Trying to get response for https://graph.microsoft.com/v1.0/users/{user_id}/drives but get:
{'error': {'code': 'ResourceNotFound',
'message': "User's mysite not found.",}
Permissions is ok, user_id is correct
I tried to reproduce the error on my side, and found that, if I used ropc flow to generate an access token and used a different user id in request, it then returned 'User's mysite not found'. And if I used credential flow with a user id which doesn't has one drive license, it then returned that error. If I used correct user id which has one drive license, 200 code returned. And the api doc also mentioned that 'idOrUserPrincipalName string Required. The identifier for the user object who owns the OneDrive'
So my idea is check the user id if you used password flow to generate the access token and if not, you should make sure the user to tested via the api has the correct license.
Related
I am trying to create meeting on behalf of a user for that I am trying to get the code. I have registered the app on Azure. Also generated Application(Client) ID I have also added the required permission in the API. But when I am visiting this page the page asks for the email id but once the users fill the email id it says The provided value for the input value scope is not valid for OnlineMeeting.ReadWrite in the redirect URL.
Please guide me to know what I am missing here.
Edit 1: As suggested by #Rukmini I tried this and here is the relevant details.
To obtain the the code I am building url like this image
This does not work when I pass the OnlineMeetings.ReadWrite scope. But when I pass https://graph.microsoft.com/.default as scope it works and I am able to authenticate and generate a code. Then I can use that code to get the access token like following image. But using this access token I can not create the meeting as it does not have the OnlineMeetings.ReadWrite scope as stated in this doc **https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http**[![enter image description here]3]3
Let me know what I can do to generate code and access token for the OnlineMeetings.ReadWrite scope so that I can create the meeting on users behalf. Thanks
EDIT 2: I generated the authorization URL as suggested by #Rukmini using the following query parameters.
When I visited the link, I was presented with a login screen but as my previous error I see the same screen. Am I missing something here? Do I need to verify my app? Or Do I have to only use some specific IDs like we do in GCP and AWS?
Please let me know what I am missing here.
Thanks
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Azure AD Multi-Tenant Application:
I granted Admin Consent to the API permissions like below:
I generated the code by using below endpoint and authorizing it via browser:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=OnlineMeetings.ReadWrite
&state=12345
Now, I generated access token by using the below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:OnlineMeetings.ReadWrite
grant_type:authorization_code
redirect_uri:https://jwt.ms
code:code
Decode the access token using jwt.ms and check whether the scope is OnlineMeetings.ReadWrite:
I am able to create the Online meetings successfully by using the below query:
https://graph.microsoft.com/v1.0/me/onlineMeetings
Content-Type: application/json
{
"startDateTime":"2023-01-12T14:30:34.2444915-07:00",
"endDateTime":"2023-02-12T15:00:34.2464912-07:00",
"subject":"User Token Meeting"
}
I'm trying to integrate the MS Teams API in a Web-App.
First of all i was trying to use the MS API from Postman to see the workflow.
On the Azure UI i have succesfully created an App-Registration: i have my ClientID, TenantID and i have created also the client secret.
I downloaded the Postman API from https://github.com/microsoftgraph/microsoftgraph-postman-collections and i can retrieve the App-Only Access token.
I created two users in a group and i logged them on MS Teams Application, they can chat.
I can also get the User Access Token and endpoints such
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/me
etc..
are correctly working.
I am passing the User Access Token as Bearer token for the request.
These are the API permissions i gave:
I am having issues with the endpoints in the folder Events like:
https://graph.microsoft.com/beta/me/findRooms
https://graph.microsoft.com/v1.0/me/calendars
etc..
They all give the same error:
{
"error":{
"code":"NoUserFoundWithGivenClaims",
"message":"The user specified by the user-context in the token does not exist.",
"innerError":{
"oAuthEventOperationId":"08e3abc3-3fdf-4d85-849d-7632ac0723d2",
"oAuthEventcV":"CGW24oLIeEW1qoscgMIMTw.1.1",
"errorUrl":"https://aka.ms/autherrors#error-InvalidUser",
"requestId":"8e6cb242-17fe-4a94-8c89-912606578fb3",
"date":"2021-03-09T12:04:27"
}
}
}
I haven't found anything about this error.
Can someone help me?
Thanks.
You can check your bearer token by putting it in jwt.ms and see if you have the required permissions in 'scp' claim.
If you are getting MailboxNotEnabledForRESTAPI then you need to check if you have the proper exchange license or not.
You can add license by going into Microsoft Admin Center -> Users -> Active Users -> Select your user -> Licenses
I have a protected service, but I need to create links for sharing purpose. So I came over this feature:
new ApiKeyAuthProvider(AppSettings) {
AllowInHttpParams=true
},
I'm calling the service, getting the API directly from the ApiKey table, and in the debug console I can even see the SQL, which is correct (select where id, and id is my api key) and matches an active user, but still I'm getting a 403 from ServiceStack.
The apikey query param is used. Https is used (with valid CA signed cert).
403 Forbidden indicates Authentication was successful (otherwise would return 401 unauthorized) but the authenticated user does not have access to the resource, e.g. they don't have the required roles or permissions.
I have a backend process that doesn't directly interact with the user. I want to access reservations associated with my Azure account but I'm having trouble with the authentication step. I was following the guide here and I managed to get the authentication request to work by calling
https://login.microsoftonline.com/{tenant-ID}/oauth2/token
as a POST with the following x-www-form-urlencoded body:
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=http://myapp42
However, when I attempt to call:
https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
with the bearer token I received during the authentication step, I get the following error message:
The access token has been obtained for wrong audience or resource 'http://myapp42'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/', 'https://management.core.windows.net', 'https://management.azure.com/', 'https://management.azure.com'
However, if I modify the resource on the request to be one of these, http://management.core.windows.net/ for instance, the authentication then fails with:
AADSTS500011: The resource principal named https%3A%2F%2Fmanagement.core.windows.net%2F was not found in the tenant named {tenant-ID}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: b54cedea-3804-41cf-bd27-fcf0ed1c4700\r\nCorrelation ID: 2371d375-6c89-4f05-83c9-c4629b3340a8\r\nTimestamp: 2020-02-05 01:59:57Z
How do I authenticate so that I can then get my reservations without having to login?
Update:
The service principal has both the Owner and Contributor roles assigned.
Update 2:
Thanks to #Jim Xu, I was realized that I needed to refrain from url-encoding the URL. That allowed me to get the access token with a value of https://management.azure.com/ for the resource field. However, at this point, when I attempt to call the REST API with the resulting bearer token, I get the following error:
The client '{Object-ID}' with object id '{Object-ID}' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/reservations/read' over scope '/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}' or the scope is invalid. If access was recently granted, please refresh your credentials
Note: The object ID returned by this error is the one associated with the service principal.
Update 3:
I checked the reservation and it seems that the principal does not have a role in that reservation's access control. However, I also cannot assign the principal a role because it does not show when I search for principals during the role-assigning process.
If you want to call Azure Rest API to get the information of reservation Orders, you need to assign Owner\Contributor for the service principal.(the action needs Microsoft.Capacity/reservationOrders/read permission).
The steps are as below
Get access token
POST : https://login.microsoftonline.com/{tenant-ID}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id={client-ID}&
client_secret={client-Secret}&
resource=https://management.azure.com/ or https://management.core.windows.net
Call the api
GET : https://management.azure.com/providers/Microsoft.Capacity/reservationOrders/{order-ID}/reservations/{reservation-ID}?api-version=2019-04-01
Authorization: Bearer <token>
For more details, please refer to the issue and the issue
update
If you have assigned role but you still cannot get access token, please try to encode your url.
Was hoping someone could help me with this.
I've created a new "product" on developer.nest.com and gave it all available permissions with read/write access where available. My product is using code authentication, so after following all steps to get the code, it was time to make some requests.
When I got the "Exchange the authorization code for an access token" of the walkthrough, I did not get anything other than the metadata object. There was nothing about my devices or structures.
What am I doing wrong?
Thanks.
You are most likely authorizing the Works with Nest connection using a Family Account. Only the home "owner" can currently access the Nest structures and associated devices.
The metadata object is not part of "Exchange the authorization code for an access token" flow. If you are seeing metadata you must've received an access token and made an API request to https://developer-api.nest.com. This is where you would see the metadata object. As part of the "Exchange the authorization code for an access token" your response should be an access token and expiration, e.g.
{
"access_token": "c.FmDPkzyzaQe...",
"expires_in": 315569260
}