Get event using Microsoft Graph: ErrorAccessDenied [closed] - microsoft-graph-api

I am expecting to get all of the details of a specific successfully created event in a JSON format.
I am executing this HTTPS GET request with the URI:
https://graph.microsoft.com/v1.0/users/{user_id}/calendars/{calendar_id}/events/{event_id}
with header:
{"Authorization": "Bearer {token}"}
No request body added
{user_id}, {calendar_id}, {event_id} & {token} all valid and verified, checked multiple times on Microsoft Graph Explorer.
Following the instructions from:
https://learn.microsoft.com/en-us/graph/api/calendar-list-events?view=graph-rest-1.0&tabs=http
I'm expecting a JSON like this example taken from documentation:
{
  "value": [
    {
      "originalStartTimeZone": "originalStartTimeZone-value",
      "originalEndTimeZone": "originalEndTimeZone-value",
      "responseStatus": {
        "response": "",
        "time": "datetime-value"
      },
      "iCalUId": "iCalUId-value",
      "reminderMinutesBeforeStart": 99,
      "isReminderOn": true
    }
  ]
}
However I get the following error in the response using Postman as previously hinted:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}
with status: 403 Forbidden
The Roles inside the claim of my token are:
User.ReadBasic.All
Chat.UpdatePolicyViolation.All
TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All
ExternalItem.ReadWrite.OwnedBy
Schedule.ReadWrite.All
Calls.JoinGroupCall.All
OnlineMeetings.Read.All
Mail.ReadWrite
TeamsTab.ReadWriteForChat.All
TeamsAppInstallation.ReadForChat.All
OnlineMeetings.ReadWrite.All
User.ReadWrite.All
OnlineMeetingArtifact.Read.All
BookingsAppointment.ReadWrite.All
Calendars.Read
Mail.ReadBasic.All
ChatMember.ReadWrite.All
People.Read.All
Calls.InitiateGroupCall.All
TeamsAppInstallation.ReadWriteSelfForChat.All
MailboxSettings.Read
Calls.JoinGroupCallAsGuest.All
Bookings.Read.All
CallRecords.Read.All
Chat.ReadWrite.WhereInstalled
ChatMessage.Read.All
User.Read.All
OnlineMeetingTranscript.Read.All
Chat.Read.WhereInstalled
Schedule.Read.All
Calendars.ReadBasic.All
TeamsTab.ReadWriteSelfForChat.All
Mail.Read
Chat.Read.All
ExternalItem.Read.All
Chat.ReadBasic.WhereInstalled
Calendars.ReadWrite
Mail.Send
Chat.ReadWrite.All
MailboxSettings.ReadWrite
Mail.ReadBasic
ChatMember.ReadWrite.WhereInstalled
Chat.ReadBasic.All
Calls.AccessMedia.All
TeamsAppInstallation.ReadWriteForChat.All
ChatMember.Read.All
ChatMember.Read.WhereInstalled
Calls.Initiate.All
ExternalItem.ReadWrite.All
Chat.Create
TeamsAppInstallation.ReadWriteAndConsentForChat.All
I have also consented to all of the previous roles as Application and delegated permissions (if possible) with granted status.
I get the same error on Graph Explorer using the URI:
https://graph.microsoft.com/v1.0/me/events/{event_id}
I would much appreciate any assistance.
Update 1
audience in the access token
Update 2
I have already created a second app, revoked and regranted all the necessary permissions, executing the request, getting the same error.
Update 3
I have already created a second app granting it only the mandatory permissions, executing the request, getting the same error.

Related

Create Team, 400 Bad Request, Required functionality is not supported

I'm trying to create a Microsoft Teams team in Migration mode via the Graph API. However I get a 400 response that I can't figure out. The query is shared in the link below.
Shared Query
For those that don't want to view it that way, here is my request:
POST https://graph.microsoft.com/beta/teams
Authorization: Bearer ...
Content-Type: application/json
{
  "@microsoft.graph.teamCreationMode": "migration",
  "template@odata.bind": "https://graph.microsoft.com/beta/teamsTemplates(\u0027standard\u0027)",
  "displayName": "SlackMigrationTest",
  "description": "testing slack migrations",
  "createdDateTime": "2021-01-14T00:00:00.000Z"
}
I created this based on the microsoft doc here.
The response I get is:
The remote server returned an error: (400) Bad Request.
{
  "error": {
    "code": "BadRequest",
    "message": "Required functionality is not supported.",
    "innerError": {
      "date": "2021-01-20T15:51:21",
      "request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05",
      "client-request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05"
    }
  }
}
I'm sure it's something obvious that I'm missing but any help would be greatly appreciated.
Here you are using the User Context token and trying to make the call. This API call only works in Application context as shown in the below screenshot.
So use Client Credential flow and set Application permissions and then make a call.
As you can see below, it worked for me with App token.
You cannot test it in graph explorer because the Graph Explorer gets user token.
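The user-context versus application-context distinction in the answer above, and the roles and audience claims listed in the ErrorAccessDenied question at the top of the page, can both be checked by decoding the token before calling Graph. This is an added example, not code from either post; `triage`, `make_token` and the sample tokens are hypothetical and constructed, and the payload is decoded without signature verification, which is suitable for diagnostics only.

```python
import base64
import json
import time

AUD = "https://graph.microsoft.com"
GRAPH_AUDIENCES = {AUD, "00000003-0000-0000-c000-000000000000"}  # URI and app ID forms


def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def triage(token, needed, want_app_only, now=None):
    """List the claim problems that would explain an access error from Graph."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud is {aud!r}, not Microsoft Graph")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        findings.append("token is expired")
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    app_only = bool(roles) and not scopes        # heuristic: roles without scp
    if want_app_only and not app_only:
        findings.append("delegated (user) token, but the call needs an app-only token")
    if not want_app_only and app_only:
        findings.append("app-only token, but the call needs a signed-in user")
    granted = roles if app_only else scopes
    if not needed & granted:
        findings.append(f"none of {sorted(needed)} granted in the token")
    return findings


def make_token(claims):
    """Build a constructed, unsigned sample token (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples (not real credentials): app-only (roles) and delegated (scp).
APP_TOKEN = make_token({"aud": AUD, "exp": 2000000000, "roles": ["Calendars.Read"]})
USER_TOKEN = make_token({"aud": AUD, "exp": 2000000000, "scp": "User.ReadWrite.All"})
```

An empty list from `triage` means the claims themselves look consistent with the call, so the cause of the error lies outside the token.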

How to update user's hireDate attribute in Azure AD using Graph REST API?

I searched for similar questions but did not find answer I was looking for.
My goal is to update all users in AAD with hireDate.
At first I tried to do so using client credentials flow.
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:client_credentials
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
After I got access code I called:
PATCH https://graph.microsoft.com/v1.0/users/[user1]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
  "hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
  "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
  "message": "Attempted to perform an unauthorized operation.",
  "innerError": {}
}
Second try was using password flow (client and user credentials). I used my global admin [user1] credentials and called same HTTP request. Response was HTTP 204 (everything OK).
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:password
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
username:{{user1_upn}}
password:{{user1_password}}
Unfortunately, when I tried to update other [user2] it went like this:
PATCH https://graph.microsoft.com/v1.0/users/[user2]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
  "hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
  "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
  "message": "Attempted to perform an unauthorized operation.",
  "innerError": {}
}
If I am using [user2] credentials to get access token then I can update [user2] hireDate, but can not update [user1].
Application permissions:
UPDATED:
Decoded access token has these permissions:
"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.ManageIdentities.All User.ReadWrite User.ReadWrite.All"
UPDATED[2]:
Both [user1] and [user2] have Office 365 E1 licences assigned (including SharePoint Online (Plan 1)).
Am I doing something wrong? If anyone has a solution to share, it would be much appreciated.
Apart from the office licenses, the global admin user should have Sites.ReadWrite.All scope permission in the token to update the "hireDate" property for other users.

Error when createUploadSession on OneDrive graph api for the special AppFolder

I am attempting to create an upload session in the special app folder for my OneDrive app using the Graph API. My app has the following permissions:
Files.ReadWrite
Files.ReadWrite.AppFolder
offline_access
The request looks like this
https://graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/special/approot:/documentname.docx:/createUploadSession
gives the following error:
{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "7447aa01-6685-4af0-998a-64abc9b14825",
      "date": "2017-04-06T10:07:46"
    }
  }
}
I can create an upload session on the normal root folder without any errors:
graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/root:/documentname.docx:/createUploadSession
result:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.uploadSession",
  "expirationDateTime": "2017-04-06T10:32:48.5252565Z",
  "nextExpectedRanges": [
    "0-"
  ],
  "uploadUrl": "......."
}
The createuploadsession method does not support special/approot. As mentioned in the documentation, these are the only paths to use:
POST /drive/root:/{path_to_item}:/createUploadSession
POST /drive/items/{parent_item_id}:/{filename}:/createUploadSession
Just wanted to clarify, since people are sometimes referring to this thread still: This syntax actually is supported. Due to the flexibility of OData syntax/support, the docs are not always 100% comprehensive about every request path that works.
I believe the actual issue is that Files.ReadWrite.AppFolder is not supported on ODB/SPO/business accounts yet (as of 2022) - it is only for personal/MSA accounts. However, there is work in progress to bring this support to SPO in the future.
The two scopes that are mentioned above are:
Files.ReadWrite - grants access to content on the caller's mysite only
Files.ReadWrite.AppFolder - has no effect on SPO/business
Files.ReadWrite.All should work in the short term, until Files.ReadWrite.AppFolder is implemented on SPO/ODB.

Google blogger api and expired secret key.

I have already managed to add some posts to my blog using the Google API and OAuth and ran into some problems. I have tried for days - or weeks - to find the best question to ask and I believe I have isolated the problem. Apparently the secret key only works for one hour, but after an hour, at this line:
$service->blogs->getByUrl("theurlofmyblog.blogspot.com");
I get this error:
Google_Service_Exception in REST.php line 118:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "authError",
        "message": "Invalid Credentials",
        "locationType": "header",
        "location": "Authorization"
      }
    ],
    "code": 401,
    "message": "Invalid Credentials"
  }
}
Some of the experts on forums have suggested that one must go to this address https://developers.google.com/oauthplayground/ and get a refresh token. But nobody has mentioned how we should use that token. Do I put it inside the JSON file? There must be something like this - don't laugh please, this is supposed to be pseudocode -:
if(the key is expired)
    use my refresh key and get me another key
Any experience?
As described in Google’s OAuth 2.0 documentation, you should receive a refresh token during the authentication flow. You should store that token someplace, then use it to get a new access token when necessary.
The exact procedure to exchange a refresh token for a new access token will depend on what OAuth client library you are using. In Signet (Google’s OAuth library for Ruby), for example, it’s done as part of fetch_access_token.
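The refresh step that the question sketches in pseudocode and the answer describes, written out as an added example; it is not code from the post or from any Google client library. `TokenCache`, `post_form` and the `skew` margin are hypothetical names, while the endpoint and form fields are those of Google's OAuth 2.0 refresh-token exchange.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def post_form(url, form):
    """Default transport: POST a form, return the JSON body (also on HTTP 4xx)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # error replies such as {"error": "invalid_grant"}


class TokenCache:
    """Hypothetical helper: keeps an access token fresh from a stored refresh token."""

    def __init__(self, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.time, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.transport, self.clock, self.skew = transport, clock, skew
        self.access_token, self.expires_at = None, 0.0

    def get(self):
        """Return a usable access token, refreshing it when expired or nearly so."""
        if self.access_token and self.clock() < self.expires_at - self.skew:
            return self.access_token
        if not self.refresh_token:
            raise RuntimeError("no refresh token stored; the user must re-authorize")
        reply = self.transport(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if "access_token" not in reply:
            raise RuntimeError(f"refresh failed: {reply.get('error', 'unknown')}")
        self.access_token = reply["access_token"]
        self.expires_at = self.clock() + int(reply.get("expires_in", 0))
        # Keep the old refresh token unless the reply carries a new one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return self.access_token
```

Call `get()` before each API request and pass the result as the bearer token; the refresh token and client secret belong in protected storage, not in source control.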

Google My Business API fails

Getting a strange error message and there is literally nothing on it anywhere I look. Granted access to Google My Business API, followed directions here;
https://developers.google.com/my-business/content/get-started
All went well, but the expected 200 response was actually the below;
{
  "error": {
    "status": "PERMISSION_DENIED",
    "message": "The request was blocked. Quota configuration not found for the requesting project.",
    "code": 403,
    "details": [
      {
        "violations": [
          {
            "description": "The request was blocked. Quota configuration not found for the requesting project.",
            "subject": "project:XXXXXXXXXX"
          }
        ],
        "@type": "type.googleapis.com/google.rpc.QuotaFailure"
      }
    ]
  }
}
Anyone have any idea how to add quotas in Google Developer console, or, alternately, if this message is a result of expired permissions perhaps? (Granted access in Feb, did not use until now?)
This is what you get when the project in question does not have Google My Business API access, as granted through their official process etc. When I used the correct project I got a 200 and all is well.
So sayeth the GMB folks themselves, who answered my email same day!
