I am using Azure AD B2C to create users.
After a user is created I would like to add them to a Group
Using Postman I have made the following request (with access token in the header). Note: I have managed to successfully create a group using the Api.
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId/members/$ref?api-version=1.6
With Body:
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
Which is what the documentation specifies. No matter the body that is sent I get the following error
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "The request URI is not valid. Since the segment 'members' refers to a collection, this must be the last segment in the request URI. All intermediate segments must refer to a single resource."
},
"requestId": "48cf65f3-20ba-411e-8121-f7ea54252f3a",
"date": "2019-05-27T06:09:25"
}
}
I tried removing the /$ref
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId/members?api-version=1.6
Body:
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
as well as
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/users/{user-objectId}"
}
Now the error that gets returned now is:
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Unsupported resource type 'DirectoryObject' for operation 'Create'."
},
"requestId": "2c36cc6d-383c-44f8-8609-2ac3e3efc862",
"date": "2019-05-27T06:15:26"
}
}
The documentation that I have been using https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=javascript
You are using graph.windows.net endpoint, so you should refer to azure ad graph api.
POST https://graph.windows.net/myorganization/groups/b4bda672-1fba-4711-8fb1-5383c40b2c14/$links/members?api-version=1.6
{
"url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}
The document you referred to is microsoft graph api. The endpoint should be https://graph.microsoft.com.
You can use Microsoft Graph explorer to call these apis.
Related
I am trying to assign groups and devices to a PowerShell script in Microsoft Intune using the following POST request:
URL: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/%7Bid%7D/Assign
Body:
{
"deviceManagementScriptGroupAssignments": [
{
"#odata.type": "#microsoft.graph.deviceManagementScriptGroupAssignment",
"id": "{ScriptId:GroupId}",
"targetGroupId": "{GroupId}"
}
],
"deviceManagementScriptAssignments": [
{
"#odata.type": "#microsoft.graph.deviceManagementScriptAssignment",
"id": "{ScriptID:DeviceID}",
"target": {
"#odata.type": "#microsoft.graph.allDevicesAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none"
}
}
]
}
However, I am getting a 400 error with the following message:
"{ "_version": 3, "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 615c3437-bd99-2193-9d4b-d9a61deb0340 - Url: https://fef.amsua0102.manage.microsoft.com/DeviceFE/StatelessDeviceFEService/deviceManagement/deviceManagementScripts('{id}')/microsoft.management.services.api.assign?api-version=5022-11-08", "CustomApiErrorPhrase": "", "RetryAfter": null, "ErrorSourceService": "", "HttpHeaders": "{}"}"
I base on this document of Microsoft https://learn.microsoft.com/en-us/graph/api/intune-shared-devicemanagementscript-assign?view=graph-rest-beta
I tried to reproduce the same in my environment.
Received the same error:
{
"error": {
"code": "UnknownError",
"message": "{\"ErrorCode\":\"Forbidden\",\"Message\":\"{\\ \\\"_version\\\": 3,\\ \\\"Message\\\": \\\"An error has occurred - Operation ID (for customer support): xxxx –
}
When I followed the url in the error and queried, I got that the api version is not supported.
Make sure the authorization header is given with bearer token which has proper permissions to work with intune and device management
Omit the parameter #odata.type in the post request body.
{
"#odata.type": "#microsoft.graph.deviceManagementScript",
…
"runAs32Bit": true
}
Make sure you have DeviceManagementConfiguration.ReadWrite.All Application and delegated permissions.
Note that Intune requires an active Intune license for the tenant.
I want to purges data for my custom log with TimeGenerated range.
Sample Request
POST https://management.azure.com/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/OIAutoRest5123/providers/Microsoft.OperationalInsights/workspaces/aztest5048/purge?api-version=2020-08-01
Request Body
{
"table": "MY_CUSTOM_TABLE",
"filters": [
{
"column": "TimeGenerated",
"operator": "between",
"value": ["2022-01-02T04:00:00","2022-01-07T03:59:59"]
}
]
}
Response Code: 400
Response Body:
{
"error": {
"message": "The request had some invalid properties",
"code": "BadArgumentError",
"correlationId": "00000000-0000-0000-0000-00000000000",
"innererror": {
"code": "QueryValidationError",
"message": "The user with object Id '00000000-0000-0000-0000-00000000000' does not have the role 'Data Purger' required to perform purge operation on this resource"
}
}
}
"message": "The user with object Id
'00000000-0000-0000-0000-00000000000' does not have the role 'Data
Purger' required to perform purge operation on this resource"
Looking at the Error Message that you have shared above, it is moreover related to access issue. You need to have DataPurger RBAC role on that resource inorder to perform data purge over a particular table in log analytic workspace.
Here is the reference documentation for more information about DataPurger RBAC role.
We have tested this in our local environment , it is working fine.
In our local environment , we have tried to purge the heartbeat table using the above shared Purge REST API of Azure Log Analytics workspace.
if you are using the between operator in the body of your restAPI , the value should be array of items.
Here is the sample request & body of the Rest API :
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2020-08-01
Body:
{
"table": "Heartbeat",
"filters": [
{
"column": "TimeGenerated",
"operator": "between",
"value": ["2022-01-18T05:40:00","2022-01-18T05:50:59"]
}
]
}
Here is the sample Output for reference:
When I do a post request to the Azure Key Vault Sign API: https://pkitstencryptkeyvault.vault.azure.net/keys/openssl-rbi-test/1ccc8fc0e0224bb1a65eb159e2b12df1/sign?api-version=7.0
with body:
{
"alg": "ES256",
"value": "RkQ4y5rDgxeaaOzeqeAFT3IGLAEZMz2ztbTbMNzxuMc"
}
The response is:
{
"kid": "https://pkitstencryptkeyvault.vault.azure.net/keys/openssl-rbi-test/1ccc8fc0e0224bb1a65eb159e2b12df1",
"value": "d9J4G06FRMBEKy_FJJj1PEAXhtlezvd6-3_5yo9yeYAFZ_Du583AJzqu3NMTzJAUMoKhnVBx2obnkM0gI1LnoQ"
}
I can't find that information on the Azure Sign API doc.
So what is the format of the value in the response body?
I'm asking this, because when I send a verify request to:
https://pkitstencryptkeyvault.vault.azure.net/keys/openssl-rbi-test/1ccc8fc0e0224bb1a65eb159e2b12df1/verify?api-version=7.0 with body:
{
"alg": "ES256",
"value": "d9J4G06FRMBEKy_FJJj1PEAXhtlezvd6-3_5yo9yeYAFZ_Du583AJzqu3NMTzJAUMoKhnVBx2obnkM0gI1LnoQ"
}
I get the following error:
{
"error": {
"code": "BadParameter",
"message": "Property has invalid value\r\n"
}
}
Although the example does not show it: The digest parameter is missing in your verify request body. This parameter is defined in the API.
I am trying to create a user using azure graph API. For this, I have got the token response as below:
Once I have the token, I have added this as bearer token in Authorization for the below url:
https://graph.microsoft.com/v1.0/users
and posting the below json data:
{
"accountEnabled": true,
"displayName": "Andrew",
"mailNickname": "SanAndrew",
"userPrincipalName": "andrew.san204#gmail.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password"
}
}
But getting below error:
{
" error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "c06079d2-ff6b-4e5b-b34d-704f16bc312f",
"date": "2019-06-03T11:20:20"
}
}
}
although I have all the permissions as shown below:
Can anyone please suggest what I am doing wrong here.
One possibility for the error is that you are trying to create a user with gmail.com domain. The domain needs to be one of the verified domains in your AAD tenant.
If you want to add a gmail.com user anyway, you need to send an invitation through the invitations endpoint: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=cs
I want to fetch the analytics of any channel of youtube that basically are not owned by me. I am using this API.
If this is not the right API please suggest me how to achieve this.
Also, I am using node.
https://youtubeanalytics.googleapis.com/v2/reports?dimensions=day&endDate=2019-01-01&ids=channel%3D%3DUCZSNzBgFub_WWil6TOTYwAg&metrics=likes&startDate=2018-01-01
Response:
{
"error": {
"code": 403,
"message": "Forbidden",
"errors": [
{
"message": "Forbidden",
"domain": "global",
"reason": "forbidden"
}
]
}
}
You need to understand the difference between private and public data. Public data is data that can be accessed by anyone. Public videos on YouTube for example
Private data is data that is owned by a user. A good example of that would be the analytics for a channel on Youtube. You cant access this kind of information without the permission of the user who owns it.
{
"error": {
"code": 403,
"message": "Forbidden",
"errors": [
{
"message": "Forbidden",
"domain": "global",
"reason": "forbidden"
}
]
}
}
Means that the currently authenticated user doesn't have permission to do what you are trying to do. You need to login with a user who has access to this data. I suggest you ask the owner of the channel to give you access.