Trying to use the Unified API to fetch all groups. Using this URL - https://graph.microsoft.com/beta/myorganization/groups but getting 403 - code: "Authorization_RequestDenied", message: "Insufficient privileges to complete the operation".
However, it seems like I do have the right permissions - I have Group.Read.All in my token scope which is what's required by this API - see here.
Could it be because I'm using the Office 365 Unified API as another service (acquiring a separate access token) alongside the old existing code that already uses graph.windows.net?
You should be able to get the results back if the token has Groups.Read.All scp claim. Make sure you are getting a token for the right resource resource=https://graph.microsoft.com/. If you are unsure you can use this tool http://jwt.calebb.net/ to parse and validate you have the right audience claim.
Getting groups (read) worked fine with me in unified API Preview, with the following permissions:
Read and write all groups (preview)
Enable sign-in and read user profile
Try adding "Read and write all groups (preview)" not "Read All Groups (Preview)"
However, if you are trying to create a group, you will need to also add another directory permission (unfortunately will need admin consent):
Read and write directory data
these are very weird behaviors from Office365 unified APIs, but we should excuse the APIs as you can see "beta" inside the endpoint URL.
Related
I am unable to fix the "Requesting Consent" status for an azure Data Factory Pipeline querying some Office365 (Graph) simple data (i.e. smtp addresses and UPN of my colleagues).
Can you suggest me something to check ?
I am adding 2 pictures showing where "Graph Data Connect" is easily enabled, and the always empty PAM (Privileged Access Management) portal.
New image: Graph Data Connect configurator
New image: Empty PAM portal
As per the error we could see its a permission issue where you need to be Granted Permission before querying in Graph to pass simple data (i.e. smtp addresses and UPN of my colleagues).
Here, are the steps how you can add permissions:
You have to create a API permissions service, you have to Grant Permission for reporting API, must allow your app the appropriate
permissions based on the API you wish to access.
Next you could navigate to API Permission in the left column under the Manage.
Then you can click on +Add Permission as shown in bubbles in the Snip.
Please grant the permissions Directory.ReadWrite.All and Users.ReadWrite.All.
At last I found what was missing: it was a licensing requirement, but nothing warned me about this in PAM page. Simply nothing was listed in it.
If you like, here are the requirements nowadays.
Have a nice day to everyone !
Julian
I am trying to use "https://graph.microsoft.com/v1.0/me/events" or "https://graph.microsoft.com/v1.0/me/onlineMeetings" to create online meeting programmatically.
I used help from many resources specially this
https://vikrantsdynamicsblogs.wordpress.com/2020/03/28/programmatically-create-the-teams-meeting/.
I have used this API to get token using password grant type
"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token" but the problem happened when I am calling "https://graph.microsoft.com/v1.0/me/onlineMeetings" I got 403 Forbidden
and when I am trying to call "https://graph.microsoft.com/v1.0/me/events" using the same access token I am getting this response
I have added delegate permission from Azure portal
Any Ideas why both are not working with me?
Authorization errors can occur as a result of several different issues, most of which generate a 403 error (with a few exceptions). We could refer to this doc to resolve Microsoft Graph authorization errors.
We cannot create online meeting via personal Microsoft account, if you are using work or school account, we need to ensure the account has the permission: OnlineMeetings.ReadWrite, if you are create online meeting via Application, we need OnlineMeetings.Read.All and OnlineMeetings.ReadWrite.All* permission, check this Create onlineMeeting and Online meetings permissions for more details.
I am attempting to create an event in a group via the Microsoft Graph Api.
I can currently Create/Update and delete groups however I am unable to interact with events inside these groups. I can also create events in calendars that are not inside a group
I have checked that I have all of the permissions as detailed in the documentation and I am not missing any that are listed. The only one listed for this API call is
Group.ReadWrite.All
However, I already have this permission (evident by being able to create and update a group)
If it helps, we are attempting to create shared calendars via the API, and it seemed that groups were the only way to achieve this.
To Replicate
Setup an application that calls the graph v1 API using application permissions. (Note: This issue does not occur with delegated permissions)
Give your application the following permissions
Group.ReadWrite.All
User.ReadWrite.All
Calendars.ReadWrite
Directory.ReadWrite.All
Send the following request (with the appropriate body):
POST /groups
This will work and so will the following request:
POST /groups/{id}/members/$ref
However, this request will return a 403:
POST /groups/{id}/calendar/events
and so will this
POST /groups/{id}/events
First of all, I am no developer. I manage an Office 365 server for my company and I would like to do some heavy reporting using excel.
I have learned of Microsoft Graph and how I could get my data with it.
I created an app in Azure Active Directory, and I tried to set it up.
I added authorizations for Microsoft Graph, including Read All users full profile.
I add one Read directory data permission for Windows Azure Active Directory too.
I clicked on the Grant Permission button.
In the manifest, I changed those parameters to true :
oauth2AllowImplicitFlow
oauth2AllowUrlPathMatching
Now from Excel (2016), I am trying to add a new OData Source, and tried
https://graph.microsoft.com/v1.0/users
I entered my credentials (as Global administrator) using the Professionnal Account tab, and unfortunately, I only get Resource Access Denied (Sorry if the message is not accurate, I get it in another language).
Could anyone give me a hand in telling me what I have missed, please ?
Thank you in advance.
I had similar issue and found that the problem might be that incorrect flow is being used to authenticate.
Warning: once you change your permission and grant them it may take up to 30 mins for the permission to be granted.
First of all, please check your access token (you can decode it easily using https://jwt.io. As a result you should receive this part in your decoded payload:
"roles": [
"User.Read.All"
],
If you don't see it it means that permission is not granted properly. As you wrote that you enter the credentials I assume that you use authorization code grant flow.
To resolve this you you can first check whether you granted application permission or delegated permission to your app. You can look at this page to see the difference. If you want to use application permission you can use client credential flow. If you want to use delegated permission you can use authorization code grant flow.
In application settings > Required permissions you can check which permissions you granted and correct it, if needed:
If you are using authorization code flow you can also add delegated permission to your app and check if new access code contains required role (keep in mind that some permissions might be available only in one of the categories - however, Users.Read.All is available in both).
Source
My goal is to list the calendar events of an Office 365 group using the Microsoft Graph API.
The endpoint used is https://graph.microsoft.com/v1.0/groups/{id}/events based on the documentation. Using the Graph Explorer, I'm able to get the information with my delegated permissions. The problem is when I make the same call using application permissions. I'm positive JWT token contains the required roles to make the call (Group.Read.All, Group.ReadWrite.All) but I'm getting the following error:
Access is denied. Check credentials and try again
Curiously enough, I'm able to get the group /v1.0/groups/{id} but whatever is related to it's calendar and events isn't accessible.
Using application permissions to look at group resources/contents is not currently supported. Please see known issues here: https://developer.microsoft.com/en-us/graph/docs/concepts/known_issues#groups-and-microsoft-teams.
If this is required for your scenarios, please vote for
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/18747862-app-authentication-to-retrieve-conversation-messag or
https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/suggestions/16851937-allow-application-only-consent-to-read-conversation
Both of which are about app-only access to group conversations (similar to group events).
Otherwise please create a new user voice request.