I want to create an application to get contacts from my Office 365 with v2 app model preview (https://msdn.microsoft.com/en-us/office/office365/api/use-outlook-rest-api#v2appmodelpreview).
But I have a problem with access to http://outlook.office.com/api/v2.0/me/contacts. After authorization I have the access token and the refresh token. Then I can get contacts information.
But after an hour my access token is invalid. Using refresh token I get a new access token. But when I try to access my contacts I received error "access token is invalid".
I try to do the same with Azure AD - everything is good. Can anybody help me?
Related
We have register new app in Azure AD use clientid and client secret to login and check other user details but now we removed all permission for the clientid and check using postman as well as from application,but its still login to app and able to get the other users details using https://graph.microsoft.com/v1.0/users for users and https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token for token. Question is how user is getting the access when all permission already revoked?
Even you revoked all permissions, please try resetting the signInSessionsValidFromDateTime user property to current date-time.
This must be performed by user or administrator.
By doing this, it deletes all the session cookies stored in user's browser that removes all the refresh tokens issued to application for a user.
Please ensure to have User.ReadWrite.All, Directory.ReadWrite.All permissions.
To revoke sign-in sessions from Microsoft graph explorer, try using the below query,
POST https://graph.microsoft.com/v1.0/me/revokeSignInSessions (Or)
POST https://graph.microsoft.com/v1.0/users/{user_id}/revokeSignInSessions
After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.
Please find below links if they are helpful.
References:
user: revokeSignInSessions - Microsoft Docs
App can still get data via Microsoft Graph API after user revoke permission from My Apps Portal
I am trying to create online meeting to get the join URL from Microsoft Team Meeting using Postman,but I am getting Forbidden (403) error even after I had provided Application (With Admin Consent) and delegation permission to "OnlineMeetings.Read.All", "OnlineMeetings.Read", "OnlineMeetings.ReadWrite.All", "OnlineMeetings.ReadWrite".
PS: I'm using acess token that I generated in Postman and this the same token I can create events to Outlook using Microsoft Graph
Some pictures about the issue:
Azure Application permission
Postman Token Generate that I'm using
The Issue - 403
A Event that I created with the same token (Outlook)
Could Somebody help me?
The permission required for creating online meeting is OnlineMeetings.ReadWrite Delegated permission based on Permissions.
I can see that you have added this permission into your Azure AD app from your first screenshot. But you didn't do the consent for it. In this case the permission won't be included in your access token. You can decode your token in https://jwt.io to verify it.
So please click on "Grant admin consent for {your tenant}" to do the consent.
I had the same problem until a fellow user reminded me of an important note. According to Microsoft, you have to use the Skype for Business PowerShell to create a policy for your AppId and then grant that policy per specific user on behalf of which you will want to book an Online Meeting.
Documentation for creating and granting the policy
Referenced SO question
How can I easily view the id token and access tokens returned from B2C? I know there are tools like https://jwt.io/ but I have manually copy and paste tokens from the URL. Surely, there has to be an easier way, no?
Setup
Create a B2C Web App called Token Viewer
set the reply url to https://jwt.ms
Give it access any published scopes
Execute a Policy
Open one of your policies
Change the app Token View
Clicking run now will get you an id token
Sample ID Token
Expand ACCESS TOKENS to obtain an access token
Review the Results
The following is a sample access token on https://jwt.ms
Sample access token
I'm trying to access the signed in user's Profile Photo in the context of an email app which uses EWS to connect to Office 365.
The app is registered on portal.azure.com with the following required permissions:
Office 365 Exchange Online -> Access mailboxes as the signed-in user via Exchange Web Services
Windows Azure Active Directory -> Sign in and read user profile
The EWS part works just fine, I'm able to sign the user in, get the access and refresh tokens, and perform EWS operations using "Authorization: Bearer access_token".
The part I'm having trouble with is getting the user's profile photo.
This is the docs I'm going by:
https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations
The API endpoint I'm trying to use is:
GET https://outlook.office.com/api/v2.0/me/photo
... with "Authorization: Bearer access_token" header.
The above API returns this response:
HTTP 403
{"error":{"code":"ErrorAccessDenied","message":"Access is denied.
Check credentials and try again."}}
What could be wrong?
According to the above docs, getting user's photo should be possible using the user.read scope.
The "Sign in and read user profile" permission I mentioned above has a tooltip saying "User.Read", so I believe that's the right scope
I've tried decoding my access token at jwt.io, it has: "scp": "full_access_as_user" - where is my User.Read scope, or does "full access" include "user.read"?
Any ideas?
This is because that you tried use v2 endpoint Rest API but you didn't register the Application with v2 endpoint.
User Photo API is only available on Azure AD v2 authentication endpoint, Not Azure AD and Oauth:
You need to go to Microsoft Application Registration Portal to register your Application. For more details , you can refer to this document.
Just for the record:
Since we were not able to use OAUTH2 APIs for this -
since and our app uses EWS (Exchange Web Services) already...
We just ended up using the GetUserPhoto command with the user's (account's) own email address.
Works fine.
I'm trying to create a script which connect to OneDrive (consumer) in order to get some file.
However, between consumer and enterprise and all those different azuread stuff I'm lost.
Is there a simple explanation on how do I get a token to access OneDrive in a daemon app?
To interact with OneDrive for the personal account, we can use the Microsoft Graph via acquiring the token form Azure AD V2.0 endpoint.
However, this endpoint doesn't support such scenario. The client credentials flow for Azure AD v2.0 endpoint only work for the organizational account.
As a workaround, you may consider get the access token and refresh token via the code flow and then using the refresh token to renew the access token. And you need to acquire the refresh token before it is expired. And based on the document the lifetime of refresh token for the personal account is up to 1 year(refer here).
And to acquire the access token and refresh token for OverDrive personal account you can refer the code flow from this document.