I am working on a document management application, which users should be able to access folders in oneDrive, sometime work on the same document/file, edit, copy document in application and upload document from application to the oneDrive. And it means that folder should be available to all users who has right. I could make all works when I am using my own personal account, for example I am using this url for getting list of files from a folderX:"https://graph.microsoft.com/v1.0/me/drive/root:/folederX:/children"", all works perfectly. But When I am using business account it doesn't work. I authenticate via tenant ID and I get correct token, but after that I get 400 error.
Now, I am really confused if what I want to achieve here is really possible via oneDrive for business or we should use sharepoint? Because apparently folderX is shared with me in oneDrive business account and it doesn't exist in my own oneDrive.
Sorry if the question seems stupid but I am really confused here.
the error is:
This is error:
{ "error": { "code": "accessDenied", "message": "There has been an
error authenticating the request.", "innerError": { "request-id":
"230e946c-d81a-4bf1-903e-26d92c5441db", "date": "2019-09-20T10:12:38"
} } }
I understand that you are trying to use a personal Microsoft Account to access the files which have been shared with you in your customer's OneDrive for business. Correct me if there is any misunderstanding.
If so, you need to use the OAuth 2.0 code grant flow to get the access token.
Firstly, I assume that you have added your personal account as a guest user to your customer's Azure AD. And the file has been shared with your personal account. And the correct delegated permissions have been assigned in the App registered in your customer's Azure AD.
Request an authorization code like this:
https://login.microsoftonline.com/{Tenant ID of your customer}/oauth2/authorize?
client_id={app id of the app registered in your customer's Azure AD}
&response_type=code
&redirect_uri={redirect uri of the app registered in your customer's Azure AD}
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
You will get a response like this:
https://localhost/?code={code}&state=12345&session_state=54572324-6121-4add-85f8-22e3a815646b
Please copy the "code" here for late use.
Then you can send a request for access token:
Replace "jmaster.onmicrosoft.com" with your customer's tenant and modify the other values (including client_id, client_secret, redirect_uri and code) in Body.
After getting the access token, you can send a request to access the shared files.
https://graph.microsoft.com/v1.0/users/{user id}/drive/root:/folederX:/children
Please note that the "user" here is who shared the files with you.
Related
Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
I have a Personal OneDrive Account Purchased (not Free Tier).
What am I trying to do ?
To write a Daemon in Python that will connect to OneDrive Personal Account Folders and upload / show contents.
What did I tried doing ?
I learned Microsoft Graph is the way to go to access all personal business accounts.
So I signed in with Azure (Free) Portal with my OneDrive Credentials myname#yandex.com , after signing in it created a Azure Default Directory with mynameyan...#onmicrosoft.com as principal user.
Followed Tutorial and created App under App Registration granted it all the Permissions and Also admin Consent through the portal and generated Client Secret and Downloaded the sample code from QuickStart under Portal->Azure Directory-> App Reg..
Ran it on my computer with just one change in the code. After getting the Access Token , I changed the Graph Endpoint to /me/drives/root and I got a "Tenant does not have SPO License" , also I noticed when I change the graph endpoint to /users it yields me mynameyan..#onmicrosoft.com as principal account name. When I expect myname#yandex.com
So in graph Explorer I tried and it yields me proper principal account name as myname#yandex.com also lists all the onedrive personal files as expected.
Problem ?
I cannot authenticate myself properly , since my application will be a Daemon I can't present myself a Login Page with redirect URLs so "Code Flow" type of Acquiring Authentication Token for Personal Accounts will not work for me as mentioned in the Tutorials.
Also if I forcefully query /me it says "Please use consumer endpoint" if I change the Authentication Endpoint it says invalid Client ID and Credentials (Because I think that onmicrosoft.com principal name cannot be used to query OneDrive Personal which belongs to myname#yandex.com )
What do I request ?
An idea of how would others implement this daemon with brief if not detailed steps of configuration in Azure and Code , if possible a Sample code and an Algorithm.
I am new bla bla....hehe , actually I am new to Azure and is also using OAuth First Time. Thanks in advance. I will edit the question if someone needs more information on this to help me.
You cannot use daemon to access personal account OneDrive files.
Daemon app will use Application permission (without user) to do the operation.
But based on the Microsoft Graph Get Files Permissions, Only Delegated permission is supported for personal Microsoft account. And Delegated Permission means app + user permission.
Currently you have to implement Get access on behalf of a user and use auth code flow to access personal account OneDrive files with Microsoft Graph API.
I am working on an app where i have some users on azure ad and some users need to be externals(ex:gmail).Iam using microsoft graph api to invite users from external. All these users are have user administrator role in AD.
I am able to invite external user successfully with internal user credentials. But when i try to invite external user again with the invited user details i am getting
error :
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.",
"innerError": {
"request-id": "2d6d6c29-4f13-4eeb-bae4-2d6cc0d2de00",
"date": "2019-05-27T13:22:20"
}
}
}
I am using postman to check these apis.I have attached the request details to get the jwt token.Can you please help here. Let me know if you need more info.
I can reproduce your issue if I add Google as an identity provider for B2B guest users.
I have also tried with Graph explorer. We can not even use this tool since the google account is not a microsoft account.
Maybe the only way to invite another guest user with the invited google account(isn't a microsoft account) is using Azure portal.
Google guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>
I'm trying to access the signed in user's Profile Photo in the context of an email app which uses EWS to connect to Office 365.
The app is registered on portal.azure.com with the following required permissions:
Office 365 Exchange Online -> Access mailboxes as the signed-in user via Exchange Web Services
Windows Azure Active Directory -> Sign in and read user profile
The EWS part works just fine, I'm able to sign the user in, get the access and refresh tokens, and perform EWS operations using "Authorization: Bearer access_token".
The part I'm having trouble with is getting the user's profile photo.
This is the docs I'm going by:
https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations
The API endpoint I'm trying to use is:
GET https://outlook.office.com/api/v2.0/me/photo
... with "Authorization: Bearer access_token" header.
The above API returns this response:
HTTP 403
{"error":{"code":"ErrorAccessDenied","message":"Access is denied.
Check credentials and try again."}}
What could be wrong?
According to the above docs, getting user's photo should be possible using the user.read scope.
The "Sign in and read user profile" permission I mentioned above has a tooltip saying "User.Read", so I believe that's the right scope
I've tried decoding my access token at jwt.io, it has: "scp": "full_access_as_user" - where is my User.Read scope, or does "full access" include "user.read"?
Any ideas?
This is because that you tried use v2 endpoint Rest API but you didn't register the Application with v2 endpoint.
User Photo API is only available on Azure AD v2 authentication endpoint, Not Azure AD and Oauth:
You need to go to Microsoft Application Registration Portal to register your Application. For more details , you can refer to this document.
Just for the record:
Since we were not able to use OAUTH2 APIs for this -
since and our app uses EWS (Exchange Web Services) already...
We just ended up using the GetUserPhoto command with the user's (account's) own email address.
Works fine.
I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.
The user rights that I ask are:
Sign users in
Read calendars in all mailboxes
Read directory data
Read all users' full profiles
Sign in and read user profile
Enable sign-on and read users' profiles
Read directory data
And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]
Getting all the users works fine with this call:
https://graph.microsoft.com/v1.0/users
However now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the ID's in the application... I found this call and tried executing it:
https://graph.microsoft.com/v1.0/me
But I'm getting back this:
784: unexpected token at '{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe",
"date": "2016-10-22T01:26:54"
}
}
}'
What am I missing here?
Just to make sure, can somebody confirm that what I plan to do is possible:
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
From the error message, it seems you were using the app-only token which acquire using client credential flow to call the Microsoft Graph. There is no user context info in the app-only token. So it is not support to call this REST using this kind of token.
And based on the description, you were authenticating the users with OpenId connect protocol. To get the user info, we can retrieve these information from the id_token. And if you were developing ASP.Net web application, you also can get there information from ClaimsPrincipal class easily.
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.