How to update existing user in Azure AD using Microsoft Graph API - azure

I have added a user in azure ad. Now using graph api I want to update its display name or let say password. I am referring to this guide https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
First of all, I am not sure I am using correct URL to update the user but below is what I am using:
https://graph.microsoft.com/v1.0/users/john#<myorg>.onmicrosoft.com
I am passing the userName of the user which I want to udpate in the url. Please let me know if this is not correct.
I am including the OAuth token as bearer token in my request and posting the below json:
{
"accountEnabled": true,
"displayName": "john12"
}
From the above json, I want to change the display name from john to john12. But I am getting below error:
{
"error": {
"code": "Request_BadRequest",
"message": "Specified HTTP method is not allowed for the request target.",
"innerError": {
"request-id": "536fd7c1-db46-4927-9732-169da778811c",
"date": "2019-06-06T04:58:26"
}
}
}
Please can anyone please let me know how can I update the existing user properties. Thanks

Most probably you're not using HTTP method PATCH. I say this looking at the error message Specified HTTP method is not allowed for the request target.
If you use anything other than PATCH, like a POST you will end up getting this error message.
The JSON body for your request looks fine. I tried updating an existing user with similar JSON and sending a PATCH request from Microsoft Graph Explorer and it worked fine.
I could reproduce the same error message that you're seeing when I used a POST or PUT call from Microsoft Graph Explorer.
Although same request URL with same JSON body worked fine once I changed POST to PATCH. Later on querying the user again (GET), I could see that displayName had been updated correctly

Related

Error 401 (Unauthenticated) when making a request to Google Docs API

I'm trying to request the contents of a Google doc (that I own) using the Google Docs API and the contents would be read to a website. I'm making the following request in Postman:
GET https://docs.googleapis.com/v1/documents/{documentId}?key=API_KEY
where the API_KEY is a key created in Google developer dashboard and is not restricted for now. However, I'm getting the following error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I have made the doc public (read-access without signing in) and enabled the Docs API in the Google developer dashboard. Further, the dashboard is registering these (failing) requests, so something is going through.The answer is probably in the error message, but to me "or other valid authentication credential" means the API key that I'm already using.
I'm asking for advice on how to make this request successfully without needing to use OAuth or server-side code.
I found a workaround answer to my problem, although it didn't solve the problem with the Docs API. I decided to request the text data from a Google Sheet instead, which works fine with
GET https://sheets.googleapis.com/v4/spreadsheets/documentId?key=API_KEY
when the sheet is public and read-only.
Yes you can open the doc programatically using a service account. You need to "share" the doc with the service account email.
Instructions on creating a service account and reading a Google doc: https://www.futurice.com/blog/read-goog-doc-using-service-account

calling microsoft graph api via another rest service

Good day!
We need a calendar facility for the project that we're working in right now. For some reason, we are limited to using the Office 365 calendar or the outlook calendar. We stumbled upon the Microsoft Graph APIs which seems to be the right tool to fulfill what we want to do. So the idea is to create a Microsoft account which will be used as the main calendar where our wrapper(wrap the microsoft graph API calls) API can pull events from and eventually disseminate to client requests.
So here is what we've done so far:
Created a Microsoft account with the domain of #outlook.com
Plotted some calendar events using the said Microsoft account
Tried to follow this guide from the Microsoft site.
We agreed to create a wrapper API which will call the Microsoft Graph APIs but before this we tried to access the said APIs via postman. The problem is that postman cannot get any response from the endpoint of the /authorize API which is need to gain an access token to finally call the respective Microsoft graph APIs.
Now we do not know if we are trying to attack this wrongly or whatever. Do you have any idea what we are missing here? Thanks in advance and I hope someone can shed light in this matter.
UPDATE:
We were able to have some progress. After some time, we bumped in the azure active directory portal. We are now able to get an access token using this URL.
https://login.microsoftonline.com/<directory-id>/oauth2/token
Now when we are accessing the actual MS Graph API endpoint that we are supposed to call, we are receiving a 401 Unauthorized response even though we are using the obtained token from the previous API call. This is the URL that we are trying to get a response:
https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
This is all being done via postman first.
UPDATE:
We tried to grant every permission possible in the Azure Active Directory portal and confirmed the consent at
https://login.microsoftonline.com/<domain>.onmicrosoft.com/adminconsent?client_id=<client-id>
but unfortunately we're still hitting the 401 Unauthorized wall. In Microsoft Graph Explorer, everything is working fine. So what could be missing in our postman implementation that MS Graph Explorer is doing implicitly? Thanks in advance for any help!
UPDATE
After further reading, we've found out some important details. First, we've found out that there are two sets of APIs from Microsoft. One is the Azure Active Directory API and the other is the Microsoft Graph API. Both APIs use the same URL to get access tokens by using client credentials. Below is the URL:
https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token
Substitute the with your personal data from azure portal. Using this URL to get an access token, you need to supply some data in the request body.
client_id - client id of registered application in azure portal
client_secret - secret key of registered application in azure portal
grant_type - 'client_credentials' --> meaning you'll get an access token by using client credentials
scope - 'https://graph.microsoft.com/.default' or 'https://graph.windows.net/.default' --> this controls which API are you going to access. The first one is to access Microsoft Graph API and the other is to access Azure Active Directory API.
We are now able to get an access token and use it to access the actual API that we need. Below is the URL of the said API:
https://graph.microsoft.com/v1.0/users/<azure-tenant-name>.onmicrosoft.com/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
Notice that the URL does not use /me because upon reading using it required a signed in user. Unfortunately we are still getting the 401 Unauthorized error but the errors did change now. We are getting to errors intermittently. Sometimes the API call would return one or the other alternately. Below are the return of the API calls.
{
"error": {
"code": "InvalidTenant",
"message": "The tenant for tenant guid '<directory-id-goes-here>' does not exist.",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:29:27"
}
}
}
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:54:11"
}
}
}
We feel we've moved a step forward. We're still not getting what we need though. Now the mystery are these 2 API call responses. What could be the reason of this? Thanks in advance for anybody's help
UPDATE
Upon even further reading we've discovered that there are authentication flows to get an access token. Depending on the API that you want to call, some authentication flows will not work on it because they need more details and security to execute themselves. So we've tried:
Client Credential Grant
Resource Owner Credential Grant
Authorize Code Grant
But still, unfortunately, we are still stuck in the previous error. We are getting 401 Unauthorized and the response payload is either InvalidTenant or UnknownError.
I just went through a similar problem yesterday, the 401 Unauthorized error.
I was trying to access the calendar of an employee via Microsoft's Graph API, but I was receiving the same response as you.
Resquest:
https://graph.microsoft.com/v1.0/users/employee-email/calendarview?startdatetime=2018-10-21T00:00:00Z&enddatetime=2018-10-27T23:59:59Z&$select=subject,categories,start,end,sensitivity
Response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<request-id>",
"date": "<date>"
}
}
}
Then I decided to check if had the Office 365. He didn't. I'm just a developer, so I ask the guys from infrastructure to install Office 365 on the empleyee's machine, or add him to an enterprice account, or something like that.
After they finished, the requests to his calendar worked just fine :)

Google calendar push notification : Unauthorized webhook call

Currently we are in the process of developing one iPhone application that deals with google calendar. There was need of syncing calendar events to the server side. Everything works fine.
But for push notification , we are following this process
Whenever we post request to :
https://www.googleapis.com/calendar/v3/calendars/email#gmail.com/events/watch
with parameters
"id":Unique string ( channel id) ,
"type": "web_hook",
"address": "https://abc-api.herokuapp.com/user/notifications"
In the header , we are sending
Authorization : **Bearer 'Access_token'**
and content type : json
We already added domain as authorized domain in the google api console
Access_token is user's account access token .
We are getting "Unauthorized webhook call" error.
{
"error": {
"errors": [
{
"domain": "global",
"reason": "push.webhookUrlUnauthorized",
"message": "Unauthorized WebHook callback channel: https://abc-api.herokuapp.com/user/notifications"
}
],
"code": 401,
"message": "Unauthorized WebHook callback channel: https://abc-api.herokuapp.com/user/notifications"
}
}
Anyone here who can help us to solve the issue ?
You might want to check this post, providing solution like verifying if your domain have a valid (not self-signed) SSL license. Also in google-api-php-client GitHub, instead of setting https://example.com/google/push (resulted in Unauthorized WebHook callback channel) or https://www.example.com/google/push (allowed me to successfully open channel, and object has been returned, however webhook has not been fired) as address they tried https://www.example.com/google/push/index.php and worked.
One potential issue is if you're testing in Google's "try it" section of the documentation. It's not stated, but this particular request does not work there.
Otherwise, there are a few things that need to happen with the domain you are supplying in the address. First, you need to make sure its verified in the google developers console for the application you are hitting the api with. Additionally, you need to add the website property to your search console (even if its just an api) and verify ownership.
Also, once you get past the unauthorized address issue, you will get another error requiring a resourceId be supplied.

How to get user image through user id in Google plus?

I used to get user image through this URL
https://plus.google.com/s2/photos/profile/(user_id)?sz=150
but now what all I am getting is 404 error or no image. I know google has changed its policies and way it connects and allows other to get information, but I didn't anything to achieve same result as above.
Note: I can't use authenticate thing here since I am showing image of users to other users which are not connected at all.
OR in other way user may be not coming from Google log-in but I need to show other Google users images only.
Any help would be highly appreciated!!!
Edit:
I have checked through people.get method
https://www.googleapis.com/plus/v1/people/11595...3592320?key=AIzaSyCkdmtNN1XDg....EpepOIIs
but I am getting error saying
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
}
],
"code": 403,
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
}
}
Edit: I have this already enabled since I am using Google+ log-in already in my site, here I am attaching screenshot:
Earlier I have also the same problem for my site after so much of research and efforts I found solution from my self and i hope that will also work for you and solve your problem:
Old Trick
Google had changed their policy so the old trick for getting the Google profile image will not work now.
e.g https://plus.google.com/s2/photos/profile/(user_id)?sz=150
New Trick
Get Request:
https://www.googleapis.com/plus/v1/people/115950284...320?fields=image&key={YOUR_API_KEY}
Response :200 OK
{
"image":
{
"url": "https://lh3.googleusercontent.com/-OkM...AANA/ltpH4BFZ2as/photo.jpg?sz=50"
}
}
Where YOUR_API_KEY is your Public API Access key which is generated through Credentials under APIs & Auth from https://console.developers.google.com/
And While creating Public API access key you can choose Referers URL's from which this request should be made but for checking you should try by not adding any URL to it, if it works then go with URL of your site.
You can choose other fields to send with URL which you may need from here.
Happy Coding!!!
You can get this information using the people.get Google+ API call and specifying the userid of the user you want information for. This will include an image.url field which you can use and resize as appropriate.
Since this is public information for a user, you don't need the user to authenticate to access it. You do, however, need an API Key which you will add to the end of the URL used in the API call.
You can get an API Key by going to https://console.developers.google.com/ under the "APIs and auth" section and "Credentials" subsection. You can then click on the button under "Public API Access" that says "Create New Key".
The URL you'll use to get the info will look something like
https://www.googleapis.com/plus/v1/people/1234567890?key=api_key
and you'll get back a JSON object with the profile info.
Update:
Make sure you have also enabled the Google+ API in the developes console. You can get to this through https://console.developers.google.com/, under the "APIs and auth" section and "API" subsection, you can find the "Google+ API" on the list and turn it on.

Authenticating to BigQuery REST API via OAuth2 from Node.js

Newbie trying to figure out how to get a Node.js application to authenticate and query Google BigQuery, trying to adapt this CodeLab tutorial from Java. What step might i be missing?
First I create this Oauth2 URL using my clientid:
https://accounts.google.com/o/oauth2/auth?
client_id=1047877053699-den6kbs4v3f2bft6clonsirkj1pc7t6j.apps.googleusercontent.com
&scope=https://www.googleapis.com/auth/bigquery
&redirect_uri=http://localhost:3000/oauth2callback
&access_type=offline
&response_type=code
This successfully reaches Google, which prompts
A third party service is requesting permission to access your Google Account.
Agreeing that generates a second prompt:
Nodejs_Test is requesting permission to:
View and manage your data in Google BigQuery
Agreeing to that, the callback URL is called, with a parameter accessToken.
I think the following url should list tables in my BigQuery project/dataset:
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits&accessToken=4%2FC196NizZwlNgWSt5oNqQwendmLNW.0vgUrlGJ6kMRshQV0ieZDApig3NfcgI
But calling with or without the accessToken returns the following message that "Login Required".
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
I know you can't repeat the code because of permissions, expired tokens, etc. But I wonder what step I might be missing conceptually.
Have you tried sending the accesstoken as an authorization header rather than as a url parameter?
as in
https://www.googleapis.com/bigquery/v2/projects/1047877053699/datasets/visits
Authorization: OAuth Your-access-token-here-not-urlencoded
FYI - looks like you originally used the parameter accessToken in the URL. It should instead by access_token, which looks like it works fine. Of course, Jordan's suggestion of using a Header is better if you're able to do it though-- it's more secure as it's unlikely to get logged in access logs, proxy server logs, etc.

Resources