Are access tokens returned from Microsoft's v2 authentication endpoint valid for accessing the Excel REST API?
I receive an access token when going through the OAuth flow, and can access OneDrive endpoints such as:
GET https://graph.microsoft.com/v1.0/me/drive
But if I try to access an Excel endpoint such as:
GET https://graph.microsoft.com/v1.0/me/drive/items/{id}/workbook/
... I get 404 ResourceNotFound error
Note that I've registered for my Client ID via the Microsoft app registration portal
The v2.0 endpoint could works well for this API when I test with the work account. And I also reproduced this issue when I use the personal account.
Related
Have tried many ways via code and Postman and no luck of getting a state of subscription like you would get via this link: https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list - here via the site you get a list of subscriptions and their "state": "Enabled" as an example.
Have no problem of getting auth tokens using scopes below but then impossible to get subscriptions list. If I use token from Microsoft site, the call in Postman to get subscriptions works fine.
The site is using Azure Active Directory OAuth2:
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Using Postman I have tried getting subscriptions using these scopes along with auth token:
api://blah/.default - Invalid Authentication Token Audience
https://graph.microsoft.com/.default - Authentication failed
https://management.azure.com/.default - pass but 0 results
https://management.core.windows.net/.default - pass but 0 results
I guess when using the site you login as a user and password vs in the code using client app and app secret. Is this workflow even possible?
The registered app has all kinds of API permissions. Something this simple should not be so hard. The idea here is to programmatically check via console app if Subscription is "Enabled".
After debugging this via Postman it turns out to be a permissions issue where you have to add the application you created/using to authenticate to the Access Control (IAM) of the subscription. This post describes the error and resolution: The client with object id does not have authorization to perform action 'Microsoft.DataFactory/datafactories/datapipelines/read' over scope
If you have multiple capacities created then you have to add your application to all of those subscriptions. Then you will get a list and can then check each one.
I'm working on accessing personal documents of users using the API provided by Microsoft Graph, but I am having issue with authentication.
According to this documentation I can simply create an application, set the right scopes (etc.) and then aquire an access token for a given user - this is working perfectly right now.
Querying URLs like https://graph.microsoft.com/v1.0/me/drives works - I get a https://onedrive.live.com drive as a result.
What the API doesn't return is data about a second drive on https://{tenant}-my.sharepoint.com. I have tried accessing this data using the API Endpoint: https://{tenant}-my.sharepoint.com/_api/v2.0 using the Microsoft Graph authentication token. This returns the following error:
{
"error_description": "Unsupported security token."
}
How do I access the API of such an Office 365 OneDrive?
The sharepoint.com/_api/v2.0 API is not a Microsoft Graph API and it doesn't support Converged Auth tokens from the v2 Endpoint.
Accessing SharePoint Drives uses the same API as OneDrive and OneDrive for business:
/v1.0/sites/{siteId}/drives
For example, if you had a team site named "AwesomeTeam" you retrieve a list of drives for that site using:
/v1.0/sites/root/:/teams/AwesomeTeam:/drives
I'm trying to access the signed in user's Profile Photo in the context of an email app which uses EWS to connect to Office 365.
The app is registered on portal.azure.com with the following required permissions:
Office 365 Exchange Online -> Access mailboxes as the signed-in user via Exchange Web Services
Windows Azure Active Directory -> Sign in and read user profile
The EWS part works just fine, I'm able to sign the user in, get the access and refresh tokens, and perform EWS operations using "Authorization: Bearer access_token".
The part I'm having trouble with is getting the user's profile photo.
This is the docs I'm going by:
https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations
The API endpoint I'm trying to use is:
GET https://outlook.office.com/api/v2.0/me/photo
... with "Authorization: Bearer access_token" header.
The above API returns this response:
HTTP 403
{"error":{"code":"ErrorAccessDenied","message":"Access is denied.
Check credentials and try again."}}
What could be wrong?
According to the above docs, getting user's photo should be possible using the user.read scope.
The "Sign in and read user profile" permission I mentioned above has a tooltip saying "User.Read", so I believe that's the right scope
I've tried decoding my access token at jwt.io, it has: "scp": "full_access_as_user" - where is my User.Read scope, or does "full access" include "user.read"?
Any ideas?
This is because that you tried use v2 endpoint Rest API but you didn't register the Application with v2 endpoint.
User Photo API is only available on Azure AD v2 authentication endpoint, Not Azure AD and Oauth:
You need to go to Microsoft Application Registration Portal to register your Application. For more details , you can refer to this document.
Just for the record:
Since we were not able to use OAUTH2 APIs for this -
since and our app uses EWS (Exchange Web Services) already...
We just ended up using the GetUserPhoto command with the user's (account's) own email address.
Works fine.
I've created a sample MVC app using VS 2015 and used Azure AD Auth wizard. When I launch this web application, it asked me to register app with Azure AD (first time only) and then userid/password. I have entered Office 365/Azure AD account and successfully logged in. Everything is working perfectly fine and at the top right, I can see Hello "myname".
Now I tried to make REST call to Office 365 using RestSharp. It is giving me 403 error (access denied).
When I tried to use graph api url https://graph.windows.net/testname.com/groups?api-version=1.6, I am getting error unauthorized access.
Here is my test code with graph API call:
string url = "https://graph.windows.net/testname.com/groups?api-version=1.6";
var client = new RestClient(url);
client.ClearHandlers();
var jsonDeserializer = new JsonDeserializer();
client.AddHandler("application/json", jsonDeserializer);
var request = new RestRequest(Method.GET);
var queryResult = client.Execute(request);
I am using same code with O365 REST url for Office 365 call.
Why I am getting access denied in both cases if my app is already authenticated against Azure AD which is the base authentication. Also Request.IsAuthenticated is always true.
Isn't a single identity provider (AAD) used for Azure, Office 365 and related resources?
It's possible your app isn't configured to call the /groups endpoint of graph. While the end user is authenticated and you have gotten tokens for the Azure AD Graph (graph.windows.net), this access token needs to have a certain set of permissions to call the endpoints.
To configure these graph permissions, you can go to the Azure Portal, select Azure Active Directory, then App Registrations, and finally Required Permissions. The resource your calling is Windows Azure Active Directory and then you can look through the list of scopes for what you want to call.
Another great resource I'll recommend is the Azure AD Graph Explorer. This can help understand the type of data the graph can provide.
Edit: Checkout comments for answer. OP had used the OpenID Connect middleware (OWIN) and needed help getting an access token for a resource. In order to do this, you must use a combination of OWIN + ADAL. OWIN gets an auth code, and ADAL can exchange this auth code for an access token.
I'm trying to access the SharePoint [Online] REST API from an external application. I've registered it in Azure under an admin account and assigned it the appropriate user-delegated permissions (Office 365 SharePoint Online).
I use ADAL.js to make a call to acquireToken and use that token in my Authorization header. A valid-looking token is getting attached, but I'm getting the following 401 error in the response:
Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown
The acquireToken() method does take a resource param, and from what I've read online, this value for the SharePoint API should be https://[tenant].sharepoint.com, but that only returns a null bearer token.
What I do instead (which triggers the previous 401 error) is to simply set the resource to the app ID generated in Azure. That ends up getting set as a token in my localStorage cache. So that bearer token does return, but I get the exception.
Two questions:
What is the resource string, and what is the proper value to call on acquireToken(), seeing that calling it with my app ID (same thing I'm using as the client ID in my ADAL config) is the only value which returns a bearer token successfully? Is there a list of proper resource strings for each Microsoft API? I've been having trouble finding documentation on this topic.
Is the problem with my configuration on Azure?
Thanks!
To use the SharePoint online REST, we can use the discovery service REST to find the SharePoint service endpoint. You can find all the service resource id from the serviceResourceId of response.
You can also consider using the Microsoft Graph which exposes multiple APIs from Office 365 and other Microsoft cloud services through a single endpoint.
More detail about discovery service REST API, you can refer here.