I have setting up an Azure logic apps on my azure account that send posts for both Facebook and Twitter based on an condition many days before I had tested my logic apps successful published post but now this issue occurred I have no idea about that.
Many thanks for your help.
{
"error": {
"message": "(#200) Requires either publish_actions permission, or manage_pages and publish_pages as an admin with sufficient administrative permission",
"type": "OAuthException",
"code": 200,
"fbtrace_id": "GHv4s/FqX8U"
}
}
It is probably more a problem of the user's permissions with which you establish the connection in the LogicApp. check if that profile with which you have established the connection with Facebook has the necessary permissions to perform the actions described in the error.
This has to do with user permissions in AAD (Azure Active Directory).
Go to the logic app's
Access control (IAM) -> View my access
In my case I see the following
but perhaps you have read-only rights. Once you can modify the logic app, you should have sufficient administrative permissions.
Try to log out of both Azure / Facebook and re-enter the credentials.
Related
I'm trying to create an automation to interact with Microsoft Business Central. For that I created a Azure App (daemon).
This app has granted permissions from the admin to Read/Write on BC, permissions such as Financials.ReadWrite.All and API.ReadWrite.All and are consented.
When I generate the access token, I can list environment and companies, but cannot list items https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/api-reference/v2.0/api/dynamics_item_get
What other permission do I need?
Here is the error I get when trying to list:
{
"error": {
"code":"Internal_ServerError",
"message":"Sorry, the current permissions prevented the action.(Page APIV2 - Items Execute: _Exclude_APIV2_)"
}
}
If I get the token from here, with my user on it, it works: https://developer.microsoft.com/en-us/graph/graph-explorer
You need to register the Azure App inside Business Central and assign it the required permissions.
You can do this through the Azure Active Directory Applications page.
If you select the app_access permission in you oauth application you also need to give permission inside Business central as Ramon already explained
If you do not assign that permission, and grant consent inside the oauth application already, that app can access all your environments within that tenant
Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
I am working on documenting integration with Azure for later use by colleagues. This is for obtaining an AAD bearer token (done) and using it to get a Logic Apps callback URL. There is the problem, which is to correctly permit the client application. I am not finding documentation on the correct scope to set in the Portal. Also, I don't have the admin permissions myself to try and, so trial-and-error is not an option.
Right now, I have registered in Azure an app with only default permissions. So, when I try the desired action, I get back the error response:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '{Client Id}' with object id '{object id}' does not have authorization to perform action 'Microsoft.Logic/workflows/triggers/listCallbackUrl/action' over scope '/subscriptions/{subscription id}/resourceGroups/{resourceGroup Name}/providers/Microsoft.Logic/workflows/{workflow name}/triggers/manual'."
}
}
In trying to get the app the right permissions, I am encountering the error in Azure portal:
You are adding permission(s) that require an admin to consent, users will not be able to use the application until an admin grants permissions to the application.
Which I expect, so I am seeking to tell my admins the exact permission(s) that need to be granted or delegated.
Possibly this can be done in PowerShell and easier than in Portal, or even CLI. I am not wedded to a particular method, just looking for direction or documentation on how to correctly configure the client app. I figure I need to give our app at least Contributor access to the resource group via the Access Control (IAM) tab. However, in this subscription, I do not have the "Add" option there, suggesting I do not have permission to do it.
Right now, I am using the documentation at register your client application with azure ad but am not finding the steps toward correctly permitting the registered client when I am unable to try it out before explaining it to someone else. Maybe there is more detailed documentation, or a blog post someone knows of that I have not found?
Thank you
Getting the callback url at runtime requires permission to invoke the API action Microsoft.Logic/integrationAccounts/assemblies/listContentCallbackUrl/action. You can do this a couple of ways:
create a custom role with the required API access. This is nice from a least-privilege perspective, but you're limited to 200 custom roles and you'd need to document what the role is for and track that going forward
You could leverage the built in role of logic app contributor which has carte blanche on logic app apis.
Which ever you choose, the next step is to assign the service principal associated to your application (or the user or group account defined in AD) to the role. Here is a great walkthrough for the role assignment process using the portal or using the CLI, if you prefer
Problem
When generating an access token for Microsoft Graph API via ADAL, Graph API does not accept the token.
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
What the application does
The application should read all users of a tenant. The application is configured to have User.Read.All privileges. The application consent is granted by the tenant, where the users should be read from - the application does appear with the privileges in Azure Portal.
What I have so far
The application worked a few days ago and I changed nothing. Other applications using the same way to authenticate work.
Recreating to AAD application did not help
Reinstalling the NuGet packages did not help
Changing the authority from login.windows.net to login.microsoftonline.com did not help
Token generation does not work with client secrets and not with a certificate
Decoding the generated JWT token shows the permissions required for the action
Solution
It seems, that the documentation from microsoft is not correct. Listing users requires the Directory.Read permission.
Update
According to Microsoft it is not clear, if this is a bug in Graph API or the documentation is wrong.
An issue is open at Github here.
Update 2
This issue was fixed in an update of the Graph API in May 2017.
I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.
The user rights that I ask are:
Sign users in
Read calendars in all mailboxes
Read directory data
Read all users' full profiles
Sign in and read user profile
Enable sign-on and read users' profiles
Read directory data
And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]
Getting all the users works fine with this call:
https://graph.microsoft.com/v1.0/users
However now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the ID's in the application... I found this call and tried executing it:
https://graph.microsoft.com/v1.0/me
But I'm getting back this:
784: unexpected token at '{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe",
"date": "2016-10-22T01:26:54"
}
}
}'
What am I missing here?
Just to make sure, can somebody confirm that what I plan to do is possible:
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
From the error message, it seems you were using the app-only token which acquire using client credential flow to call the Microsoft Graph. There is no user context info in the app-only token. So it is not support to call this REST using this kind of token.
And based on the description, you were authenticating the users with OpenId connect protocol. To get the user info, we can retrieve these information from the id_token. And if you were developing ASP.Net web application, you also can get there information from ClaimsPrincipal class easily.
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.