Can not access other OneDrive Details in MS graph API - sharepoint

I am trying to access users' OneDrive details for a particular tenant. I have used https://graph.microsoft.com/v1.0/users/{userid}/drives to get drive details. But it is returning data for the admin user who generated the application ID in Azure Directory.
Going forward, I need to iterate drive items (https://graph.microsoft.com/v1.0/users/{userId}/drives/{driveId}/list/items)
and item permissions (https://graph.microsoft.com/v1.0/users/{userId}/drives/{driveId}/list/items/{itemId}/driveItem/permissions). But I am stuck at fetching the drive details itself.
I have given the Application permission as,
Files.Read.All - Read files in all site collections
Response header I am getting,
**content-type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
cache-control: private
client-request-id: f612b993-7a31-4171-8feb-8f4ee1f6564b
request-id: f612b993-7a31-4171-8feb-8f4ee1f6564b**
Response Preview:
**{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": []
}**
Please suggest if I am missing anything to get users' OneDrive details.
Thanks in advance.

One of the following permissions is required to call this API. You need to confirm you have set Sites.Read.All and Sites.ReadWrite.All. The common admin account will be a work account, not a personal Microsoft account; Files.Read.All alone is not enough.

Related

Microsoft graph API access problem when create online meeting or online meeting event

I am trying to use "https://graph.microsoft.com/v1.0/me/events" or "https://graph.microsoft.com/v1.0/me/onlineMeetings" to create online meeting programmatically.
I used help from many resources, especially this one:
https://vikrantsdynamicsblogs.wordpress.com/2020/03/28/programmatically-create-the-teams-meeting/.
I have used this API to get a token using the password grant type:
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", but the problem happens when I call "https://graph.microsoft.com/v1.0/me/onlineMeetings": I get 403 Forbidden,
and when I try to call "https://graph.microsoft.com/v1.0/me/events" using the same access token I am getting this response
I have added the delegated permission from the Azure portal.
Any ideas why both are not working for me?
Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). We could refer to this doc to resolve Microsoft Graph authorization errors.
We cannot create an online meeting via a personal Microsoft account. If you are using a work or school account, we need to ensure the account has the permission OnlineMeetings.ReadWrite; if you are creating the online meeting via Application, we need the OnlineMeetings.Read.All and OnlineMeetings.ReadWrite.All* permissions. Check Create onlineMeeting and Online meetings permissions for more details.

Graph API in Excel for Office 365

First of all, I am no developer. I manage an Office 365 server for my company and I would like to do some heavy reporting using Excel.
I have learned of Microsoft Graph and how I could get my data with it.
I created an app in Azure Active Directory, and I tried to set it up.
I added authorizations for Microsoft Graph, including Read All users full profile.
I added one Read directory data permission for Windows Azure Active Directory too.
I clicked on the Grant Permission button.
In the manifest, I changed those parameters to true:
oauth2AllowImplicitFlow
oauth2AllowUrlPathMatching
Now from Excel (2016), I am trying to add a new OData Source, and tried
https://graph.microsoft.com/v1.0/users
I entered my credentials (as Global administrator) using the Professional Account tab, and unfortunately, I only get Resource Access Denied (sorry if the message is not accurate, I get it in another language).
Could anyone give me a hand in telling me what I have missed, please?
Thank you in advance.
I had a similar issue and found that the problem might be that an incorrect flow is being used to authenticate.
Warning: once you change your permissions and grant them, it may take up to 30 mins for the permissions to be granted.
First of all, please check your access token (you can decode it easily using https://jwt.io). As a result you should see this part in your decoded payload:
"roles": [
"User.Read.All"
],
If you don't see it, it means that the permission is not granted properly. As you wrote that you enter the credentials, I assume that you use the authorization code grant flow.
To resolve this you can first check whether you granted application permission or delegated permission to your app. You can look at this page to see the difference. If you want to use application permission you can use the client credential flow. If you want to use delegated permission you can use the authorization code grant flow.
In application settings > Required permissions you can check which permissions you granted and correct them, if needed:
If you are using the authorization code flow you can also add delegated permission to your app and check if the new access code contains the required role (keep in mind that some permissions might be available only in one of the categories; however, User.Read.All is available in both).
Source
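Added example (not part of the original answer): the access-token check described above, done locally in Python without sending the token to a third-party site. It goes slightly beyond the answer by also reading the `scp` claim, where Azure AD places delegated permissions, next to `roles` for application permissions; the sample tokens and helper names are constructed for illustration.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload (second segment) of a JWT WITHOUT verifying the signature.

    For local inspection only; unverified claims must never be trusted for access decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def granted_permissions(claims: dict) -> dict:
    """Split permissions by kind: 'roles' = application, 'scp' = delegated."""
    roles = claims.get("roles") or []
    scp = claims.get("scp") or ""  # space-separated string of delegated scopes
    return {"application": sorted(roles), "delegated": sorted(scp.split())}


def check_permission(token: str, needed: str) -> str:
    """Return 'application', 'delegated' or 'missing' for the given permission."""
    perms = granted_permissions(decode_jwt_payload(token))
    for kind in ("application", "delegated"):
        if needed in perms[kind]:
            return kind
    return "missing"


def _make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: app-only (client credentials) and delegated (authorization code).
APP_TOKEN = _make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
USER_TOKEN = _make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, check_permission(tok, "User.Read.All"), granted_permissions(decode_jwt_payload(tok)))
```

A result of "missing" for a token obtained by signing in interactively, as with the constructed user token here, matches the situation the answer describes: the permission was granted as an application permission but the token came from a delegated flow.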

Can't use application permissions (roles) to access Microsoft Graph API group calendar

My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive the JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to its calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.

403 Forbidden Error Accessing Delegate Mailbox with Office 365 APIs

I have an app defined in Azure that has permission to read Exchange mailboxes. I use Azure to get an access code and then access token, and can successfully read messages from the current user's mailbox. The issue I have is when the current user has delegate rights to a mailbox, this same process results in a 403 Forbidden error rather than the data. If I open up Outlook I can see the delegate mailbox, it's only when trying to access it via the o365 APIs that it fails.
Once I have my access token I'm asking for the data from this endpoint: https://outlook.office.com/api/v1.0/users/mailboxupn@foo.com/messages. As I say, works fine for getting email from your mailbox, but not for a mailbox to which you have delegate rights. I've also confirmed that if I log in and get an access token as the owner of the mailbox that has the delegated rights, I'm able to successfully retrieve data.
I've seen a few questions on this (on Matthias' blog) but no answers. Is there a way to do this?
Thanks.
The Office 365 REST API doesn't support getting messages as a delegate. You may consider using EWS instead.
The link below may be helpful:
https://msdn.microsoft.com/EN-US/library/office/dn641963(v=exchg.150).aspx
Hope it is helpful.

Outlook 365 Administration: How to grant Required scope Mail.ReadWrite to email account

How does an Office 365 administrator grant permissions for an email account to be accessed via the REST API? To be more specific: to grant the "Required Scope".
The Office 365 administrator at the company I work for and I were on the phone for at least an hour with the people at mssupport_microsoft_com attempting to find an answer to this question. Both the first level and second level support people admitted they could not find the answer to this question.
The REST API is documented at: https://msdn.microsoft.com/office/office365/APi/mail-rest-operations.
Note that for each API endpoint there is a line that looks to me like a permissions value. For example for the "get messages" API there is:
"Required scope: Mail.Read". For the send message there is: "Required scope: Mail.Send" and for delete message there is: "Required scope: Mail.ReadWrite". Simple, straightforward stuff.
I'm accessing my personal email for the company I work for and I am able to, via the aforementioned REST APIs, send messages and fetch messages; NO PROBLEM. When I attempt to delete a message, the response is 403; Forbidden.
Assuming that my account has not been granted the correct permission for delete: Mail.ReadWrite, I contacted the Office 365 administrator at my company and requested that he review the permissions granted to my account and grant me Mail.ReadWrite. He agreed that this must be the issue.
However, his training had not prepared him for this request. He didn't know how to do it. So, he contacted MS support to find out how he (as the sole administrator) could grant my account permission to be accessed by the REST API. And, like I mentioned above, the MS people did not know how to administer this functionality.
I asked if there was an administrator's guide ANYPLACE that would document this feature and the MS people didn't have a clue.
Anybody?
P.S. I'm accessing the APIs with the Python requests package.
Looking at the response in more detail revealed this is the problem:
{"error":{"code":"OAuthMissingForThisService","message":"Authentication for this service requires OAuth: outlook.office.com."}}
