Is there any endpoint available in MS Graph API to get the SharePoint Online User Profile. We wanted to access the custom properties that are created in SharePoint Online User Profile application for user through MS Graph API in our custom application.
We are only able to access Azure AD user resource in MS Graph but not the SharePoint Online user Profile.
For now, there is no endpoint from Microsoft Graph to get user information from SharePoint User Profile. You need to use SharePoint rest api to do this.
Endpoint URI
POST http://<site url>/_api/sp.userprofiles.profileloader.getprofileloader/getuserprofile
Get the user profile of the current user
$.ajax({
url: "http://<site url/_api/sp.userprofiles.profileloader.getprofileloader
/getuserprofile",
type: "POST",
headers: {
"X-RequestDigest": <form digest value>,
"accept": "application/json;odata=verbose"
},
success: successHandler,
error: errorHandler
});
You can refer to this link for more details.
Related
We are currently working on Embedding Power BI Reports into our web application. To achieve that we are following the instructions on official power bi documentation:
https://learn.microsoft.com/en-us/power-bi/developer/embed-service-principal#get-started-with-a-service-principal
We are on the “app owns data” case thus we will user service principal. There is also “access with master account” option but I could not find a way to generate token via REST API, it works only via .NET samples provided which is not compatible with out stack. Moreover, in all the samples I have examined, token is retrieved from the security context of currently logged in user(So not via REST API). So “access with master account” is not an option for us.
We followed the steps in the link above one by one:
Registered a server-side web application.
Created a security group in Azure AD and added our new server side
web application to this group.
Enabled service principal (as power bi admin) for the new security
group we created.
Created and published our reports.
Added the service principal as an admin to the workspace (new
workspace ) that we have created.
On step 6 where we embed the report in our applications we are having issues. Here is what we do:
Generate Access Token For Service Principal.
URL: https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token
Request Body:
grant_type: client_credentials
scope:https://graph.microsoft.com/.default
client_id:${clientId} (from our created server-side web application) >
client_secret:${client_secret} (from our created server-side web application)
Header: Content-Type:
application/x-www-form-urlencoded
Response: {
"token_type": "Bearer",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": "eyXXXXXXXXXXXXXXXXX....XXX" }
Generate Embed Token using Power BI REST API
URL:
https://api.powerbi.com/v1.0/myorg/groups/${groupId}/reports/${reportId}/GenerateToken (groupId and reportId fetched from power bi dev portal where we have our reports)
Request Body: { "accessLevel": "View", "allowSaveAs": "false" }
Header: Content-Type: application/json
Charset:utf-8 Accept: application/json
Authorization: Bearer ${access_token_from_step1}
Response: HTTP 403 (which means forbidden)
Unfortunately we are stuck at this point. We can not generate embed token which we will use to embed our reports/dashboards into our application. Although we have been through lots of online docs/discussions we could not find a solution. So here is what we need help.
Notes:
-We are creating/publishing reports using Power BI Desktop and our power bi pro account. (Although we are trying to embed them using service principal)
-We have run into this stackoverflow answer that claims we need to use resource owner flow instead of client credentials flow. But I believe it is against power bi documentation that states service principal can be applied without using any user/password.
The scope you defined when generating Access Token For Service Principal is not correct.
Try to use https://analysis.windows.net/powerbi/api/.default instead of https://graph.microsoft.com/.default
Note: There are many limitations when use service principal.
How do you get the authentication contact info from azure ad b2c with the microsoft graph, I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but seems neither will fully retrieve what's required.
As of now, the following with get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API;
Register the Application in Azure AD
In the Azure Active Directory instance;
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
As you mentioned it seems that there is no microsoft Graph API could get the authentication Contact Info Email.
But we could get that information with following API, I capture it with browser. It seems a litte hack.
Get https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for product, you could use it for test.
I'm working on a dynamics crm integration for a Single-Tenant Server-to-server authentication. This is required to obtain tokens invisibly as the data will be used to create customer facing ui.
Therefore I’m getting a token back from Azure using the client_credentials grant type. However when I attempt to use this token to access any dynamics endpoint (such as those documented here: https://msdn.microsoft.com/en-us/library/mt607871.aspx)
All I get back is a 401 - access denied.
I’ve done the following:
Create an Azure application
Created and stored a key
Enabled permissions for Dynamics CRM online
I’ve seen some suggestion that I need a service user in the CRM itself to provide access, however when I try and create one the options described do not appear. (such as here: https://msdn.microsoft.com/en-us/library/mt790170.aspx#bkmk_ManuallyCreateUser )
Can you suggest any steps I might be missing here?
Heres a sample call using the token
{ method: 'GET',
url: 'https://<snip>/api/data/v8.2/accounts?$select=name&$top=3',
headers:
{ Authorization: 'Bearer <snip>',
Accept: 'application/json',
'OData-MaxVersion': '4.0',
'OData-Version': '4.0' }
}
EDIT:
Please note that I am using node.js here and C# / .net based answers are probably not going to be massively helpful
Here is a post on how to configure server to server auth. Assuming you ran through all the steps except creating the application user, you can do so by:
In CRM Navigate to Settings->Security->Users
Change the view from "Enabled Users" to "Application Users"
From the new user form change the form from "User" to "Application User".
You should now be able to create your application user.
Is there a way within the Office Graph API to access items in a specific list - and not just items that I can see, but items I may not have access to?
Microsoft Graph access to SharePoint objects is currently in the beta version of Graph. See https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/sharepoint.
To access specific items, the endpoint pattern would be:
GET https: //graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items/{item-id}
For example: https:// graph.microsoft.com/beta/sites/mytenant.sharepoint.com:/sites/mysite:/Lists/Announcements/Items/1
As for being able to access items you do not have access to: No. That would be a horrible security problem if you could use any API to access such items.
There are two kinds of permission for app registered on the Microsoft Azure platform.
One is delegated permission. In this scenario, the user delegates access to a client application. We can call the REST API to get the data owned by who sign in.
The another is Application-level. In this scenario which permits a web service (a confidential client) to use its own credentials to authenticate when calling another web service, instead of impersonating a user. For example, a service or daemon app can retrieve all the users in a tenant if it has the Read all users' full profiles permission selected in the Azure Management Portal. And we can get the specific user's drive via the API like below:
GET /users/<id | userPrincipalName>/drive
More detail about REST API for handling the files on OneDrive for business, please refer to link below:
https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/drive
And here is the link for the authentication protocols for the Azure AD support:
https://msdn.microsoft.com/en-us/library/azure/dn151124.aspx
No, you can't retrieve SharePoint list items using Graph API, but you can use SharePoint REST API for that. It's similar to Graph API and supports OAuth.
Check the documentation for SharePoint API here: https://msdn.microsoft.com/en-us/library/office/dn531433.aspx
To get items from a list within SharePoint, you can use SharePoint Rest API. A sample code to get items using rest api is as below:
// For SharePoint 2010
var strRestUrl = _spPageContextInfo.webServerRelativeUrl + "/_vti_bin/listdata.svc/{{listname}}
// For Office 365 or SharePoint 203
var strRestUrl = _spPageContextInfo.webAbsoluteUrl + "/_api/Web/Lists/GetByTitle({{listname}})/Items
$.ajax({
url: strRestUrl,
method: 'GET',
headers: { "Accept": "application/json; odata=verbose" },
success: function(response){
// success callback function
},
complete: function(){
// complete callback function
},
error: function (data) {
// error callback function
console.log(data.responseJSON.error);
}
});
If you are using SharePoint 2010 then Rest URL is different and if you are using SharePoint 2013/Office 365 rest URL is different. Hope this code will help you.
More details about REST API are as available at below link:
https://msdn.microsoft.com/en-us/library/office/dn531433.aspx
I would value some advice as we are facing an issue with the Office 365 API where it returns 500 errors, when we request delegated administrative access to the Office 365 MySites Site Collection.
The use case scenario is the following:
We have independent organizations, 'A' and 'B' , which both own their respectives Azure Active Directroy accounts and O365/Azure subscriptions.
Organiation B wishes to utilise an application provide Organisation A which requires delegated administrative access to it's Office365 MySites Site Collection.
Organisation B successfully adds the app to their Active Directory Account by using the OAuth2 authorization process, granting the permissions that the application requires over their company active directory.
The final part is delegating access of an admin account in Organisation B to the Mysites site collection in Organisation B's Office 365 account. If we utilise the manual process via the administrative panel all works well, although programatically via the API we receive a '500' error.
We are using the following call to programmatically add the user as site collection administrator: (please note: I have used [ dummmy id's] below )
Endpoint URL:
https://<..org_a..>.my.sharepoint.com/personal/[[user_OrganisationA_com]]/_api/web/siteUsers/getByEmail(#u)?#u='[[info#_OrganisationA.com']]
Method: POST
Body: {'__metadata':{ 'type': 'SP.User' }, 'IsSiteAdmin':'true'}
HTTP Headers:
• "Content-Type": "application/json; odata=verbose"
• "X-HTTP-Method": "MERGE"
• "Authorization": "Bearer <OAuth2 token>"
• "Accept": "application/json"
On the request above we are trying to add info#_organisationB.com as site collection administrator to UserC's personal site in One Drive for Business service (UserC is identified by the email UserC#_organisationB.com). The user info#_organisationB.com has Global Administrator privileges in Organisation B's Office365 domain and UserC#_organisationB.com) is a basic user with no admin rights.
The call returns a 500 HTTP Status code (Internal Server Error) and the following message:
object(stdClass)[18]
public 'odata.error' =>
object(stdClass)[19]
public 'code' => string '-2146232832, Microsoft.SharePoint.SPException' (length=45)
public 'message' =>
object(stdClass)[20]
public 'lang' => string 'en-US' (length=5)
public 'value' => string 'You need to be a site collection administrator to set this property.' (length=68)
To our knowledge an API call should never return a 500 HTTP Status Code (Internal Server Error), if we are not allowed to do what we intend it should provide an Insufficiente permissions message or similar, however, the fact that we can manually apply this through the SharePoint Online management portal makes us believe we are hitting a bug that is stopping us from achieving what we intend.
Any advise would be appreciated!
Are you using SSL from the website you execute the request?