Integration with Microsoft Teams via API Postman - azure

I am trying to integrate with Microsoft Teams. I followed this documentation:
https://learn.microsoft.com/en-us/graph/use-postman
One of the required requests to get an access token needs "Username" and "Password" filled in.
I don't have any idea how to get these 2 values, or from where!
When I keep them blank I receive:
The request body must contain the following parameter: 'username'.\r\nTrace ID: ......
Any idea?

POSTMAN collection needs username/password. To access any protected resource like Microsoft Graph API, follow these steps:
1. Register an Azure AD application based on your AAD workflows. Make sure it has the necessary Graph permissions.
2. Make sure you have an M365 tenant/account that has a username/password.
3. Configure POSTMAN as per the above AAD workflow and update the values from the two steps above (Azure AD app details, tenant info, username, password).
4. Start using the POSTMAN collection: get the token from AAD, then make calls to Graph API/Teams.

Related

How to get Azure subscription state via Azure API in C# or Postman

Have tried many ways via code and Postman and no luck of getting a state of subscription like you would get via this link: https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list - here via the site you get a list of subscriptions and their "state": "Enabled" as an example.
Have no problem of getting auth tokens using scopes below but then impossible to get subscriptions list. If I use token from Microsoft site, the call in Postman to get subscriptions works fine.
The site is using Azure Active Directory OAuth2:
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Using Postman I have tried getting subscriptions using these scopes along with auth token:
api://blah/.default - Invalid Authentication Token Audience
https://graph.microsoft.com/.default - Authentication failed
https://management.azure.com/.default - pass but 0 results
https://management.core.windows.net/.default - pass but 0 results
I guess when using the site you login as a user and password vs in the code using client app and app secret. Is this workflow even possible?
The registered app has all kinds of API permissions. Something this simple should not be so hard. The idea here is to programmatically check via console app if Subscription is "Enabled".
After debugging this via Postman it turns out to be a permissions issue where you have to add the application you created/using to authenticate to the Access Control (IAM) of the subscription. This post describes the error and resolution: The client with object id does not have authorization to perform action 'Microsoft.DataFactory/datafactories/datapipelines/read' over scope
If you have multiple capacities created then you have to add your application to all of those subscriptions. Then you will get a list and can then check each one.
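The scope results listed in the question can be told apart by looking at the token's `aud` claim. The following is an added example, not code from the original post: it decodes a token payload and compares the audience with the API being called. The sample tokens and their `aud` values are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example: a debugging aid. The payload is decoded WITHOUT verifying the
// signature, so never base an authorization decision on this output.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare identifiers without trailing slashes or case differences.
const norm = (s) => String(s).replace(/\/+$/, "").toLowerCase();

// `scope` is the "<resource>/.default" value belonging to the API you call.
function diagnoseToken(token, scope, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const wanted = norm(scope.replace(/\/\.default$/, ""));
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.some((a) => norm(a) === wanted)) {
    return { ok: false, reason: "audience", aud: auds, wanted };
  }
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired", aud: auds, wanted };
  }
  // Audience matches: an empty subscription list now points at missing role
  // assignments (Access Control (IAM)), which the token itself cannot show.
  // Tokens without an `scp` claim are treated as app-only here.
  return { ok: true, reason: "check-rbac", appOnly: !claims.scp, aud: auds, wanted };
}

// Constructed sample tokens (unsigned placeholders, not real credentials).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
const ARM_SCOPE = "https://management.azure.com/.default";
const graphToken = makeSampleToken({ aud: "https://graph.microsoft.com", exp: 4102444800 });
const armToken = makeSampleToken({ aud: "https://management.azure.com/", exp: 4102444800 });

console.log(diagnoseToken(graphToken, ARM_SCOPE).reason);
console.log(diagnoseToken(armToken, ARM_SCOPE).reason);
```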

Microsoft graph api - Tenant not recognized

I created an app in the App Registrations service in the Azure portal to access Microsoft 365 Graph APIs.
I could create a token using https://login.microsoftonline.com/570fa6c*************************f233/oauth2/v2.0/token , but when I tried https://graph.microsoft.com/v1.0/reports/getTeamsUserActivityUserCounts(period='D7') using the token generated above, I am getting the error - We do not recognize this tenant ID 570****************f233. Please double-check the tenant ID and try again
I have a free trial subscription.
Could you please help, what am I missing here?
Thanks,
Neema
I tested in my environment and it is working fine for me. Please use the steps below so you do not miss anything.
Created an application in Azure AD and gave it the Application -> Report.Read.All API permission.
Generated an access token using Postman with the parameters below passed in the body.
https://login.microsoftonline.com/tenantid/oauth2/v2.0/token
Add an assignment to the above Azure AD application with the Reports reader administrative role in Microsoft Teams.
Add Assignment -> Select Member -> search for your application and add it.
Now finally run the getTeamsUserActivityUserCounts API with Authorization Key Bearer {token}.
For me it is showing blank output as I have no activity for any users.

How to create users using Microsoft Graph API (from Graph explorer and Java application)

I am new to Microsoft Graph API. I have read many articles on the web to understand the usage of Microsoft Graph API for managing users in Azure AD. I am creating a Springboot based REST API service, which needs to create users in Azure AD.
I have registered my application in Azure Active Directory. I also have the "Directory.ReadWrite.All" permission for Microsoft Graph API. I wanted to first try to create the user from Microsoft Graph Explorer. In the Graph Explorer, I have to give an authorization token in the request header. In order to create the authorization token, I have followed the instructions given in the link https://learn.microsoft.com/en-us/graph/auth-v2-user. I have created the following URL based on the instructions, for obtaining an access token.
https://login.microsoftonline.com/{mytenantID}/oauth2/v2.0/authorize?client_id=validclientID&response_type=code&redirect_uri=https://localhost:4200&response_mode=query&scope=Directory.ReadWrite.All&state=12345
When the above URL is accessed from the web browser, I get a message which says "Need Admin Approval". I am not the admin of the Azure AD and I do not have access to the admin of my client, so I am really stuck. Can anybody help me understand whether I will have to get admin consent each time I need to access the "create user" functionality of Azure AD through MS Graph API? I would also need the create user functionality in the Springboot API. In this case, how would Admin Consent work? Is there any way that the create user functionality can work without Admin consent?
I have read the following two questions in SO before posting this question
How can I find the Admin Consent URL for an Azure AD App that requires Microsoft Graph "Read directory data" permission?
Create user using Microsoft Graph
If you just want to create a user in your tenant, you can follow the steps below:
Create a new Azure AD app in your tenant, and ask your tenant admin to grant the "Directory.ReadWrite.All" permission to this app:
Create an app secret for your Azure AD app:
Use this secret and this Azure AD app ID to get an access_token to call Microsoft Graph API:
Request URL :
POST https://login.microsoftonline.com/<-your tenant name->/oauth2/v2.0/token
Request Header :
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type:client_credentials
client_id:your client Id
client_secret: Your application secret
scope=https://graph.microsoft.com/.default
You will get an access_token from this API call.
See the screenshot below:
3. Using the access_token we just created to call Microsoft Graph API to create a user:
As you can see, a user has been created:
If you have any further concerns, please feel free to let me know : )
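The two requests from the steps above, written out as an added example that is not part of the original answer: it builds the form-encoded token request and the create-user call without sending anything. Function names and all sample values are hypothetical placeholders; the user properties are the ones Microsoft Graph requires for `POST /users`.

```javascript
// Added example: request builders only, nothing is sent over the network.
const GRAPH_SCOPE = "https://graph.microsoft.com/.default";

// Client-credentials token request. Pass the secret in from the environment
// or a secret store at call time; do not hard-code it in source.
function buildTokenRequest({ tenant, clientId, clientSecret, scope = GRAPH_SCOPE }) {
  for (const [name, value] of Object.entries({ tenant, clientId, clientSecret })) {
    if (!value) throw new Error(`missing ${name}`);
  }
  // App-only tokens are requested with a single "<resource>/.default" scope.
  if (!scope.endsWith("/.default")) {
    throw new Error("client_credentials needs a '<resource>/.default' scope");
  }
  // URLSearchParams percent-encodes values, so secrets containing '+', '/',
  // '=' or '&' survive the application/x-www-form-urlencoded body intact.
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope,
  });
  return {
    method: "POST",
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Graph "create user" request using the access_token from the call above.
function buildCreateUserRequest(accessToken, user) {
  const { displayName, mailNickname, userPrincipalName, initialPassword } = user;
  if (!accessToken) throw new Error("missing access token");
  return {
    method: "POST",
    url: "https://graph.microsoft.com/v1.0/users",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      accountEnabled: true,
      displayName,
      mailNickname,
      userPrincipalName,
      // Force a change at first sign-in so the provisioning secret is short-lived.
      passwordProfile: { forceChangePasswordNextSignIn: true, password: initialPassword },
    }),
  };
}
```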

Having trouble getting Azure AD user's groups

I'm currently using node.js passport library to authenticate using the OIDC Strategy with an azure registered app using a client ID and secret.
http://login.microsoftonline.com/{org id}/v2.0/.well-known/openid-configuration
I am not having any trouble getting the user profile back of the person who logged in, but I am hitting a wall when trying to get the groups. In my app, I need to authorize the user based on their active directory groups. I am getting back this piece of json:
"_claim_names\":{\"groups\":\"src1\"},\"_claim_sources\":{\"src1\":{\"endpoint\":\"https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects\"}}
I'm not sure what I need to do using this to get the groups. I tried generating a bearer token, passing that in a header, and getting the groups but it says I am unauthorized using Postman. Do I need certain permissions in the app? Also why is it using graph.windows.net when I'm trying to use graph.microsoft.com?
Is there an easier way to do this once the user has logged in?
Overage indicator claim when user is member of many groups
The claim you're getting back as part of json shared in question is an overage indicator claim.
"_claim_names\":{\"groups\":\"src1\"},\"_claim_sources\":{\"src1\":{\"endpoint\":\"https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects\"}}
It means that the user is member of many groups and instead of including information about all the groups as part of token (which would make the token too big), you will need to query that information separately.
Read more about it here: Access Tokens Reference
How to get groups information?
Your application needs to make a separate call to Microsoft Graph API to get the groups information for user.
Relevant Microsoft Graph APIs
user: getMemberObjects
user: getMemberGroups
Check member groups
Permissions Required by your application
Each of the API links above mention the required delegated or application permissions that are required as part of documentation.
You will need to update your app registration in Azure AD to require the relevant permissions (and also go through Admin consent, in case the permission required needs admin consent)
Token to call Microsoft Graph API
You mention that you've tried generating a bearer token, passing that in a header, but you got Unauthorized error.
Once you're done with the permission changes for your application, acquire a token specifically for Microsoft Graph API from your application. The bearer token used to access your application may not directly work with Microsoft Graph API.
Also make sure you go through Admin consent in case any of the permissions require Admin consent. If it's a single tenant application, "grant permissions" directly from azure portal by an administrator should work, in case of multi-tenant app you can use the Admin consent endpoint.
Code Sample: Here is a quick tutorial for calling Microsoft Graph using Node.js. You may find other good ones as well.
Azure AD Graph API (graph.windows.net) vs Microsoft Graph API (graph.microsoft.com)
You have a valid question about the endpoint: "Also why is it using graph.windows.net when I'm trying to use graph.microsoft.com?"
General recommendation is to use the newer Microsoft Graph API, unless the functionality/information you're looking for isn't available with Microsoft Graph and only Azure AD Graph API can help. Read more about recommendation and comparison here: Microsoft Graph or Azure AD Graph
Since information about groups is available in v1 endpoint for Microsoft Graph already (not beta), you should make use of Microsoft Graph API.
Here are a couple of related SO posts: SO Post 1 and SO Post 2
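One way to handle the overage indicator described in this answer, as an added example that is not part of the original post: it checks the validated token claims, and when the overage indicator is present it prepares a Microsoft Graph `getMemberObjects` call instead of following the graph.windows.net endpoint. Function names and the sample GUID are hypothetical; the group check denies access whenever the group list could not be resolved.

```javascript
// Added example: decide where a signed-in user's group IDs come from.
const GRAPH_V1 = "https://graph.microsoft.com/v1.0";

// Some libraries hand nested claims over as a JSON string; accept both forms.
function asObject(value) {
  if (typeof value !== "string") return value;
  try { return JSON.parse(value); } catch { return undefined; }
}

// `claims` is the decoded payload of an ID token the OIDC library has validated.
function planGroupLookup(claims) {
  if (Array.isArray(claims.groups)) {
    return { source: "token", groups: claims.groups };
  }
  const names = asObject(claims._claim_names);
  const overage = Boolean(names) && typeof names === "object" && "groups" in names;
  if (!overage) return { source: "none", groups: [] };
  if (!claims.oid) throw new Error("overage indicator present but no oid claim");
  // The endpoint inside _claim_sources points at graph.windows.net; it is
  // ignored here and the Microsoft Graph equivalent is called instead.
  return {
    source: "graph",
    request: {
      method: "POST",
      url: `${GRAPH_V1}/users/${encodeURIComponent(claims.oid)}/getMemberObjects`,
      headers: { "Content-Type": "application/json" }, // plus a Bearer token issued for Graph
      body: JSON.stringify({ securityEnabledOnly: true }),
    },
  };
}

// Extract object IDs from a getMemberObjects response body.
function groupsFromGraphResponse(json) {
  if (!json || !Array.isArray(json.value)) throw new Error("unexpected Graph response");
  return json.value.filter((id) => typeof id === "string");
}

// Fail closed: anything other than a resolved list containing the ID is a deny.
function isAuthorized(groupIds, requiredGroupId) {
  return Array.isArray(groupIds) && groupIds.includes(requiredGroupId);
}

// Constructed sample claims (the GUID is a placeholder).
const overageClaims = {
  oid: "11111111-1111-1111-1111-111111111111",
  _claim_names: { groups: "src1" },
  _claim_sources: { src1: { endpoint: "https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects" } },
};
console.log(planGroupLookup(overageClaims).request.url);
```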

How to Add users to Azure Active Directory with Graph API

I am trying to understand how Azure Active Directory Graph API works for adding users to the directory. According to this:
http://msdn.microsoft.com/en-us/library/azure/dn130117.aspx
I need to access the graph API URL and pass in something called a "bearer token" in the "Authorization" header so that it will allow me to add the user specified in the request's body. However, I have no idea where I can get one of these tokens. All my research points to the user having to be already authenticated to get a token, which kind of beats the point, since I want to add the user so he can authenticate.
I have configured my app in the Azure Management Portal, and thought the bearer token was the "Client ID" that I get when I go to my added applications in the Directory. But when I pass this number to the Graph API, I get "Access Token Missing or malformed". I am testing this using the Fiddler Web Debugger app.
These 2 posts describe very thoroughly the steps to get the required token in 2 different scenarios:
Authorization Code Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
Client Credentials Grant flow: http://msdn.microsoft.com/en-us/library/azure/dn645543.aspx
If you want to use the Client Id and Client Key to authenticate your client to Azure Active Directory, then you should read the 2nd article. The first one is to authenticate an already existing user.
If you want to programmatically get the OAuth2 token, then you could use the AAD authentication libraries: http://msdn.microsoft.com/en-us/library/azure/dn151135.aspx
