places (AD group, etc.).
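As an added illustration of the answer above (not code from the poster): the difference between the two token types is visible in the token itself, so a client can check which one it holds before choosing between /me and /users/{userId}. App-only tokens carry their application permissions in a `roles` claim and have no `scp` claim; delegated tokens carry `scp`. The tokens below are constructed, unsigned samples, and the client id, secret and user principal are placeholders.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"

def b64url_json(obj: dict) -> str:
    """base64url-encode a dict the way JWT segments are encoded (no padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def token_claims(jwt: str) -> dict:
    """Decode the payload of an access token WITHOUT verifying its signature.
    Fine for inspecting a token we just received; Graph performs the real validation."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def is_app_only(jwt: str) -> bool:
    """No `scp` claim means no signed-in user, so `/me` is meaningless for this token."""
    claims = token_claims(jwt)
    return "scp" not in claims and "roles" in claims

def drive_item_content_url(jwt: str, item_id: str, user: Optional[str] = None) -> str:
    """Return the download URL that is valid for this token type: /me for delegated
    tokens, /users/{user} (the drive owner) for app-only tokens."""
    if is_app_only(jwt):
        if not user:
            raise ValueError("app-only token: name the drive owner explicitly, /me is not valid")
        return f"{GRAPH}/users/{user}/drive/items/{item_id}/content"
    return f"{GRAPH}/me/drive/items/{item_id}/content"

def client_credentials_body(client_id: str, client_secret: str) -> str:
    """Form body for the v2.0 token endpoint client-credentials grant. The `.default`
    scope yields whatever application permissions an admin consented to for the app."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",
    })

# Constructed, unsigned sample tokens (header.payload.signature) for demonstration only.
HEADER = b64url_json({"alg": "RS256", "typ": "JWT"})
DELEGATED_TOKEN = f"{HEADER}.{b64url_json({'aud': 'https://graph.microsoft.com', 'scp': 'Files.ReadWrite User.Read'})}.sig"
APP_ONLY_TOKEN = f"{HEADER}.{b64url_json({'aud': 'https://graph.microsoft.com', 'roles': ['Files.Read.All']})}.sig"

if __name__ == "__main__":
    print(drive_item_content_url(DELEGATED_TOKEN, "ITEM-ID"))
    print(drive_item_content_url(APP_ONLY_TOKEN, "ITEM-ID", user="owner@contoso.example"))
```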
This seems like it should be incredibly easy. But here I am on day 3 of reading blogs and watching YouTube videos from India. Is this just not possible?
I have a Logic App that has a system-assigned identity. I used PowerShell to create an identity in Exchange Online based on this identity and give it the "Send As" permission to a shared mailbox. That part is done and I didn't get any errors, and we've done the same thing for "actual code" projects that use "App Registrations" and the Microsoft.Graph library to send emails, so I'm fairly confident it works.
I can't use an O365 connector in the Logic App because that needs a user to log in and create the connection. Then I'd have to give myself rights to "Send As" this mailbox, which I don't want to do and seems like a terrible practice because one day I might leave the company, probably by stroke, but still my account might one day be gone.
Using the Microsoft Graph Explorer and some documentation I can see that mail can be sent using Graph in what seems like a pretty straightforward way. I've verified, using Graph Explorer, that I can send mail as myself using that API.
Can I send email as a shared mailbox via the Microsoft Graph API using an Azure Logic App? Even if I need to create an App Registration to do it, that's fine. I don't know how to tell the API to send an email using a system-assigned identity.
I agree with @Skin, you can use a service account for authentication instead of a user login.
I would suggest following the steps below; they may help in achieving your requirement.
Create an app registration for the Logic App in Active Directory.
Use the system-assigned managed identity as authentication for the Graph API.
Refer to this link for managed identity for the Graph API.
Grant the system-assigned identity of the Logic App the "Send As" permission for the shared mailbox.
In the Logic App send email action, use the shared mailbox address.
I don't know how to tell the API to send an email using a system-assigned identity.
There is no need to specify the system-assigned identity in the API call. When you use a system-assigned managed identity to authenticate with the Microsoft Graph API in your Logic App HTTP action, the identity is automatically passed to the API as part of the authentication process.
As shown in the image below, you can turn on the system-assigned identity in the Logic App.
Then in the HTTP action, use POST as the method, enter the Graph API URL, and choose managed identity as the authentication.
For me it is no longer possible (by default) to send email from a shared mailbox; you have to use the same email address as the one used to authenticate the account.
I have an Azure AD registered application. With delegated permissions of a user with AllSites.FullControl, I'm able to get drive/root/delta in the Graph API.
The problems I'm having making the delta calls as the delegated user are:
the deltas are not consistent. Sometimes I get results back after changing the permissions of a file/folder, sometimes I don't
despite passing in the Prefer headers deltashowsharingchanges, deltashowremovedasdeleted and deltatraversepermissiongaps, I'm not getting back @microsoft.graph.sharedChanged in the response.
The above issues are my primary questions.
Grasping at straws here, but please let me know if I would have better luck with app-only authentication. If so, how do I get it set up with my existing Azure AD registered application, without access to PowerShell or Windows (e.g. if I need to use a certificate instead of client_id/client_secret, as there is conflicting information about this, and only instructions on how to get it done with PowerShell)? I've already started to try to test this, but have not successfully found information on how to get this working in a multi-tenant use case, wherein I'm trying to access the SharePoint of an outside tenant from an Azure AD registered, app-only authenticated application. All existing instructions I've seen thus far are not multi-tenant and grant themselves permissions in their own Azure AD portal.
It turned out that indeed, using app-only client credentials authentication was necessary to get @microsoft.graph.sharedChanged in the response, though this is not documented anywhere. In addition, deltas are being returned consistently now. Presumably, Microsoft is doing something to try to return only deltas relevant to the delegated user, although that is not enough in my opinion to explain the lack of deltas in some cases. Nevertheless, I'm getting the response I need using app-only client credentials.
Regarding use of a certificate -- it was not necessary if accessing my own tenant where the app is registered, but if accessing a third-party tenant, a certificate was required instead of client_secret.
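As an added example (not the poster's code) of the delta loop the question above is running: a sync round sends the three Prefer headers, follows @odata.nextLink until a page carries @odata.deltaLink, and sorts items into sharing changes, deletions and everything else. The deltaLink is the state to persist for the next round. The response pages, DRIVE-ID and the `fetch` callback are constructed stand-ins for real Graph responses; combining the three preferences into one comma-separated Prefer header follows RFC 7240 and is an assumption about what the service accepts.

```python
from typing import Callable, Dict, List, Tuple

# The Prefer values the delta API accepts; here combined into one header (assumption).
DELTA_PREFER = ", ".join([
    "deltashowsharingchanges",      # annotate items whose sharing/permissions changed
    "deltashowremovedasdeleted",    # items we lost access to come back with a `deleted` facet
    "deltatraversepermissiongaps",  # keep walking past folders the caller cannot read
])

def delta_headers(access_token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {access_token}", "Prefer": DELTA_PREFER}

def walk_delta(fetch: Callable[[str], dict], start_url: str) -> Tuple[List[dict], List[dict], List[dict], str]:
    """Follow @odata.nextLink until a page carries @odata.deltaLink.
    `fetch(url)` returns the parsed JSON page. Returns (sharing changes, deletions,
    other changes, deltaLink); the deltaLink is the start URL for the next sync round."""
    shared, deleted, other = [], [], []
    url = start_url
    while True:
        page = fetch(url)
        for item in page.get("value", []):
            # Graph emits the annotation as a string ("True"); accept a bool as well.
            if str(item.get("@microsoft.graph.sharedChanged", "")).lower() == "true":
                shared.append(item)
            elif "deleted" in item:
                deleted.append(item)
            else:
                other.append(item)
        if "@odata.deltaLink" in page:
            return shared, deleted, other, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]  # KeyError here means a malformed page: neither link present

# Constructed sample pages standing in for two responses from /drives/{drive-id}/root/delta.
START_URL = "https://graph.microsoft.com/v1.0/drives/DRIVE-ID/root/delta"
SAMPLE_PAGES = {
    START_URL: {
        "value": [
            {"id": "A1", "name": "budget.xlsx", "@microsoft.graph.sharedChanged": "True"},
            {"id": "A2", "name": "notes.docx"},
        ],
        "@odata.nextLink": START_URL + "?token=PAGE2",
    },
    START_URL + "?token=PAGE2": {
        "value": [{"id": "A3", "deleted": {"state": "deleted"}}],
        "@odata.deltaLink": START_URL + "?token=FINAL",
    },
}

def run_sample() -> Tuple[List[dict], List[dict], List[dict], str]:
    """Walk the constructed pages; `fetch` is a dict lookup instead of an HTTP GET."""
    return walk_delta(SAMPLE_PAGES.__getitem__, START_URL)
```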
I have a purchased personal OneDrive account (not the free tier).
What am I trying to do?
To write a daemon in Python that will connect to OneDrive personal account folders and upload / show contents.
What did I try doing?
I learned Microsoft Graph is the way to go to access all personal and business accounts.
So I signed in to the Azure (Free) Portal with my OneDrive credentials myname@yandex.com; after signing in it created an Azure default directory with mynameyan...@onmicrosoft.com as the principal user.
I followed the tutorial and created an app under App Registration, granted it all the permissions and also admin consent through the portal, generated a client secret and downloaded the sample code from QuickStart under Portal -> Azure Directory -> App Reg...
I ran it on my computer with just one change in the code. After getting the access token, I changed the Graph endpoint to /me/drives/root and I got "Tenant does not have SPO License". I also noticed that when I change the Graph endpoint to /users it yields mynameyan..@onmicrosoft.com as the principal account name, when I expect myname@yandex.com.
So in Graph Explorer I tried it and it yields the proper principal account name, myname@yandex.com, and also lists all the OneDrive personal files as expected.
Problem?
I cannot authenticate myself properly. Since my application will be a daemon, I can't present myself a login page with redirect URLs, so the "code flow" type of acquiring an authentication token for personal accounts will not work for me, as mentioned in the tutorials.
Also, if I forcefully query /me it says "Please use consumer endpoint"; if I change the authentication endpoint it says invalid client ID and credentials (because I think that the onmicrosoft.com principal name cannot be used to query OneDrive Personal, which belongs to myname@yandex.com).
What do I request?
An idea of how others would implement this daemon, with brief if not detailed steps of configuration in Azure and code, and if possible sample code and an algorithm.
I am new, bla bla... hehe. Actually I am new to Azure and am also using OAuth for the first time. Thanks in advance. I will edit the question if someone needs more information on this to help me.
You cannot use a daemon to access personal account OneDrive files.
A daemon app uses Application permissions (without a user) to do the operation.
But based on the Microsoft Graph Get Files permissions, only Delegated permission is supported for personal Microsoft accounts. And Delegated permission means app + user permission.
Currently you have to implement Get access on behalf of a user and use the auth code flow to access personal account OneDrive files with the Microsoft Graph API.
I am diving into the Microsoft Graph API and want to use its features to interact with an Excel workbook. I intend to create a client-side application that interfaces with my API, which in turn interfaces with the Microsoft Graph API.
I ran into some confusion with the Microsoft Graph permission documentation. When sifting through the Excel API documentation, I saw that in order to Update Range or Get Worksheet (or really any endpoint) I need to have Delegated (work or school account) permission. I then looked at the Graph permission doc mentioned above and it says:
Delegated permissions are used by apps that have a signed-in user present. For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
To me, this reads "a user must log in using OAuth to interact with a workbook via the API". I'm hoping that is not the case, because I want to have the workbook data publicly available and to have read/write permission. I understand I will have to authenticate some (admin) user within my organization in order to retrieve/update a workbook (via the Graph API) stored in OneDrive, for example, but I just wanted to see the requirements for accessing the workbook.
It looks like you intend to use the Excel workbook as a central data source rather than an individual user-based store. In that case you can access the API without a user sign-in by using application-level consent. See here. The client "app" will call into a server (such as Node.js) and that in turn will make API calls to Microsoft Graph to interact with the Excel workbook. This server-to-Graph call is abstracted from the client app and hence secure.
The downside of this approach is that you'll need a server implementation, and you can't implement a single-page application that doesn't require a server side. It is not a big hurdle - it just takes a different set-up.
I would like to create an application where the users could access all my data in Google Drive.
I have implemented 2-legged OAuth to obtain all the data from Google Drive with my server app with no user authorization. The server can obtain all the data with the 2-legged OAuth.
The problem arrives when using, for example, the link of a Drive document: the users connected to my app cannot access it because they have no permissions.
I would like to know if it is mandatory to give them permissions to access the files, or maybe there is another service provided by Google to have a common storage for all the users without getting the authorization or permissions for every single user.
I would also like to know if it is possible to use the Drive interface to show the users the documents.
There are actually three ways to access Google data.
API key: used to access public data.
OAuth2: used to access private data. Prompts the user to give permission to access the data and grants a refresh token.
Service accounts: service accounts are preauthorized. There is no prompt to request a user's permission to access the data.
I am not exactly sure what you mean by 2-legged OAuth. It sounds like you are talking about a service. You can grant the service account access to your personal Drive account by sharing one or more folders with it. Note: I am not sure if you can share the root folder or not.
When you wish to allow one of your users to access a file, you should have the service account add the user as a reader of the file; then they will have access. This can be done by inserting permissions.
Note: I am not a Node.js developer and I am not sure that service accounts are supported by Node.js; you may have to switch to a server-side language. I don't know enough about it.
I do have a blog post that explains service accounts in more detail.