First of all, I am no developer. I manage an Office 365 server for my company and I would like to do some heavy reporting using excel.
I have learned of Microsoft Graph and how I could get my data with it.
I created an app in Azure Active Directory, and I tried to set it up.
I added authorizations for Microsoft Graph, including Read All users full profile.
I add one Read directory data permission for Windows Azure Active Directory too.
I clicked on the Grant Permission button.
In the manifest, I changed those parameters to true :
oauth2AllowImplicitFlow
oauth2AllowUrlPathMatching
Now from Excel (2016), I am trying to add a new OData Source, and tried
https://graph.microsoft.com/v1.0/users
I entered my credentials (as Global administrator) using the Professionnal Account tab, and unfortunately, I only get Resource Access Denied (Sorry if the message is not accurate, I get it in another language).
Could anyone give me a hand in telling me what I have missed, please ?
Thank you in advance.
I had similar issue and found that the problem might be that incorrect flow is being used to authenticate.
Warning: once you change your permission and grant them it may take up to 30 mins for the permission to be granted.
First of all, please check your access token (you can decode it easily using https://jwt.io. As a result you should receive this part in your decoded payload:
"roles": [
"User.Read.All"
],
If you don't see it it means that permission is not granted properly. As you wrote that you enter the credentials I assume that you use authorization code grant flow.
To resolve this you you can first check whether you granted application permission or delegated permission to your app. You can look at this page to see the difference. If you want to use application permission you can use client credential flow. If you want to use delegated permission you can use authorization code grant flow.
In application settings > Required permissions you can check which permissions you granted and correct it, if needed:
If you are using authorization code flow you can also add delegated permission to your app and check if new access code contains required role (keep in mind that some permissions might be available only in one of the categories - however, Users.Read.All is available in both).
Source
Related
I am unable to fix the "Requesting Consent" status for an azure Data Factory Pipeline querying some Office365 (Graph) simple data (i.e. smtp addresses and UPN of my colleagues).
Can you suggest me something to check ?
I am adding 2 pictures showing where "Graph Data Connect" is easily enabled, and the always empty PAM (Privileged Access Management) portal.
New image: Graph Data Connect configurator
New image: Empty PAM portal
As per the error we could see its a permission issue where you need to be Granted Permission before querying in Graph to pass simple data (i.e. smtp addresses and UPN of my colleagues).
Here, are the steps how you can add permissions:
You have to create a API permissions service, you have to Grant Permission for reporting API, must allow your app the appropriate
permissions based on the API you wish to access.
Next you could navigate to API Permission in the left column under the Manage.
Then you can click on +Add Permission as shown in bubbles in the Snip.
Please grant the permissions Directory.ReadWrite.All and Users.ReadWrite.All.
At last I found what was missing: it was a licensing requirement, but nothing warned me about this in PAM page. Simply nothing was listed in it.
If you like, here are the requirements nowadays.
Have a nice day to everyone !
Julian
What I need:
I need to read an excel table from Microsoft Teams Channel with Microsoft Graph API.
That is possible with the following URI:
https://graph.microsoft.com/v1.0/drives/someId/items/someId/workbook/tables/tableName/rows
The problem is, that this endpoint needs a valid token.
There are 2 opportunities:
Create Azure AD Application, that have access to the whole OneDrive.
Create Azure AD Application to retrieve a token for a service user, that have access to needed files.
The problem of the first one is, that I don't want to give it access to the whole OneDrive. I want it to have an access just to one OneDrive folder.
Maybe there is some possibility to limit the access just to one OneDrive folder?
I've tried the second alternative with com.microsoft.aad.msal4j library:
String APP_ID = "20106bdc-eec0-493d-b32f-526583aa95a6";
String AUTHORITY = "https://login.microsoftonline.com/112121a0-cc1f-12af-1213-faaa12ef1b11/v2.0";
PublicClientApplication pca = PublicClientApplication.builder(
APP_ID).
authority(AUTHORITY).build();
String scopes = "User.Read";
UserNamePasswordParameters parameters = UserNamePasswordParameters.builder(
Collections.singleton(scopes),
userName,
password.toCharArray()).build();
IAuthenticationResult result = pca.acquireToken(parameters).get();
But this leads to the following exception:
com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Any ideas? Thank you
For this issue, you need to learn about the difference between ConfidentialClientApplication and PublicClientApplication.
Please see Public Client and Confidential Client applications.
Public client applications are applications which run on devices (phones for instance) or desktop machines. They are not trusted to
safely keep application secrets, and therefore access Web APIs in the
name of the user only (they only support public client flows). Public
clients are unable to hold configuration time secrets, and as a result
have no client secret.
So for PublicClientApplication, we don't need a client secret.
What you need to do is (which you have found from this comment):
In the Application menu blade, select Manifest, and in the manifest editor, set the allowPublicClient property to true.
There is a completed sample with detailed steps here for your reference.
Besides, since you are trying to read an excel table, user.read permission is not enough.
Based on List rows Permissions, you need to add Files.ReadWrite delegated permission in the Azure AD app (app registration). And you should also specify it in your code.
All steps that I've done, so that it works:
I need to access a shared folder, so I needed to change the scope to "Files.ReadWrite.All" in my code.
In the list of pages for the app, select API permissions, click the Add a permission button and then, ensure that the Microsoft APIs tab is selected. In the Commonly used Microsoft APIs section, click on Microsoft Graph. In the Delegated permissions section, ensure that the right permissions are checked: Files.ReadWrite.All. Use the search box if necessary. Select the Add permissions button.
In the list of pages for the app, select Manifest, and in the manifest editor, set the allowPublicClient property to true, select Save in the bar above the manifest editor.
Login as a tenant admin to https://portal.azure.com. Open the registration for your app. Go to Settings, then Required Permissions. Press the Grant Permissions button.
My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.
Trying to use the Unified API to fetch all groups. Using this URL - https://graph.microsoft.com/beta/myorganization/groups but getting 403 - code: "Authorization_RequestDenied", message: "Insufficient privileges to complete the operation".
However, it seems like I do have the right permissions - I have Group.Read.All in my token scope which is what's required by this API - see here.
Could it be because I'm using the Office 365 Unified API as another service (acquiring a separate access token) alongside the old existing code that already uses graph.windows.net?
You should be able to get the results back if the token has Groups.Read.All scp claim. Make sure you are getting a token for the right resource resource=https://graph.microsoft.com/. If you are unsure you can use this tool http://jwt.calebb.net/ to parse and validate you have the right audience claim.
Getting groups (read) worked fine with me in unified API Preview, with the following permissions:
Read and write all groups (preview)
Enable sign-in and read user profile
Try adding "Read and write all groups (preview)" not "Read All Groups (Preview)"
However, if you are trying to create a group, you will need to also add another directory permission (unfortunately will need admin consent):
Read and write directory data
these are very weird behaviors from Office365 unified APIs, but we should excuse the APIs as you can see "beta" inside the endpoint URL.
I'm getting the following error when non-global admin users are trying to access graph explorer 2 within our tenant:
Additional technical information:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f
Timestamp: 2015-05-29 17:18:48Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "users may give applications permission to access their data" set to use. We also have "users may add integrated applications" to yes.
Just wanted to check which URL you are going to. We have 2 "graph explorers" - one is for exploring Azure AD Graph API, while the other (called API explorer) is for exploring the Office 365 unified API.
If you are going to https://graphexplorer2.cloudapp.net - this is (AAD) graph explorer, and should not require admin permissions. Please let us know if this is what you are using and if this is causing issues.
If on the other hand you are going to https://graphexplorer2.azurewebsites.net - this is the API explorer, and due to the number of APIs it requires access to, it currently requires admin consent. We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently).
Hope this helps,
I ran into this issue today and here what I did:
Login to your AD application in classic portal
(https://manage.windowsazure.com/)
Under "Configure" section, there
is "permissions to other applications", look at the "delegated
permissions" for "Window Azure Active Directory".
Make sure you pick
the correct permissions for your app. Normally, "Sign in and read
user profile" is enough for user to login.
For more information you
can take a look at this link
https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
I worked for Skype for business online use case (WEB API). I faced this issue for users not global admins. The users who added by global admin.
I managed to resolve the issue by passing extra parameter prompt=admin_consent.
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + window.location.href+'&prompt=admin_consent';
For more details visit link https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/