Weird issue.
I have a microsft saas app who asks for different permissions (directory.readWrite, file.readWrite Mail... etc) at the admin consent page.
After an admin gave his consent, my app acquires token and start doing what is should.
The thing is that sometimes I get token without "roles" section (I decoded the access token with jwt decoder and saw it was missing..)
and when it is missing then if I try to get users details (for instance) then I get 401 status code:
{
"error": {
"code": "Authorization_RequestDenied",
"innerError": {
"date": "2019-04-10T16:50:28",
"request-id": "fa93e103-6c0e-48cd-af06-008a52762aaa"
},
"message": "Insufficient privileges to complete the operation."
}
}
And that make sense...
How come that the token sometimes contains the "roles" section with all my app permissions and sometimes not? is it Microsoft issue? is there a workaround?
It isn't a specific tenant problem as if I try again after failure with the same tenant then it might work just fine..
Any thoughts?
Related
I tried to create a call in Teams trough Microsoft Graph Api. I created a App with the given permissions but when i try to do the POST on: https://graph.microsoft.com/v1.0/communications/calls i get this error:
{
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"7500\",\"message\":\"Unsupported AAD Identity.\",\"instanceAnnotations\":[]}",
"innerError": {
"date": "2020-11-11T14:38:43",
"request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c",
"client-request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c"
}
}
}
Token and everything looks good. If I change the token I get another error that this one is wrong.
To be honest my knowledge about Azure etc. is very low.
What Shiva said is right. You may have used a user token to call the API, so an error occurred. The API call currently only supports application tokens. You need to grant application permissions to the application and use the client credential flow to obtain Token.
I am setting up an app for modifying a Microsoft Teams account (teams/channels) through the Microsoft Graph API, but I can't get responses from all of the endpoints which I need to call.
I have followed the guide for creating an app with application permissions and acquired access (and refresh) token(s) succesfully.
Calling the https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint yields a response as follows:
{
"error": {
"code": "Unauthorized",
"message": "Unauthorized",
"innerError": {
"date": "2020-06-24T12:37:53",
"request-id": <guid>
}
}
}
while calling endpoints such as https://graph.microsoft.com/v1.0/users works as described. It would seem that the app hasn't gotten consent and/or permissions to access these, but after signup they are listed on the API permissions in the azure portal enterprise applications page, and the access token JWT contains the specified permissions as a roles object.
From the JWT:
"roles": [
"TeamSettings.ReadWrite.All",
"User.ReadWrite.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"TeamMember.ReadWrite.All",
"Team.ReadBasic.All",
"GroupMember.ReadWrite.All",
"Member.Read.Hidden"
]
I have tried with the Directory.ReadWrite.All permission and also with the full permission list listed on the permissions page for the /joinedTeams endpoint and they all elicit the same error.
Curiously, according to this a 401 - Unauthorized response would be given for expired (or similarly invalid) tokens, however that seems to clearly not be the case as I can call other endpoints with that very token.
What am I missing?
Solved thanks to #MikeOliver
When I signed up for Teams it created another directory. Only that second directory had a Teams "license" (visible from the azure portal's License page).
I get an "Unauthorized" status code (401) when I call MS Graph from my Logic App.
The MS Gaph URI I'm calling has been tested separately using Graph Explorer to insure that it was a properly formed request.
I'm guessing that the issue has to do with Application Permissions needing to be granted to the AD App registration.
The Logic App is not prompting the user to grant the "Delegated" permissions I added to the App Registration. This is why I'm guessing, I need to use Application permissions instead of Delegated permissions.
Here is the error being returned
{
"error": {
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be
understood.",
"innerError": {
"request-id": "8addc6d3-fbf1-4a61-8ed2-b4593a10dd8c",
"date": "2019-07-16T12:29:27"
}
}
}
I would of course Grant the Application permissions myself in order to test this, but I don't have rights, and I need to research this a bit before I approach our admins.
You are right. You need grant the application permissions to your app. The Active Directory OAuth in logic app uses client credentials flow which doesn't need user interaction.
Here is the difference between application permission and delegated permission.
I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api