I am trying to change M365 Group email alias [Nickname] with use of Graph API.
Below HTTP call returns 204 [as expected]. Group email stays the same :? I have waited several hours.
I am able to change other group properties [description, display name etc.] with this call
{
"inputs": {
"method": "PATCH",
"uri": "https://graph.microsoft.com/v1.0/groups/GROUPID",
"headers": {
"Content-type": "application/json"
},
"body": {
"mailNickname": "_Display12345"
},
"authentication": {
"audience": "https://graph.microsoft.com",
"clientId": "",
"secret": "",
"tenant": "",
"type": "ActiveDirectoryOAuth"
}
}
}
This might be due to insufficient permissions. Make sure you are allowing the permission according to your account type from Update group - MSFT Docs.
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Group.ReadWrite.All, Directory.ReadWrite.All
Now try making the required changes to your attributes (i.e., mailNickname in your case).
To make sure this is working try fetching the details of your group which gives the response with updated attributes.
GET https://graph.microsoft.com/v1.0/groups/<GroupId>
REFERENCES: Get group - MSFT Docs
I have repro the issue the API is working fine and I am able to update the alias [Nickname]
can you please try this in Graph explorer and see if it works.
Related
We're using Microsoft Graph API v1.0 to manage user permissions of folders stored on SharePoint. We want to also add/remove permission to/from a site's pre-built group below.
{
"id": "[removed]",
"roles": [
"read"
],
"grantedToV2": {
"siteGroup": {
"displayName": "XYZ Visitors",
"id": "5",
"loginName": "XYZ Visitors"
}
},
"grantedTo": {
"user": {
"displayName": "XYZ Visitors"
}
}
},
For permission removal, `DELETE .../permission/{id}' API sounds sufficient (docs).
However, we're unable to find an appropriate API to add permission to a siteGroup from the listing above. The only API allowing to add permissions sounds to be POST .../invite API (docs). We are not sure whether this API works for siteGroup nor how to pass the group to the API. Neither searching on the web got us to anything useful.
How to add a read permission to the site's pre-built Visitors group on a drive item using Microsoft Graph v1.0 API? If not, is there an alternative?
When doing a Microsoft Graph /search/query POST such as:
{
"requests": [
{
"entityTypes": [
"event"
],
"query": {
"queryString": "MySearchedText"
},
"from": 0,
"size": 2
}
]
}
The result is fine when I use a personal Microsoft 365 account. But when I use another Microsoft 365 account created by specifying a Yahoo address, it fails, even though I have authorized the calendars.readwrite, user.read and mailboxsettings.read permissions (just like I did with the personal MS account):
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2021-02-14T18:01:59",
"request-id": "c064b190-a39a-4e77-bdc2-fa3d25ebdb90",
"client-request-id": "f78443a1-1d27-c865-567b-9af9beb78933"
}
}
}
However a /me/calendarview query works perfectly (GET https://graph.microsoft.com/v1.0/me/calendarview?startdatetime=2020-02-14T16:33:35.452Z&enddatetime=2024-02-21T16:33:35.452Z).
Do you know if the search/query API requires some specific properties for the user account?
Many thanks for your help, I have spent 1.5 days reading docs, other SO posts, trying various approaches, but nothing helps!
Calendarview works for both work account and personal account, please see this document but search query doesn't work with personal accounts. See this document.
The permissions here specify that you need to have atleast the least privileged permission to get the results if you login with the work or school accounts. And the second thing here is there are no permissions that support personal accounts. That means you cannot make this API call when you login with the personal account. Application - Not Supported means that the App context token doesn't support this call.
I have a shared calendar in Office 365 with read and write permissions and I am trying to get it using Get calendar (V2) connector but it is only getting my own calendar. Is there a way to get shared calendars for Office 365 in Azure logic apps?
For this problem I did some test and it seems the "Get calendar (V2)" action in logic app can't get the calendars which others shared to you. But I provide another solution(use graph api) below for your reference:
1. You need to ask others to share a calendar to you on office 365 web page but not in outlook app.
2. Then you need to create an application in your azure AD, please refer to this tutorial.
In the application you created in azure ad above, please do the steps below:
After that, please do not forget click the "Grant admin consent for xxx" button(Maybe you need to wait a few minutes until this button become clickable).
Then click "Certificates & secrets" in your application in azure ad and new a client secret.(copy this client secret to your note book)
3. Then create a "HTTP" action in your logic app and refer to the screenshot below to request for the access token.
The "client_id" is your appliction id in azure ad, "username" and "password" is your azure user name and password, the "client_secret" is what you got above. This "HTTP" action will help us to get the access token. The response should be like below:
Then we need to parse the response data in json type, you can use "Parse JSON" action.
Use the "Body" from the "HTTP" action and fill in the "Schema" box with the code below:
{
"properties": {
"access_token": {
"type": "string"
},
"expires_in": {
"type": "integer"
},
"ext_expires_in": {
"type": "integer"
},
"scope": {
"type": "string"
},
"token_type": {
"type": "string"
}
},
"type": "object"
}
4. After that, we can create another "HTTP" action in logic app and request the graph api for all of the calendars which you can see (please note there is a space between the "Bearer" and the "access_token").
5. At last, we can get all of the calendars in the second "HTTP" action's "OUTPUTS" box.
Hope it helps~
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
I'm trying to programatically get OneDrive for Business Storage/Quota for all users within our tenant.
Have tried using the https://mytenant-my.sharepoint.com/_api/site/usage API call, but this doesn't accurately represent the size of our OneDrive usage.
Has anyone had any experience of getting this information and how best to get it?
There is no such endpoint like /sites/usage according to the documentation.
Instead call for GET --> https://{tenant}-my.sharepoint.com/_api/v2.0/drive and get drive information. In the drive response you will be having QUOTA facet.
Sample response response has been truncated for readability.
{
"id": "string",
"driveType": "personal | business",
"owner": { "#odata.type": "oneDrive.identitySet" },
"quota": { "#odata.type": "oneDrive.quota" },
"items": [ { "#odata.type": "oneDrive.item" } ],
"root": { "#odata.type": "oneDrive.item" },
"special": [ { "#odata.type": "oneDrive.item" }]
}
Here you can get the storage/quota information.
You have the right _api format to get the usage statistics but you need to specify the full path to each users' OneDrive for Business site in the URL.
For example:
https://mytenant-my.sharepoint.com/personal/user_mytenant_com/_api/site/usage
For each user in your organisation, call that REST Api URL but replace the user_mytenant_com part with the username of the current user.
By default an Office 365 tenant administrator does not have access to a user's OneDrive for Business site so I don't think you will be able to call the REST Api method without first adding your user as an administrator of their OneDrive for Business site.