I am trying to upload document to OneDrive through my application. When i am trying to login Onedrive i am getting below error message.
(1002144-A1) Onedrive upload failed with exception:
Code: Request_ResourceNotFound
Message: Resource 'demo#domain.com' does not exist or one of its queried reference-property objects are not present.
My application is a multitenant application. Can anyone have an idea about this issue.
• You are getting this error because the required scopes and the permissions for the Azure AD app registration are not correct as well as there might be query formatting errors in your ‘Onedrive’ request from your application. For that purpose, kindly ensure the below settings are configured aptly in your application: -
a) Client ID and Key (client secret) as registered with Azure Active Directory (AAD)
b) Authorization code received from OAuth 2 authorization code flow
c) OneDrive for Business API endpoint URL
d) Access token for the OneDrive for Business resource
e) Refresh token to generate additional access tokens when the current token expires.
Thus, follow the steps as shown in the manner as above. Kindly get an authorization code as below: -
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={client_id}&scope={scope}&response_type=code&redirect_uri={redirect_uri}
Then ensure to redeem the code for access tokens as below upon successful authentication and authorization wherein the response will be as below: -
Response: -
https://myapp.com/auth-redirect?code=df6aa589-1080-b241-b410-c4dff65dbf7c
Redeem the code for access tokens as below: -
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code
Then, further get a new access token or refresh token as below wherein the response should be as follows: -
Refresh token redemption: -
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&refresh_token={refresh_token}&grant_type=refresh_token
Response: -
{
"token_type":"bearer",
"expires_in": 3600,
"scope": "wl.basic onedrive.readwrite wl.offline_access",
"access_token":"EwCo...AA==",
"refresh_token":"eyJh...9323"
}
As you can see above, upon successful authentication via Microsoft Graph as the orchestrator, you get the refresh token, access token and the valid scopes for it too. Also, please find the below snapshot which shows the scopes required for this: -
Also, do ensure that the application as an entity exists in the Azure AD app registration for the authentication to Onedrive API to happen as below: -
For more detailed information, kindly refer the below links: -
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online
https://github.com/microsoftgraph/microsoft-graph-docs/issues/3539
Related
I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.
As per documentation, I did create Azure AD application and provided the permissions. This is needed to get access token which is needed to make api calls.
I am getting Insufficient role based permissions error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/.
I get same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/
Any idea how to solve this Insufficient permission issue?
I tried to reproduce the same in my environment and got below results
I registered one Azure AD application and granted API permissions as below:
Now I generated access token via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default
Response:
When I used the above token to get files with both URLs, I got same error as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>
With the same token, I'm able to call all other APIs like alerts, activities etc. like below:
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>
Note that, calling file APIs is not available in application
context.
Alternatively, you can make use of Legacy Method by generating one API token like below:
Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token
Now, enter Token name and select Generate as below:
API token will be generated successfully and copy the token to use in Postman:
When I used the above API token to call files API with both URLs, I got response successfully as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>
You can try the same in your environment by generating API token instead of Bearer token to call Files API.
Reference:
Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I'm trying to integrate the MS Teams API in a Web-App.
First of all i was trying to use the MS API from Postman to see the workflow.
On the Azure UI i have succesfully created an App-Registration: i have my ClientID, TenantID and i have created also the client secret.
I downloaded the Postman API from https://github.com/microsoftgraph/microsoftgraph-postman-collections and i can retrieve the App-Only Access token.
I created two users in a group and i logged them on MS Teams Application, they can chat.
I can also get the User Access Token and endpoints such
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/me
etc..
are correctly working.
I am passing the User Access Token as Bearer token for the request.
These are the API permissions i gave:
I am having issues with the endpoints in the folder Events like:
https://graph.microsoft.com/beta/me/findRooms
https://graph.microsoft.com/v1.0/me/calendars
etc..
They all give the same error:
{
"error":{
"code":"NoUserFoundWithGivenClaims",
"message":"The user specified by the user-context in the token does not exist.",
"innerError":{
"oAuthEventOperationId":"08e3abc3-3fdf-4d85-849d-7632ac0723d2",
"oAuthEventcV":"CGW24oLIeEW1qoscgMIMTw.1.1",
"errorUrl":"https://aka.ms/autherrors#error-InvalidUser",
"requestId":"8e6cb242-17fe-4a94-8c89-912606578fb3",
"date":"2021-03-09T12:04:27"
}
}
}
I haven't found anything about this error.
Can someone help me?
Thanks.
You can check your bearer token by putting it in jwt.ms and see if you have the required permissions in 'scp' claim.
If you are getting MailboxNotEnabledForRESTAPI then you need to check if you have the proper exchange license or not.
You can add license by going into Microsoft Admin Center -> Users -> Active Users -> Select your user -> Licenses
I am using Microsoft Graph Postman Collections to test common Microsoft Graph APIs from within Postman. However, I am stuck while trying to fetch user access token
Below is the request
POST /7c69806f-5754-488f-9dd8-7daa8afea4fd/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
cache-control: no-cache
Postman-Token: ac512133-5afe-47a3-ae9b-3b6c0b510ebd
grant_type=passwordclient_id=ebbe4872-5b7187-de6d6ddf7301client_secret=g99p8DWoxdUPY-%3F%40%5Bv7kt2g4BMxGscope=https%3A%2F%2Fgraph.microsoft.com%2F.defaultuserName=rohitdhamijagmail.onmicrosoft.compassword=Zcost%4080
On trying "Fetch user access token" POST API, I get following error:
{
"error": "invalid_grant",
"error_description": "AADSTS50034: The user account rohitdhamijagmail.onmicrosoft.com does not exist in the 7c69806f-5754-488f-9dd8-7daa8afea4fd directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: c0e97dd8-053d-4c99-81e4-354d7ae7d500\r\nCorrelation ID: 7e67450e-3054-48bc-b808-2f6277093dac\r\nTimestamp: 2020-03-03 09:38:09Z",
"error_codes": [
50034
],
"timestamp": "2020-03-03 09:38:09Z",
"trace_id": "c0e97dd8-053d-4c99-81e4-354d7ae7d500",
"correlation_id": "7e67450e-3054-48bc-b808-2f6277093dac",
"error_uri": "https://login.microsoftonline.com/error?code=50034"
}
The user account does show under my tenant in Azure , below is the image attached
What can be the issue?
Note: I have configured the global environments properly, since I am able to use other API's like Get User info etc.
Your Request Should be Like this.
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
client_id:b603c7be_Client_id_e61f925
scope:https://graph.microsoft.com/.default
client_secret:NpmwO/KDJ_client_secret:NpmwO_W0kWf1SbnL
username:tenentUser.onmicrosoft.com
password:YourUserPassword
grant_type:password
See the screen shot:
I am getting token as expected
Step: 1
Step: 2
Step: 3
Note:
Make sure your user belong to azure portal on your tenant
Your Client Id belongs to that tenant
Application secret is valid or not expired.
Update: How to get Tenant Id
For more information you could refer Official document
Hope that would help.
I tried the same and it worked for me without any issue, couple of points that can be looked at are,
Either the app must be registered under same active directory OR it has multi-tenant enabled like below, Authentication
The app should have following permissions, Permissions
I just updated user name and password in postman call and my account is also on yourdomainhere.onmicrosoft.com Postman
I'm trying do develop an application that makes use of the Power BI API.
The problem is, even though I have a valid authentication token, every API endpoint I tried to access so far returns a 403 (Forbidden) Http status with no content on the response body.
I think the token I'm getting is valid because when I try to use the same token the next day it gives me a "Token expired message".
I'm using a corporative Azure Active Directory account where I'm not an administrator. But I have full access to the Power BI workspaces and Reports on it's web interface.
I'm currently authenticating with Azure AD Oatuh2 v1 but I also tryed v2 with no success (I'm still using v1 because on v2 I'm not sure my scope and resource parameters are right).
Here are the requests I'm sending:
GET
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<my client id>
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&response_mode=query
get the authorization code on the redirect at localhost:8080/azureLogin/authorize then
POST https://login.microsoftonline.com/{tenant}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<my client id>
&code=<the code I just got>
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&client_secret=<my client secret>
As "tenant" I tried both "common" and my organization id.
But when I try to access https://api.powerbi.com/v1.0/myorg/reports with the Authorization: Bearer <token> header. I get a 403 Forbiden response.
On Azure AD I can see my user has given all permissions to this application I registered.
Am I missing something? How can I solve that?
To make the answer visible to others, I'm summarizing the answer shared in comment:
You missed the resource parameter, you are access powerbi, so it should be
resource: https://analysis.windows.net/powerbi/api
The resource is app ID URI of the target web API (secured resource). It may also be an external resource like https://graph.microsoft.com, https://analysis.windows.net/powerbi/api etc. This is required in one of either the authorization or token requests.