I'm getting the following when trying to authenticate using OAuth2 using the Java client library:
Error:
Code was 403
Msg: Forbidden
{
""error"": {
""errors"": [
{
""domain"": ""global"",
""reason"": ""insufficientPermissions"",
""message"": ""Insufficient Permission""
}
],
""code"": 403,
""message"": ""Insufficient Permission""
}
}
What could be causing this "Insufficient Permission" error?
If you are using Google Wallet Objects API, make sure that you share your Account in the Merchant Account with the Service Account Email Address (the one you got when you created your credentials - you can get this one from the cloud console https://cloud.google.com/console, the one that ends with #developer.gserviceaccount.com)
Login to the Merchant Dashboard, click on Account Management and then click on Share. Add the email to the list of users.
You'll also want to share your merchant account with any users you want to give preview access to your classes and discoverables.
Related
I logged into Azure Portal using my outlook user account and registered a new app, created a user-specific (not tenant specific) token and successfully accessed the mail list through outlook api. I want to do the same using tenant. So, I created a new Azure Active Directory Domain (mydomain.onmicrosoft.com for example) and added few users to it. I created a tenant-specific token and tried to access the following:
https://graph.microsoft.com/v1.0/users/username#mydomain.onmicrosoft.com/messages
but, I got the error below.
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "576e0c7b-dc27-4d3e-b58e-37ac15346b2f",
"date": "2019-12-02T10:14:44"
}
}
}
Is this because my - username#mydomain.onmicrosoft.com - does not have a mailbox? What should I do to get a mailbox for this custom domain? How do I access the list of mails for any user in my custom domain through outlook api? Please advise.
PS:
https://graph.microsoft.com/v1.0/users/username#mydomain.onmicrosoft.com
The above endpoint gives the user details correctly. However,
https://graph.microsoft.com/v1.0/users/username#mydomain.onmicrosoft.com/messages
does not return the mail list
Is this because my - username#mydomain.onmicrosoft.com - does not have
a mailbox? What should I do to get a mailbox for this custom domain?
Yes, you are right. These users don't have a mailbox. You need an O365 subscription for your AAD, then you can assign the license to the users which you need a mailbox.
Reference:
Understand subscriptions and licenses in Office 365 for business
I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "*****",<--I commented this out
"date": "2019-05-28T20:17:11"
}
}
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This is nothing to do with Azure free account. If you login in Graph Explorer using outlook account, it will identify this account as a personal account(with tenant outlook.com). That's why you can not find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1.Click Azure Active Directory->Users->New User. The username should be something like username#{your tenant name}(XXX.onmicrosoft.com)
2.After the creation, add the roles for this user.
I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api
Good day!
We need a calendar facility for the project that we're working in right now. For some reason, we are limited to using the Office 365 calendar or the outlook calendar. We stumbled upon the Microsoft Graph APIs which seems to be the right tool to fulfill what we want to do. So the idea is to create a Microsoft account which will be used as the main calendar where our wrapper(wrap the microsoft graph API calls) API can pull events from and eventually disseminate to client requests.
So here is what we've done so far:
Created a Microsoft account with the domain of #outlook.com
Plotted some calendar events using the said Microsoft account
Tried to follow this guide from the Microsoft site.
We agreed to create a wrapper API which will call the Microsoft Graph APIs but before this we tried to access the said APIs via postman. The problem is that postman cannot get any response from the endpoint of the /authorize API which is need to gain an access token to finally call the respective Microsoft graph APIs.
Now we do not know if we are trying to attack this wrongly or whatever. Do you have any idea what we are missing here? Thanks in advance and I hope someone can shed light in this matter.
UPDATE:
We were able to have some progress. After some time, we bumped in the azure active directory portal. We are now able to get an access token using this URL.
https://login.microsoftonline.com/<directory-id>/oauth2/token
Now when we are accessing the actual MS Graph API endpoint that we are supposed to call, we are receiving a 401 Unauthorized response even though we are using the obtained token from the previous API call. This is the URL that we are trying to get a response:
https://graph.microsoft.com/v1.0/me/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
This is all being done via postman first.
UPDATE:
We tried to grant every permission possible in the Azure Active Directory portal and confirmed the consent at
https://login.microsoftonline.com/<domain>.onmicrosoft.com/adminconsent?client_id=<client-id>
but unfortunately we're still hitting the 401 Unauthorized wall. In Microsoft Graph Explorer, everything is working fine. So what could be missing in our postman implementation that MS Graph Explorer is doing implicitly? Thanks in advance for any help!
UPDATE
After further reading, we've found out some important details. First, we've found out that there are two sets of APIs from Microsoft. One is the Azure Active Directory API and the other is the Microsoft Graph API. Both APIs use the same URL to get access tokens by using client credentials. Below is the URL:
https://login.microsoftonline.com/<directory-id>/oauth2/v2.0/token
Substitute the with your personal data from azure portal. Using this URL to get an access token, you need to supply some data in the request body.
client_id - client id of registered application in azure portal
client_secret - secret key of registered application in azure portal
grant_type - 'client_credentials' --> meaning you'll get an access token by using client credentials
scope - 'https://graph.microsoft.com/.default' or 'https://graph.windows.net/.default' --> this controls which API are you going to access. The first one is to access Microsoft Graph API and the other is to access Azure Active Directory API.
We are now able to get an access token and use it to access the actual API that we need. Below is the URL of the said API:
https://graph.microsoft.com/v1.0/users/<azure-tenant-name>.onmicrosoft.com/calendar/calendarView?startDateTime=2018-08-01T00:00:00.0000000&endDateTime=2018-08-31T23:59:59.0000000
Notice that the URL does not use /me because upon reading using it required a signed in user. Unfortunately we are still getting the 401 Unauthorized error but the errors did change now. We are getting to errors intermittently. Sometimes the API call would return one or the other alternately. Below are the return of the API calls.
{
"error": {
"code": "InvalidTenant",
"message": "The tenant for tenant guid '<directory-id-goes-here>' does not exist.",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:29:27"
}
}
}
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<some-request-id>",
"date": "2018-08-22T04:54:11"
}
}
}
We feel we've moved a step forward. We're still not getting what we need though. Now the mystery are these 2 API call responses. What could be the reason of this? Thanks in advance for anybody's help
UPDATE
Upon even further reading we've discovered that there are authentication flows to get an access token. Depending on the API that you want to call, some authentication flows will not work on it because they need more details and security to execute themselves. So we've tried:
Client Credential Grant
Resource Owner Credential Grant
Authorize Code Grant
But still, unfortunately, we are still stuck in the previous error. We are getting 401 Unauthorized and the response payload is either InvalidTenant or UnknownError.
I just went through a similar problem yesterday, the 401 Unauthorized error.
I was trying to access the calendar of an employee via Microsoft's Graph API, but I was receiving the same response as you.
Resquest:
https://graph.microsoft.com/v1.0/users/employee-email/calendarview?startdatetime=2018-10-21T00:00:00Z&enddatetime=2018-10-27T23:59:59Z&$select=subject,categories,start,end,sensitivity
Response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "<request-id>",
"date": "<date>"
}
}
}
Then I decided to check if had the Office 365. He didn't. I'm just a developer, so I ask the guys from infrastructure to install Office 365 on the empleyee's machine, or add him to an enterprice account, or something like that.
After they finished, the requests to his calendar worked just fine :)
We have an O365 tenant, everything is configured out of the box. The tenant is placed in the German cloud and not in global (office.de).
We also developed an Office Add-in that authorize access to sharepoint using OAuth 2.0.
First, we initiate a request for a code to this url:
http://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=client_id&redirect_uri=redirect_uri&state=state
and we get all values back including the code.
Then, we initiate a request for the Discovery Service to discover the services using this url:
https://login.windows.net/common/oauth2/token?client_id=client_id&redirect_uri=redirect_uri&resource=https://api.office.com/discovery/&grant_type=authorization_code&code=code
In the global cloud everything is ok and we get the list of services we need but in the German cloud we get the following error:
{
"error": "invalid_grant",
"error_description": "AADSTS90051: Invalid Delegation Token. Invalid national Cloud ID (1) is specified.\r\nTrace ID: 52f8aa2b-9f98-4ba6-b778-c0ba484a3c00\r\nCorrelation ID: 67100192-82c8-41ea-a5ca-fd9872caaf2e\r\nTimestamp: 2018-02-08 06:31:18Z",
"error_codes": [
90051
],
"timestamp": "2018-02-08 06:31:18Z",
"trace_id": "52f8aa2b-9f98-4ba6-b778-c0ba484a3c00",
"correlation_id": "67100192-82c8-41ea-a5ca-fd9872caaf2e"
}
The same error occurs when we try to change the url to https://login.windows.de/common/oauth2/token
I think that you can use client crendetials flow to achieve that:
1.Request the access token for the Office Discovery service API:
POST https://login.microsoftonline.de/{{yourtenantId}}/oauth2/token?client_id={{client_id}}&client_secret={{client_secret}}&grant_type=client_credentials&resource=https://api.office.com/discovery/
2.Use the access token in the head and use the Office Discovery API:
Additional: If you want to get id_token and use it, try to use https://login.microsoftonline.de as the AAD Athorization endpoint in your request. I didn't test, but it should work.
Hope this helps!