I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api
Related
I know how to register an all in Azure AD. I also know how to retrieve an access token with MSAL. When I make a request I get this error:
$ curl https://graph.microsoft.com/v1.0/me -H "Authorization: Bearer ${ACCESS_TOKEN}"
{
"error": {
"code": "ErrorInsufficientPermissionsInAccessToken",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
"innerError": {
"date": "2022-06-11T18:41:12",
"request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345",
"client-request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345"
}
}
}
Is there a way to know which API permissions and scopes you need to set up from the error message?
Setting up API permissions and scopes depends on the request you are making to call Microsoft Graph.
You can find the required permissions for every Graph API request via Microsoft Graph REST API v1.0 reference
Please note that /me is used to get user information of signed-in user.
Check the below note while calling /me endpoint :
Required permissions for calling /me endpoint are:
I tested in my environment and got the profile successfully with Delegated permission like below:
API Permissions that I have given to the app:
You can find similar kind of problem raised in Microsoft Q&A below:
ErrorInsufficientPermissionsInAccessToken - Microsoft Q&A
I tried to create a call in Teams trough Microsoft Graph Api. I created a App with the given permissions but when i try to do the POST on: https://graph.microsoft.com/v1.0/communications/calls i get this error:
{
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"7500\",\"message\":\"Unsupported AAD Identity.\",\"instanceAnnotations\":[]}",
"innerError": {
"date": "2020-11-11T14:38:43",
"request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c",
"client-request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c"
}
}
}
Token and everything looks good. If I change the token I get another error that this one is wrong.
To be honest my knowledge about Azure etc. is very low.
What Shiva said is right. You may have used a user token to call the API, so an error occurred. The API call currently only supports application tokens. You need to grant application permissions to the application and use the client credential flow to obtain Token.
I am setting up an app for modifying a Microsoft Teams account (teams/channels) through the Microsoft Graph API, but I can't get responses from all of the endpoints which I need to call.
I have followed the guide for creating an app with application permissions and acquired access (and refresh) token(s) succesfully.
Calling the https://graph.microsoft.com/v1.0/users/<user guid>/joinedTeams endpoint yields a response as follows:
{
"error": {
"code": "Unauthorized",
"message": "Unauthorized",
"innerError": {
"date": "2020-06-24T12:37:53",
"request-id": <guid>
}
}
}
while calling endpoints such as https://graph.microsoft.com/v1.0/users works as described. It would seem that the app hasn't gotten consent and/or permissions to access these, but after signup they are listed on the API permissions in the azure portal enterprise applications page, and the access token JWT contains the specified permissions as a roles object.
From the JWT:
"roles": [
"TeamSettings.ReadWrite.All",
"User.ReadWrite.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"TeamMember.ReadWrite.All",
"Team.ReadBasic.All",
"GroupMember.ReadWrite.All",
"Member.Read.Hidden"
]
I have tried with the Directory.ReadWrite.All permission and also with the full permission list listed on the permissions page for the /joinedTeams endpoint and they all elicit the same error.
Curiously, according to this a 401 - Unauthorized response would be given for expired (or similarly invalid) tokens, however that seems to clearly not be the case as I can call other endpoints with that very token.
What am I missing?
Solved thanks to #MikeOliver
When I signed up for Teams it created another directory. Only that second directory had a Teams "license" (visible from the azure portal's License page).
I'm using graph rest api for writing a draft mail.
First, I called the authorize method with the https://graph.microsoft.com/.default scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=https://graph.microsoft.com/.default
With the obtained code, I called the token method with the same scope:
https://login.microsoftonline.com/common/oauth2/v2.0/token
With this token, I am able to get messages without any issues, but when I try to create a draft by calling: https://graph.microsoft.com/v1.0/me/messages/ I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7fafbb5a-ab6d-4dbc-bb73-69d58b00f7ac",
"date": "2019-11-26T20:48:24"
}
}
}
As stated in the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-messages?view=graph-rest-1.0&tabs=http) I have set the Mail.ReadWrite permission in my registered Azure app and granted admin consent. Am I missing something?
I checked Graph logs and that call to Microsoft Graph did not have the Mail.ReadWrite permission. Can you try adding that permission to the scope query param in your implicit auth flow call instead of .default? (If you need multiple permissions you can list them all in the scope param separated by spaces)
I am working on daemon service that retrieves the list of contacts from Microsoft Graph, that does not prompt Microsoft Authentication to the user. However, I'm not able to retrieve the permissions I set in Microsoft Azure even with granted admin consent.
I use Postman to generate a token with the following information.
https://login.microsoftonline.com/0835055b-8a00-4130-b07a-037430dd000d/oauth2/v2.0/token
The following json is the result I get
{
"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "{MY_TOKEN_HERE}"
}
Token is generated successfully but the token returned does not include the permission with granted admin consent I set in MS Azure at portal.azure.com > Registered App > API Permission.
I have Microsoft Graph - Users.Read and Contacts Read with green ticks on admin consent required. See image below:
Microsoft Azure - API Permission
And without the scope, I'm not able to retrieve the list of contacts with given token.
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "63a24a22-34f7-42a1-a9d5-d7aaf598f4d6",
"date": "2019-07-01T02:59:15"
}
}
}
Is there anything I missed? I assumed when the admin has granted consents, I should be able to include the API in scopes to generate tokens.
I saw there is a similar issue here but there is no solutions that work for me:
Microsoft graph API: Unable to fetch users with the generated access token
Based on your screenshot, the contacts.read you granted is an application permission. And, you have only one delegated permission: user.read .
However, if you want to call the graph api : graph.microsoft.com/v1.0/me/contacts , you need to use delegated permission. It will represent the user. So you can get the information for "me". And based on the official documentation , you need to grant the Contacts.Read (Contacts.ReadWrite for writing) delegated permission.
If you want to use application permission, then you need to get access token with client credentials flow. Token got in this way can be used for application permission. And you should call the api as following : graph.microsoft.com/v1.0/users/{id | userPrincipalName}/contacts