Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
Related
I am working on a document management application, which users should be able to access folders in oneDrive, sometime work on the same document/file, edit, copy document in application and upload document from application to the oneDrive. And it means that folder should be available to all users who has right. I could make all works when I am using my own personal account, for example I am using this url for getting list of files from a folderX:"https://graph.microsoft.com/v1.0/me/drive/root:/folederX:/children"", all works perfectly. But When I am using business account it doesn't work. I authenticate via tenant ID and I get correct token, but after that I get 400 error.
Now, I am really confused if what I want to achieve here is really possible via oneDrive for business or we should use sharepoint? Because apparently folderX is shared with me in oneDrive business account and it doesn't exist in my own oneDrive.
Sorry if the question seems stupid but I am really confused here.
the error is:
This is error:
{ "error": { "code": "accessDenied", "message": "There has been an
error authenticating the request.", "innerError": { "request-id":
"230e946c-d81a-4bf1-903e-26d92c5441db", "date": "2019-09-20T10:12:38"
} } }
I understand that you are trying to use a personal Microsoft Account to access the files which have been shared with you in your customer's OneDrive for business. Correct me if there is any misunderstanding.
If so, you need to use the OAuth 2.0 code grant flow to get the access token.
Firstly, I assume that you have added your personal account as a guest user to your customer's Azure AD. And the file has been shared with your personal account. And the correct delegated permissions have been assigned in the App registered in your customer's Azure AD.
Request an authorization code like this:
https://login.microsoftonline.com/{Tenant ID of your customer}/oauth2/authorize?
client_id={app id of the app registered in your customer's Azure AD}
&response_type=code
&redirect_uri={redirect uri of the app registered in your customer's Azure AD}
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
You will get a response like this:
https://localhost/?code={code}&state=12345&session_state=54572324-6121-4add-85f8-22e3a815646b
Please copy the "code" here for late use.
Then you can send a request for access token:
Replace "jmaster.onmicrosoft.com" with your customer's tenant and modify the other values (including client_id, client_secret, redirect_uri and code) in Body.
After getting the access token, you can send a request to access the shared files.
https://graph.microsoft.com/v1.0/users/{user id}/drive/root:/folederX:/children
Please note that the "user" here is who shared the files with you.
I am working on an app where i have some users on azure ad and some users need to be externals(ex:gmail).Iam using microsoft graph api to invite users from external. All these users are have user administrator role in AD.
I am able to invite external user successfully with internal user credentials. But when i try to invite external user again with the invited user details i am getting
error :
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.",
"innerError": {
"request-id": "2d6d6c29-4f13-4eeb-bae4-2d6cc0d2de00",
"date": "2019-05-27T13:22:20"
}
}
}
I am using postman to check these apis.I have attached the request details to get the jwt token.Can you please help here. Let me know if you need more info.
I can reproduce your issue if I add Google as an identity provider for B2B guest users.
I have also tried with Graph explorer. We can not even use this tool since the google account is not a microsoft account.
Maybe the only way to invite another guest user with the invited google account(isn't a microsoft account) is using Azure portal.
Google guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>
I am trying to access the Online Meetings Graph API (Beta version) using developer tenant. I am able to login successfully to the developer tenant but not able to get the Token to access the graph API for Application type graph APIs. I am able to get the token for delegated type Graph APIs successfully and able to connect to the Graph API.
I given the admin consent for these APIs using button "Grant admin consent for [0]" in Azure Active Directory => App Registrations => My App => API Permissions in the Azure portal. I am able to see the success message as "Granted for [my Tenant]".
But I am getting the error saying "AADSTS65001: The user or administrator has not consented to use the application" while getting the token. I am using ConfidentialClientApplication class and AcquireTokenByAuthorizationCodeAsync method to get the token.
So is there any other place I need to verify for the consent or for developer Tenant and for these Beta APIs, I need to check any other process ?
Thank You for Your Time,
Rishi
I tried for delegated APIs (User.Read and Contacts.Read) and working fine on developer tenant. While doing trail and error I got error saying Invalid Scope (OnlineMeetings.ReadWrite.All) couple of times.
For Application type graph APIs, you should use client credentials flow to get the token.
Make sure you add the application permission and grant admin consent for it.
I have setting up an Azure logic apps on my azure account that send posts for both Facebook and Twitter based on an condition many days before I had tested my logic apps successful published post but now this issue occurred I have no idea about that.
Many thanks for your help.
{
"error": {
"message": "(#200) Requires either publish_actions permission, or manage_pages and publish_pages as an admin with sufficient administrative permission",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "GHv4s/FqX8U"
}
}
It is probably more a problem of the user's permissions with which you establish the connection in the LogicApp. check if that profile with which you have established the connection with Facebook has the necessary permissions to perform the actions described in the error.
This has to do with user permissions in AAD (Azure Active Directory).
Go to the logic app's
Access control (IAM) -> View my access
In my case I see the following
but perhaps you have read-only rights. Once you can modify the logic app, you should have sufficient administrative permissions.
Try to log out of both Azure / Facebook and re-enter the credentials.
I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.
The user rights that I ask are:
Sign users in
Read calendars in all mailboxes
Read directory data
Read all users' full profiles
Sign in and read user profile
Enable sign-on and read users' profiles
Read directory data
And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]
Getting all the users works fine with this call:
https://graph.microsoft.com/v1.0/users
However now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the ID's in the application... I found this call and tried executing it:
https://graph.microsoft.com/v1.0/me
But I'm getting back this:
784: unexpected token at '{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe",
"date": "2016-10-22T01:26:54"
}
}
}'
What am I missing here?
Just to make sure, can somebody confirm that what I plan to do is possible:
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
From the error message, it seems you were using the app-only token which acquire using client credential flow to call the Microsoft Graph. There is no user context info in the app-only token. So it is not support to call this REST using this kind of token.
And based on the description, you were authenticating the users with OpenId connect protocol. To get the user info, we can retrieve these information from the id_token. And if you were developing ASP.Net web application, you also can get there information from ClaimsPrincipal class easily.
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.