I'm trying to use Google API to invite managers to my business profile account
My role is "OWNER" and I try to invite someone by email
I used OAuth playground tool to achieve that.
scope: https://www.googleapis.com/auth/business.manage
method: POST
URL: https://mybusinessaccountmanagement.googleapis.com/v1/accounts/108463676430689610134/admins
request body:
{
"role": "MANAGER",
"admin": "mina.zakaria.zakher#gmail.com"
}
response body
{
"error": {
"status": "PERMISSION_DENIED",
"message": "The caller does not have permission",
"code": 403
}
}
I don't know why permission denied while I could add the same email using dashboard? any help?
Inviting others as admins is only supported for accounts that are not of AccountType PERSONAL.
Personal account:
Location group account (where a user could invite others via the group settings capability):
Related
I am trying to get the list of chrome devices registered with the specified customer Id.
I have done the following Steps.
Enabled Google Admin Directory API
Created Service Account and downloaded the jwt.json file for
connectivity.
Enabled the Domain wide G-Suite Delegation previlige.
Registered this client id as authorized API client Thru Google
Admin(Manage API client access)
Client Id : our clientid
API Scope: View and manage your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos View your Chrome OS devices' metadata https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly
Next I used my Node module to Generate the JWT access
Token is created Successfully.
{"access_token":"ya29.c.KpEB****K*********lufaGlx5k********hvAdADxBhOA****8R3rnTPKKnVb97sdPFG66wHy4FPrnx6KskafKXrBBfEgILdDelP-n5irpKm5h8y8oBWHO*******Xg","token_type":"Bearer","expiry_date":1587150649000,"refresh_token":"jwt-placeholder"}
Now i am trying to use this Bearer toke to access the following API
https://www.googleapis.com/admin/directory/v1/customer/ourcustomerid/devices/chromeos
This is always giving the following error.
{
"error": {
"errors": [{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Not sure what is the issue.
Its working after adding Impersonated users email address... Originally it was
const jwtAuth = new google.auth.JWT(
quickstart.client_email,
null,
quickstart.private_key,
[
'https://www.googleapis.com/auth/admin.directory.device.chromeos',
'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
]
);
Then I have added the subject as impersonated users email address.
const jwtAuth = new google.auth.JWT(
quickstart.client_email,
null,
quickstart.private_key,
[
'https://www.googleapis.com/auth/admin.directory.device.chromeos',
'https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly'
],
'email address of the impersonated user',
);
I am trying to add custom properties to User object using graph.microsoft.com. I chose schema extensions for that, but the POST request to https://graph.microsoft.com/v1.0/schemaExtensions returns Authorization_RequestDenied.
First, I checked the permissions via the Azure CLI (the id is my app id):
az ad app permission list-grants --id 229e9b3d-5a17-4a46-930a-60e8ca114027 --show-resource-name
For Microsoft Graph, there are many permissions, but as I understand it, I should need only User.ReadWrite.All and Directory.AccessAsUser.All which are there.
Then I used Insomnia (to check functionality without coding problems) and call POST https://graph.microsoft.com/v1.0/schemaExtensions with JSON body:
{
"id": "extTest",
"description": "test extension",
"targetTypes": [
"User"
],
"properties": [
{
"name" : "isAvailable",
"type" : "Boolean"
}
]
}
and the returned response is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d5c1e7b3-f1c5-44c0-917d-5e43d7483bdf",
"date": "2019-06-10T13:44:36"
}
}
}
Is there something I missed?
It seems that your access token didn't have Directory.AccessAsUser.All permission. You can decode it by using https://jwt.io/ and check if this permission exists in 'scp'.
I have tested it on my side and it works. Here are my main steps.
1.add Directory.AccessAsUser.All permission to your app and click grant admin consent button.
2.get access token by using auth code grant flow. You can not use client credential grant flow here since you must sign in with a user.
I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
I am trying to have access to information in "/me" with Graph API for a personal account using Azure AD v2.0 but I receive the following error. It works with organizational accounts.
{
"error": {
"code": "UnknownError",
"message": "{\"Status\":500,\"Message\":\"All the offeractions povided in the property bag cannot be validated for the token.\\u000d\\u000a\"}",
"innerError": {
"request-id": "39e23062-80ad-4872-86a7-39f5a5d928ce",
"date": "2017-02-23T15:35:06"
}
}
}
I have the permission User.ReadBasic.All
The scope User.ReadBasic.All grant the permission to read the basic profile of all users in the organization on behalf of the signed-in user. This scope is t only supported for the Azure AD Account. If you just want to read the user’s profile for the Microsoft Account, you could use the scope User.Read . Code flow steps below is for your reference :
Get the authorization code :
Get : https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=<client id>&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
Then get the token :
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=<code>&state=af0ifjsldkj&redirect_uri=http%3A%2F%2Flocalhost%3A16468%2F&client_id=<client id>&client_secret=<client secret>