In Office365, we are uploading a file “File1” to OneDrive using the user “UserA”. We then are getting the permissions of that file using the graph api (https://graph.microsoft.com/me/drives/[DriveId]/items/[itemId]/permissions) and get back permissions as we would expect:
"permissions": [
{
"grantedTo": {
"user": {
"email": "UserA#wherever.com",
"id": "ef7bd4af-3f36-4e81-9f76-296f4956b807",
"displayName": "User A"
}
},
"id": "aTowIy5mfG1lbWJlcnNoaXB8ZGRyYXBlckBmaXJlbGF5ZXJzLm9ubWljcm9zb2Z0LmNvbQ",
"roles": [
"owner"
]
}
]
However, we are then uploading the same file (using the same user) to a newly created SharePoint site named “Site1” and getting the permissions for that file (again using the graph api). Unlike with the OneDrive file permissions, the permissions returned for this SharePoint file do NOT contain “UserA” but include only 3 site-specific groups (which seem to be created automatically when creating a new SharePoint site)
"permissions": [
{
"grantedTo": {
"user": {
"displayName": "Site1 Owners"
}
},
"id": "QXRoYXlUZXN0IE93bmVycw",
"roles": [
"owner"
]
},
{
"grantedTo": {
"user": {
"displayName": " Site1 Visitors"
}
},
"id": "QXRoYXlUZXN0IFZpc2l0b3Jz",
"roles": [
"read"
]
},
{
"grantedTo": {
"user": {
"displayName": " Site1 Members"
}
},
"id": "QXRoYXlUZXN0IE1lbWJlcnM",
"roles": [
"write"
]
}
]
When listing all groups for the SharePoint site, none of these 3 groups are listed. A group named “Site1” does however but doesn’t contain any users added to any of these 3 groups.
How do we get additional information for these groups (i.e. the users who are a part of a given group) using the graph API / is that even possible?
I am not sure that it is possible via the Graph API but SharePoint does have a RESTful API that focuses on users and groups and that should be helpful. It does include extensive examples here:
https://msdn.microsoft.com/en-us/library/office/dn531432.aspx
Related
I created conditional access policy using this from my previous question reply here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
I want to change few properties like roles to User administrator and grantControls to allow access with mfa in this existing policy from Graph.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I have one existing conditional access policy with below properties:
To update this policy via Graph API, make use of below query based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
"displayName": "Require MFA to User Administrators.",
"state": "enabled",
"conditions": {
"users": {
"includeRoles": [
"fe930be7-5e62-47db-91af-98c3a49a38b1" //ID of User Administrator role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
Response:
When I checked the same in Portal, properties updated successfully like below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of policy using below query:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName' &$select=id,displayName
Response:
So I am not sure where I am going wrong but here goes!
I want to list files on my test Sharepoint site via the MS GraphAPI. This via the documentation should be simple but it's just not happening!
I am using the GraphAPI explorer
https://developer.microsoft.com/en-us/graph/graph-explorer/preview
I then can see my site and its shared folder via this call
https://graph.microsoft.com/v1.0/sites/MyCompany.sharepoint.com:/sites/burf-test:/drive
I get back:
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives/$entity",
"createdDateTime": "2020-04-19T05:47:58Z",
"description": "",
"id": "b!BWveRisE5UWH2b_vq03PZYmZdMdKpQtFhpIQSacsCowq3ZxYLFsFQKtzuZ4-V1ya",
"lastModifiedDateTime": "2020-04-30T13:50:28Z",
"name": "Documents",
"webUrl": "https://-.sharepoint.com/sites/Burf-Test/Shared%20Documents",
"driveType": "documentLibrary",
"createdBy": {
"user": {
"displayName": "System Account"
}
},
"owner": {
"group": {
"email": "Burf-Test#-.onmicrosoft.com",
"id": "e48afefa-2aa8-4cd5-aad9-62f746a991c2",
"displayName": "Burf-Test Owners"
}
},
"quota": {
"deleted": 0,
"remaining": 0,
"total": 0,
"used": 0
}
}
I can not find a way to list the files that I can see via my Sharepoint portal (Burf-Test)?
Tried
/drive/root/children
/drive/b!BWveRisE5UWH2b_vq03PZYmZdMdKpQtFhpIQSacsCowq3ZxYLFsFQKtzuZ4-V1ya
/drives/b!BWveRisE5UWH2b_vq03PZYmZdMdKpQtFhpIQSacsCowq3ZxYLFsFQKtzuZ4-V1ya
/drive/Documents
/lists etc
and a whole lot more!
So the main issue here was actually permissions, sometimes the Graph Explorer will say Access denied, and sometimes it will return a 200 but not show the files. Both mean a permissions issue.
I found I had to grant extra permissions (File ones) to get this to work
https://graph.microsoft.com/v1.0/sites/a-.sharepoint.com,SITE-GUID/drives/FOLDER-GUID/root/children
How to get the Microsoft SharePoint SiteID using Microsoft Graph API Explorer.
Initially i tried with below API i able to get the Site ID
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com:/sites/TestSite:/drives?select=name,id
Sharepoint URL:
https://tenantName.sharepoint.com/sites/TestSite
I output i got is:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"id": "b!l17-JY9YT67Qp-2TBvsUupBLMUF2SrJHp5VylCDZThT7HpCdF-7uQ6NTp6t-MbR5",
"name": "Documents"
}
]
}
But, when i try with Communication Site
Whose SharePoint URL is:
https://tenantName.sharepoint.com/SitePages/DevHome.aspx
Graph Explorer API
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com:/SitePages/DevHome:/drives?select=name,id
I am getting below error:
{
"error": {
"code": "itemNotFound",
"message": "The provided path does not exist, or does not represent a site",
"innerError": {
"request-id": "8329dfca-c63b-4af5-80b8-75f26be9e2e8",
"date": "2019-10-31T13:18:33"
}
}
}
A sitePage is a fundamentally different resource than a site.
A site is a container that owns any number of sub-sites, apps, lists, document libraries, etc.
A sitePage is just another resource owned by a site.
The sitePage resource is currently only available in the Microsoft Graph Beta version.
So the query for /SitePages/DevHome.aspx would be:
/beta/sites/root/pages/{pageId}
If you don't yet know the correct id for the page, you can filter the SitePage collection based on the page's name:
/beta/sites/root/pages?$filter=name eq 'DevHome.aspx'
This will return a collection with a single entity (the DevHome.aspx page):
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites('root')/pages",
"value": [
{
"eTag": "",
"id": "{id}",
"lastModifiedDateTime": "2014-07-10T05:47:29Z",
"name": "DevHome.aspx",
"webUrl": "SitePages/DevHome.aspx",
"createdBy": {
"user": {
"displayName": "System Account"
}
},
"lastModifiedBy": {
"user": {
"displayName": "System Account"
}
},
"parentReference": {
"siteId": "{id}"
},
"contentType": {
"id": "0x0101080062C83F3CFED6744A882F729480DE6C17",
"name": "Wiki Page"
},
"webParts": [],
"publishingState": {
"level": "published",
"versionId": "1.0"
}
}
]
}
I should also point out that you're misinterpreting the result of your first query. When you request /v1.0/sites/{tenant}:/{path}:/drives?select=name,id, you are not getting the IDs for each Site, you're getting the IDs for each Drive within that Site. You can find the objects contained within a site in the Relationships section of the Site Resource documentation
Your Graph API call is incorrect.
Try this one :
https://graph.microsoft.com/v1.0/sites/tenantName.sharepoint.com?select=name,id
I want to build a SAAS Service for Azure marketplace using single-sign-on.
I have read this document Microsoft identity platform access tokens, but can not find anything relate to User's Organization.
Is there any way to get user's Organization name?
For now I only can parser from email.
You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}
You can call this endpoint even with the basic User.Read permission.
In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
"value": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{id}",
"type": "Scope"
},
{
"id": "{id}",
"type": "Scope"
}
]
}
]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use this API Update application, refer to my request sample as below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "863451e7-0667-486c-a5d6-d135439485f0",
"type": "Scope"
}
]
}
]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
"requiredResourceAccess": []
}
Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.