Our web app has delagated Notes.ReadWrite.All permission, but for perticular client follwing call to
GET https://graph.microsoft.com/v1.0/groups/:groupid/onenote/notebooks
is returning 401 Unauthorized
User is member of that group and can access Group Notebooks using sharepoint site
Edit:
Requested permissions are (all dlegeated)
Mail.Send, User.ReadBasic.All, User.Read, Group.ReadWrite.All, Mail.ReadWrite, Tasks.ReadWrite, Calendars.ReadWrite, Files.ReadWrite, Notes.ReadWrite.All, Directory.Read.All
Edit 2
Call to Group OneDrive works from our app
call to group onenote notebook fails with 401,
call to personal onenote notebook fails with 404
All calls are from our application only
Is this issue only for one client?
You might need Group scopes as well.
Please refer: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#group-permissions
Related
I am trying to use "https://graph.microsoft.com/v1.0/me/events" or "https://graph.microsoft.com/v1.0/me/onlineMeetings" to create online meeting programmatically.
I used help from many resources specially this
https://vikrantsdynamicsblogs.wordpress.com/2020/03/28/programmatically-create-the-teams-meeting/.
I have used this API to get token using password grant type
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" but the problem happened when I am calling "https://graph.microsoft.com/v1.0/me/onlineMeetings" I got 403 Forbidden
and when I am trying to call "https://graph.microsoft.com/v1.0/me/events" using the same access token I am getting this response
I have added delegate permission from Azure portal
Any Ideas why both are not working with me?
Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). We could refer to this doc to resolve Microsoft Graph authorization errors.
We cannot create online meeting via personal Microsoft account, if you are using work or school account, we need to ensure the account has the permission: OnlineMeetings.ReadWrite, if you are create online meeting via Application, we need OnlineMeetings.Read.All and OnlineMeetings.ReadWrite.All* permission, check this Create onlineMeeting and Online meetings permissions for more details.
We are trying to create a scheduled meeting in teams using the Microsoft.Graph.Client SDK.
Environment .NET Core 3.1.
When we call functions that update or read the events we get always the same error:
Code: ErrorAccessDenied
Message: Access is denied. Check credentials and try again.
Inner error:
AdditionalData:...
the api called is:
POST /groups/{id}/events
if we try also with the update of a manually created event we get the some error.
the api called is:
PATCH /groups/{id}/events/{id}
in azure we granted some permission.
I tried both delegated and application authentication.
Thanks for your answer!
according to microsoft docs, the permission Delegated (work or school account) Group.ReadWrite.All is required:
https://learn.microsoft.com/en-us/graph/api/calendar-post-events
perhaps you could run your code as team owner.
or you could try it with this approach:
https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings
POST https://graph.microsoft.com/beta/app/onlineMeetings
https://myteamsday.com/2019/09/10/using-graph-api-to-create-a-instant-meeting-in-teams/
I am attempting to create an event in a group via the Microsoft Graph Api.
I can currently Create/Update and delete groups however I am unable to interact with events inside these groups. I can also create events in calendars that are not inside a group
I have checked that I have all of the permissions as detailed in the documentation and I am not missing any that are listed. The only one listed for this API call is
Group.ReadWrite.All
However, I already have this permission (evident by being able to create and update a group)
If it helps, we are attempting to create shared calendars via the API, and it seemed that groups were the only way to achieve this.
To Replicate
Setup an application that calls the graph v1 API using application permissions. (Note: This issue does not occur with delegated permissions)
Give your application the following permissions
Group.ReadWrite.All
User.ReadWrite.All
Calendars.ReadWrite
Directory.ReadWrite.All
Send the following request (with the appropriate body):
POST /groups
This will work and so will the following request:
POST /groups/{id}/members/$ref
However, this request will return a 403:
POST /groups/{id}/calendar/events
and so will this
POST /groups/{id}/events
My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.
Trying to use the Unified API to fetch all groups. Using this URL - https://graph.microsoft.com/beta/myorganization/groups but getting 403 - code: "Authorization_RequestDenied", message: "Insufficient privileges to complete the operation".
However, it seems like I do have the right permissions - I have Group.Read.All in my token scope which is what's required by this API - see here.
Could it be because I'm using the Office 365 Unified API as another service (acquiring a separate access token) alongside the old existing code that already uses graph.windows.net?
You should be able to get the results back if the token has Groups.Read.All scp claim. Make sure you are getting a token for the right resource resource=https://graph.microsoft.com/. If you are unsure you can use this tool http://jwt.calebb.net/ to parse and validate you have the right audience claim.
Getting groups (read) worked fine with me in unified API Preview, with the following permissions:
Read and write all groups (preview)
Enable sign-in and read user profile
Try adding "Read and write all groups (preview)" not "Read All Groups (Preview)"
However, if you are trying to create a group, you will need to also add another directory permission (unfortunately will need admin consent):
Read and write directory data
these are very weird behaviors from Office365 unified APIs, but we should excuse the APIs as you can see "beta" inside the endpoint URL.