I'm using graph rest api for writing a draft mail.
First, I called the authorize method with the https://graph.microsoft.com/.default scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=https://graph.microsoft.com/.default
With the obtained code, I called the token method with the same scope:
https://login.microsoftonline.com/common/oauth2/v2.0/token
With this token, I am able to get messages without any issues, but when I try to create a draft by calling: https://graph.microsoft.com/v1.0/me/messages/ I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7fafbb5a-ab6d-4dbc-bb73-69d58b00f7ac",
"date": "2019-11-26T20:48:24"
}
}
}
As stated in the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-messages?view=graph-rest-1.0&tabs=http) I have set the Mail.ReadWrite permission in my registered Azure app and granted admin consent. Am I missing something?
I checked Graph logs and that call to Microsoft Graph did not have the Mail.ReadWrite permission. Can you try adding that permission to the scope query param in your implicit auth flow call instead of .default? (If you need multiple permissions you can list them all in the scope param separated by spaces)
Related
I know how to register an all in Azure AD. I also know how to retrieve an access token with MSAL. When I make a request I get this error:
$ curl https://graph.microsoft.com/v1.0/me -H "Authorization: Bearer ${ACCESS_TOKEN}"
{
"error": {
"code": "ErrorInsufficientPermissionsInAccessToken",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
"innerError": {
"date": "2022-06-11T18:41:12",
"request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345",
"client-request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345"
}
}
}
Is there a way to know which API permissions and scopes you need to set up from the error message?
Setting up API permissions and scopes depends on the request you are making to call Microsoft Graph.
You can find the required permissions for every Graph API request via Microsoft Graph REST API v1.0 reference
Please note that /me is used to get user information of signed-in user.
Check the below note while calling /me endpoint :
Required permissions for calling /me endpoint are:
I tested in my environment and got the profile successfully with Delegated permission like below:
API Permissions that I have given to the app:
You can find similar kind of problem raised in Microsoft Q&A below:
ErrorInsufficientPermissionsInAccessToken - Microsoft Q&A
I tried to create a call in Teams trough Microsoft Graph Api. I created a App with the given permissions but when i try to do the POST on: https://graph.microsoft.com/v1.0/communications/calls i get this error:
{
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"7500\",\"message\":\"Unsupported AAD Identity.\",\"instanceAnnotations\":[]}",
"innerError": {
"date": "2020-11-11T14:38:43",
"request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c",
"client-request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c"
}
}
}
Token and everything looks good. If I change the token I get another error that this one is wrong.
To be honest my knowledge about Azure etc. is very low.
What Shiva said is right. You may have used a user token to call the API, so an error occurred. The API call currently only supports application tokens. You need to grant application permissions to the application and use the client credential flow to obtain Token.
I am setting up an app for modifying a Microsoft Teams account (teams/channels) through the Microsoft Graph API, but I can't get responses from all of the endpoints which I need to call.
I have followed the guide for creating an app with application permissions and acquired access (and refresh) token(s) succesfully.
Calling the https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint yields a response as follows:
{
"error": {
"code": "Unauthorized",
"message": "Unauthorized",
"innerError": {
"date": "2020-06-24T12:37:53",
"request-id": <guid>
}
}
}
while calling endpoints such as https://graph.microsoft.com/v1.0/users works as described. It would seem that the app hasn't gotten consent and/or permissions to access these, but after signup they are listed on the API permissions in the azure portal enterprise applications page, and the access token JWT contains the specified permissions as a roles object.
From the JWT:
"roles": [
"TeamSettings.ReadWrite.All",
"User.ReadWrite.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"TeamMember.ReadWrite.All",
"Team.ReadBasic.All",
"GroupMember.ReadWrite.All",
"Member.Read.Hidden"
]
I have tried with the Directory.ReadWrite.All permission and also with the full permission list listed on the permissions page for the /joinedTeams endpoint and they all elicit the same error.
Curiously, according to this a 401 - Unauthorized response would be given for expired (or similarly invalid) tokens, however that seems to clearly not be the case as I can call other endpoints with that very token.
What am I missing?
Solved thanks to #MikeOliver
When I signed up for Teams it created another directory. Only that second directory had a Teams "license" (visible from the azure portal's License page).
I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api