Calling Microsoft Graph API from Azure Functions - azure

I am not sure if I am on the right path, but I am attempting to retrieve my contacts within an Azure Function. I don't need to present a login as this is only for my account. I just want to be able to retrieve my Contacts from the Graph without having to explicitly authenticate. Is this possible? My attempts have failed and I ultimately get stuck trying to add permission...
When I click to add Permission, I get this error:
I am trying to use AAD to authenticate. I tried creating the function within the Portal and also from VS. Any suggestions? Thanks!!

You could follow the steps below to fix the issue.
1.Navigate to the Authentication / Authorization of your function app, click the red frame part like the screenshot.
Go to Manage Permissions -> Add -> select the Windows Azure Active Directory API and Sign in and read user profile permission
Then refresh the portal, it will work fine.

Related

Microsoft Graph API - Sharepoint list unable to call create/update SharePoint list items, GET/DELETE works

Unable to use Microsoft Graph API to create or update SharePoint list items with client credentials access token (getting access token with out a user), I get the following error,
I'm able to successfully call GET and DELETE methods with the same access tokens for the same site/list, additionally I'm able to call all methods GET/POST/PATCH/DELETE for the same site/list using the user generated access token.
For my use case I need to able to create/update list items with out user access so, followed this article - https://learn.microsoft.com/en-us/graph/auth-v2-service, API has required permissions granted in the application
can't seem to find any documentation on what exactly I'm missing, looks like POST/PATCH endpoints are looking for some user info in the token, but client crendentials do not have any user info so not sure what to do next, Here's the documentation I'm following https://learn.microsoft.com/en-us/graph/api/listitem-create?view=graph-rest-1.0&tabs=http & I've tried using the .net graph client SDK as well and I get the same error message for both POST/PATCH requests.
Any help on how to successfully create/update sharepoint list items via graph api using client credential token would be highly appreciated.
Followed this article in setting up the application in azure ad - https://learn.microsoft.com/en-us/graph/auth-v2-service, Added app roles are as highlited in this article https://learn.microsoft.com/en-us/answers/questions/756563/app-roles-in-client-credentials-scope-in-azure-b2c.html but no luck.
Hope you are not using delegated permission in your personal account ,
Looks like there is something wrong with your API call ,make sure you are using the correct API call - https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id}/items
You can also Try to create and Update in graph explorer- https://learn.microsoft.com/en-us/graph/api/listitem-create?view=graph-rest-1.0&tabs=http#example .
Hope this helps
Thanks

Getting list of all documents from share point

I am trying to implement functionality where I can get list of documents from share-point.I have tried this demo code from Azure directory implementation and login to account and also got details about sites and user data from graph API.
https://github.com/Azure-Samples/ms-identity-android-kotlin
I am able to get site data from graph API :
But when I am trying to get list then getting error or no value
I have also passed this authorization token to REST API but that too doesn't work.
You can try with scope Sites.ReadWrite.All instead of User.read, as I tested it using Graph Explorer and I got access denied as the scope permission was not consented. After I consent the permission, it worked .
Example 1:
Before Consent:
After Constent:
I have created a test list on the Communication Site.
After that when I query for lists , I successfully get the above one I created.
Example 2 :
I also tested it using a Application registered to Azure AD. It didn't return me any error or any value as well when I queried for lists using that app's credential's from Powershell.
After I add Sites.ReadWrite.All to the App's API permission's .
I can successfully get the Values of the lists.
To summarize it , it could be resolved in 2 ways :
Changing the Scope shown on the screenshot given by you to Sites.ReadWrite.All instead of User.Read.
Adding API permissions to the APP registration in the Azure AD for Microsoft Graph as shown in the example 2 second image.

Microsoft Graph Explorer Modify Permissions

I need to enable Chat.Read (Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user) in the Graph Explorer modify permissions section but I don't see it. I can see other permissions such as User.Read.
image of my modify permission
I'm really new to this so I don't know how it works. I've tried to make API permission from Microsoft Azure but I still doesn't see Chat.Read in the Graph Explorer. I don't know if Azure and Graph explorer is related or I did it the wrong way.
My goal is just to enable Chat.Read in my Graph Explorer.
Like this,When you request the corresponding api endpoint, you can find it.
Or you can find it directly here.

How can I get a token for Microsoft Graph to read an excel table?

What I need:
I need to read an excel table from Microsoft Teams Channel with Microsoft Graph API.
That is possible with the following URI:
https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows
The problem is, that this endpoint needs a valid token.
There are 2 opportunities:
Create Azure AD Application, that have access to the whole OneDrive.
Create Azure AD Application to retrieve a token for a service user, that have access to needed files.
The problem of the first one is, that I don't want to give it access to the whole OneDrive. I want it to have an access just to one OneDrive folder.
Maybe there is some possibility to limit the access just to one OneDrive folder?
I've tried the second alternative with com.microsoft.aad.msal4j library:
String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
PublicClientApplication pca = PublicClientApplication.builder(
APP_ID).
authority(AUTHORITY).build();
String scopes = "User.Read";
UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
Collections.singleton(scopes),
userName,
password.toCharArray()).build();
IAuthenticationResult result = pca.acquireToken(parameters).get();
But this leads to the following exception:
com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Any ideas? Thank you
For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.
Please see Public Client and Confidential Client applications.
Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to
safely keep application secrets, and therefore access Web APIs in the
name of the user only (they only support public client flows). Public
clients are unable to hold configuration time secrets, and as a result
have no client secret.
So for PublicClientApplication, we don't need a client secret.
What you need to do is (which you have found from this comment):
In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.
There is a completed sample with detailed steps here for your reference.
Besides, since you are trying to read an excel table, user.read permission is not enough.
Based on List rows Permissions, you need to add Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.
All steps that I've done, so that it works:
I need to access a shared folder, so I needed to change the scope to "Files.ReadWrite.All" in my code.
In the list of pages for the app, select API permissions, click the Add a permission button and then, ensure that the Microsoft APIs tab is selected. In the Commonly used Microsoft APIs section, click on Microsoft Graph. In the Delegated permissions section, ensure that the right permissions are checked: Files.ReadWrite.All. Use the search box if necessary. Select the Add permissions button.
In the list of pages for the app, select Manifest, and in the manifest editor, set the allowPublicClient property to true, select Save in the bar above the manifest editor.
Login as a tenant admin to https://portal.azure.com. Open the registration for your app. Go to Settings, then Required Permissions. Press the Grant Permissions button.

Azure Active Directory App Manifest: getting 'Failed to update manifest: ObjectConflict'

I'm trying to update an existing Azure app but unable to save and the website throws an error 'Failed to update manifest: ObjectConflict'
I'm updating the field called 'identifierUris'. It's a list and there is one element already and I'm trying to add another there.
Can't seem to find what this error is about. Has anyone encountered this before?
It is very likely you are trying to add a value to identifierUris which is already present in another app. Each value in identifierUris must be unique to a single Application object in Azure AD.
To check if it's already present on an app in your tenant, you can use Azure AD PowerShell to do a simple search to see if that's the case:
Get-AzureADApplication -Filter "identifierUris/any(c:c eq 'http:/example.com/id-uri')"
You could also do the query using the Azure AD Graph Explorer (and signing in with your Azure AD account):
https://graph.windows.net/myorganization/applications?$filter=identifierUris/any(c:c eq 'http:/example.com/id-uri')
I also ran into this when writing some samples. The other answer is correct that there is another app that has already defined those identifierURI's under your AAD tenant. But it only needs to be defined under one app. You can create another app / client ID in AAD under the tenant that doesn't have the identifierURI's the docs say you need and it will work to get the right token / Store ID.
I did this with my sample where another client had already defined them and hit this error. I just went ahead anyways with the rest of the setup docs and got it working requesting the right authorization / bearer tokens. Just know that for the commerce ones, I had to re-publish my app to the store before I started to see results otherwise I was just seeing blank results.

Resources