I have a website which allows admin users to connect to their Office 365 account. From this I can read the calendars of all users and also get a user list. This all works fine.
The user rights that I ask are:
Sign users in
Read calendars in all mailboxes
Read directory data
Read all users' full profiles
Sign in and read user profile
Enable sign-on and read users' profiles
Read directory data
And these are the scopes: ["openid", "Calendars.Read", "User.Read", "User.Read.All", "offline_access"]
Getting all the users works fine with this call:
https://graph.microsoft.com/v1.0/users
However now I want to enhance the features so users are logged in automatically. So all I need is a call to get the current profile of the user so I can match the ID with the ID's in the application... I found this call and tried executing it:
https://graph.microsoft.com/v1.0/me
But I'm getting back this:
784: unexpected token at '{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'a6787ee0-4ba1-421f-a19c-beadf693b9eb' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "c767c4ee-0912-4744-a7e4-59a8a23626fe",
"date": "2016-10-22T01:26:54"
}
}
}'
What am I missing here?
Just to make sure, can somebody confirm that what I plan to do is possible:
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
From the error message, it seems you were using the app-only token which acquire using client credential flow to call the Microsoft Graph. There is no user context info in the app-only token. So it is not support to call this REST using this kind of token.
And based on the description, you were authenticating the users with OpenId connect protocol. To get the user info, we can retrieve these information from the id_token. And if you were developing ASP.Net web application, you also can get there information from ClaimsPrincipal class easily.
Have the admin user authenticate and give access (see rights above)
Sync the users so they exist in my webapp as well (and I have their ID's)
When another user is already signed in to MS, I want to detect this when they go to my webpage and sign him in as well in my webapp
The app is protected by Azure AD. So if you mean that the users already signed in to MS with Azure AD account, yes your app could detect this and sign-in the users.
Related
We have register new app in Azure AD use clientid and client secret to login and check other user details but now we removed all permission for the clientid and check using postman as well as from application,but its still login to app and able to get the other users details using https://graph.microsoft.com/v1.0/users for users and https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token for token. Question is how user is getting the access when all permission already revoked?
Even you revoked all permissions, please try resetting the signInSessionsValidFromDateTime user property to current date-time.
This must be performed by user or administrator.
By doing this, it deletes all the session cookies stored in user's browser that removes all the refresh tokens issued to application for a user.
Please ensure to have User.ReadWrite.All, Directory.ReadWrite.All permissions.
To revoke sign-in sessions from Microsoft graph explorer, try using the below query,
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions (Or)
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
Please find below links if they are helpful.
References:
user: revokeSignInSessions - Microsoft Docs
App can still get data via Microsoft Graph API after user revoke permission from My Apps Portal
Good day
I follow this https://learn.microsoft.com/en-us/graph/use-postman part of Set up application API calls.
I'm able to get users via API: https://graph.microsoft.com/v1.0/users
but not able to get messages via API: https://graph.microsoft.com/v1.0/users/{ {UserId}}/messages, it show me error below.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2020-06-28T06:16:03",
"request-id": "c0c3d9d5-9fa5-47a0-8b81-df85663ba297"
}
}
}
API Permission granted as below, could anyone advise how to fix above error?
API Permission in Azure
Postman Request for get Token
Thanks for sharing the request-id,timestamp(date) and postman Snapshot. Your application is an multitenant application and needs an additional step to get the permissions approved(admin consent). Here are the steps:
In the azure portal(portal.azure.com) navigate to the enterprise application.
Change the application type filter to "All application" and search for your application.
Click on the application name and click on the permission menu.
Click on grant admin consent for tenant (refer screen shot below).
After the above step, you will be able to get token with all the approved permissions.
Personal Account
Your application is preauthorized to read the messages (email) for the users within your tenant. Yours personal account (Microsoft Account) emails are stored your tenant context or any azure ad tenant context. To read personal account emails, application need to call /me/message graph API with delegated permission.
I am working on a document management application, which users should be able to access folders in oneDrive, sometime work on the same document/file, edit, copy document in application and upload document from application to the oneDrive. And it means that folder should be available to all users who has right. I could make all works when I am using my own personal account, for example I am using this url for getting list of files from a folderX:"https://graph.microsoft.com/v1.0/me/drive/root:/folederX:/children"", all works perfectly. But When I am using business account it doesn't work. I authenticate via tenant ID and I get correct token, but after that I get 400 error.
Now, I am really confused if what I want to achieve here is really possible via oneDrive for business or we should use sharepoint? Because apparently folderX is shared with me in oneDrive business account and it doesn't exist in my own oneDrive.
Sorry if the question seems stupid but I am really confused here.
the error is:
This is error:
{ "error": { "code": "accessDenied", "message": "There has been an
error authenticating the request.", "innerError": { "request-id":
"230e946c-d81a-4bf1-903e-26d92c5441db", "date": "2019-09-20T10:12:38"
} } }
I understand that you are trying to use a personal Microsoft Account to access the files which have been shared with you in your customer's OneDrive for business. Correct me if there is any misunderstanding.
If so, you need to use the OAuth 2.0 code grant flow to get the access token.
Firstly, I assume that you have added your personal account as a guest user to your customer's Azure AD. And the file has been shared with your personal account. And the correct delegated permissions have been assigned in the App registered in your customer's Azure AD.
Request an authorization code like this:
https://login.microsoftonline.com/{Tenant ID of your customer}/oauth2/authorize?
client_id={app id of the app registered in your customer's Azure AD}
&response_type=code
&redirect_uri={redirect uri of the app registered in your customer's Azure AD}
&response_mode=query
&resource=https://graph.microsoft.com
&state=12345
You will get a response like this:
https://localhost/?code={code}&state=12345&session_state=54572324-6121-4add-85f8-22e3a815646b
Please copy the "code" here for late use.
Then you can send a request for access token:
Replace "jmaster.onmicrosoft.com" with your customer's tenant and modify the other values (including client_id, client_secret, redirect_uri and code) in Body.
After getting the access token, you can send a request to access the shared files.
https://graph.microsoft.com/v1.0/users/{user id}/drive/root:/folederX:/children
Please note that the "user" here is who shared the files with you.
I am working on an app where i have some users on azure ad and some users need to be externals(ex:gmail).Iam using microsoft graph api to invite users from external. All these users are have user administrator role in AD.
I am able to invite external user successfully with internal user credentials. But when i try to invite external user again with the invited user details i am getting
error :
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.",
"innerError": {
"request-id": "2d6d6c29-4f13-4eeb-bae4-2d6cc0d2de00",
"date": "2019-05-27T13:22:20"
}
}
}
I am using postman to check these apis.I have attached the request details to get the jwt token.Can you please help here. Let me know if you need more info.
I can reproduce your issue if I add Google as an identity provider for B2B guest users.
I have also tried with Graph explorer. We can not even use this tool since the google account is not a microsoft account.
Maybe the only way to invite another guest user with the invited google account(isn't a microsoft account) is using Azure portal.
Google guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>
I created a new app registration in Azure Portal and added O365 SharePoint-Permissions.
I only allowed "Read user profile", what is the scope "User.Read.All". Then I request a token and authenticate as a user, that is global SharePoint-Administrator.
The access token I get contains: "scp": "User.Read.All", what is exactly, what I expected.
But if I use this token to read files from site collections, this also works. I can perform search queries with the User.Read.All Scope- what shouldn't be possible, because I only delegated the "Read user profile"-Permission to the app, that uses the token.
Any proposals, what I am doing wrong?