I have an app defined in Azure that has permission to read Exchange mailboxes. I use Azure to get an access code and then access token, and can successfully read messages from the current user's mailbox. The issue I have is when the current user has delegate rights to a mailbox, this same process results in a 403 Forbidden error rather than the data. If I open up Outlook I can see the delegate mailbox, it's only when trying to access it via the o365 APIs that it fails.
Once I have my access token I'm asking for the data from this endpoint: https://outlook.office.com/api/v1.0/users/mailboxupn#foo.com/messages. As I say, works fine for getting email from your mailbox, but not for a mailbox to which you have delegate rights. I've also confirmed that if I log in and get an access token as the owner of the mailbox that has the delegated rights, I'm able to successfully retrieve data.
I've seen a few questions on this (on Matthias' blog) but no answers. Is there a way to do this?
Thanks.
The Office 365 REST API doesn't support to get the messages as a delegate. You may consider using EWS instead.
Below link maybe helpful:
https://msdn.microsoft.com/EN-US/library/office/dn641963(v=exchg.150).aspx
Hope it is helpful.
Related
I get the error "OrganizationFromTenantGuidNotFound" while trying to access to my inbox messages.
To explain I am trying to develop an app and in this app I need to access my inbox e-mails.
So I try to use the Outlook API and for that I created an APP with all demanded permissions "Email.Read, Email.ReadBasics, Emails.ReadAll...". I have an Office 365 Family subscription, and an active paid azure subscription. My question is why getting my personal information works '/users/{user-id}' but when accessing to emails I got this error ? I read a lot of docs and never get an answer... Maybe my subscription does not get me access to Microsoft Exchange Online License, or due to my old microsoft address "...#live.com" maybe it is not compatible, I dont't know, if someone can help me to clear it out, would be great. Oh, and abviously my Office 365 and Azure account are the same.
I tried, with 'client credentials flow authentication' (which give me the error 'need more privileges'), went back to Authorization Code Flow Atuhentication but then I get the OrganizationFromTenantGuidNotFound error. But only on /messages endpoint, the endpoint users/{user-id} works. Obviously I tried all threads I found, even with an Office 365 Developer account but don't really see the correlation with my problem here.
I am trying to use "https://graph.microsoft.com/v1.0/me/events" or "https://graph.microsoft.com/v1.0/me/onlineMeetings" to create online meeting programmatically.
I used help from many resources specially this
https://vikrantsdynamicsblogs.wordpress.com/2020/03/28/programmatically-create-the-teams-meeting/.
I have used this API to get token using password grant type
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" but the problem happened when I am calling "https://graph.microsoft.com/v1.0/me/onlineMeetings" I got 403 Forbidden
and when I am trying to call "https://graph.microsoft.com/v1.0/me/events" using the same access token I am getting this response
I have added delegate permission from Azure portal
Any Ideas why both are not working with me?
Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). We could refer to this doc to resolve Microsoft Graph authorization errors.
We cannot create online meeting via personal Microsoft account, if you are using work or school account, we need to ensure the account has the permission: OnlineMeetings.ReadWrite, if you are create online meeting via Application, we need OnlineMeetings.Read.All and OnlineMeetings.ReadWrite.All* permission, check this Create onlineMeeting and Online meetings permissions for more details.
We are trying to use the SharePoint REST API to retrieve the list of hubs a user has access to. When I, as a SharePoint admin call the api (https://[tenant].sharepoint.com/_api/hubsites) I get the list of hubs correctly. However when anyone else calls the api they get a empty response. They have contribute rights to the SharePoint home site as well as the Hub and all connected sites.
Thanks
Based on Microsoft Documentation , this RESTful service should be "callable" by any user with read permission to the site.
Gets information about all hub sites that the current user can access.
Are you sure those users do have access to Hub sites? Can you share the empty responses you gerfrom those users calls?
My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.
How does an Office 365 administrator grant permissions for an email account to be accessed via the REST API? To be more specific: to grant the "Required Scope"
The Office 365 administrator at the company I work for and myself were on the phone for at least an hour with the people at mssupport_microsoft_com attempting to find an answer to this question. Both the first level and second level support people admitted they could not find the answer to this question. ??
The REST API is documented at: https://msdn.microsoft.com/office/office365/APi/mail-rest-operations.
Note that for each API endpoint there is a line that looks to me like a permissions value. For example for the "get messages" API there is:
"Required scope: Mail.Read". For the send message there is: "Required scope: Mail.Send" and for delete message there is: "Required scope: Mail.ReadWrite". Simple straight forward stuff.
I'm accessing my personal email for the company I work for and I am able to, via the aforementioned REST API's, send messages and fetch messages; NO PROBLEM. When I attempt to delete a message, the response is 403; Forbidden.
Assuming that my account has not been granted the correct permission for delete: Mail.ReadWrite, I contacted the Office 365 administrator at my company and requested that he review the permissions granted to my account and to grant me Mail.ReadWrite. He agreed that this must be the issue.
However, his training had not prepared him for this request. He didn't know how to do it. So, he contacted MS support to to find out how he(as the sole administrator) could grant my account permission to be accessed by the REST API. And, like I mentioned above, the ms people did not know how to administer this functionality.
I asked if there was an administrators guide ANYPLACE that would document this feature and the ms people didn't have a clue.
Anybody?
p.s. I'm accessing the api's with the python requests package.
Looking at the response in more detail revealed this is the problem:
{"error":{"code":"OAuthMissingForThisService","message":"Authentication for this service requires OAuth: outlook.office.com."}}