I tried to receive all events for an Microsoft 365 User. It's a business license and a add an App with all User/Mail/Calendar Permissions (also consent granted) to Api permissions.
When running this command or some similar like in the documentation I got 403
Client error: `GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxx/events` resulted in a `403 Forbidden` re
sponse:
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
What did I do wrong? I also tried the Graph Explorer (with logged in user).
Are the permissions you are assigning delegated or application permissions?
If you are using application permissions for your App Registration then you need to give access on the user's calendar to the app (probably by using a new service principal on exchange online).
If you are using delegated permissions then you should check the access token you are getting for validation in jwt.ms
Bear in mind that Graph explorer with logged in user needs different permissions than your App Registration. ( it's a different app registration altogether )
Seems like I had the same issue https://learn.microsoft.com/en-us/answers/questions/1165285/microsoft-graph-get-outlook-calendar-events-403?page=1&orderby=Helpful&comment=answer-1168253#newest-answer-comment
The fix was to remove all the other permissions and just give it
Related
We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions.
But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes.
However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions.
Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
PG Blog Bost & Demo:
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
Create Site Permission: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Team (group) resource-specific consent doesn't currently support access to the team's files.
There are some new graph scopes (preview) you could try:
Files.Read.Selected - allows read access to files user can select.
Files.ReadWrite.Selected - allows read/write access to files user can select
Files.ReadWrite.AppFolder - allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.
I'm currently trying implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add a another calendar all I'd have to do is add the object to a specific o365 group. I'm taking the application approach over delegation that way I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken :
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to Get Members for a group. you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting that permissions to the application in Portal.azure.com and admin consenting it.
If you're confident with that. Then I'd eliminate your code as being the issue by using something like postman with your app id and client secret. We have a sample Postman collection here https://learn.microsoft.com/en-us/graph/use-postman . for delegated permissions you can use our Graph Explorer playground.
MS docs says:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference
I'm wondering if we just found a bug in the MS Graph API. I'm trying to access a different user's inbox mail rules via MS Graph. Here's what I did:
1.) Registered an application on the V1 Azure AD Endpoint, with ALL delegated permissions (including MailBoxSettings.Read and MailBoxSettings.ReadWrite)
2.) Granted access to the application using a global admin account
3.) Got a Graph Bearer Token for the tenant & proper permissions:
4.) Delegated mailbox access (full access) to my Global Admin account in Exchange Online settings:
5.) Verified that I have access to the users inbox via Graph:
6.) Attempting to list messagerules for this user fails:
Note that retrieving the current (global admin) user's mail rules works without an issue:
GET /https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messageRules
This tells me that there is probably a bug in MS Graph - or am I maybe missing something?
Thanks in advance
Ben
I have tried this, and I have get the same error. As my understand, we can not get the other's email rules. If you want to use this case, we can submit this issue on the github Issue
To read other users emaill inbox you need Application Type permission set rather than Delegated access.
Follow this link
https://learn.microsoft.com/en-us/graph/auth-v2-service
I am writing a .Net Core 2.0 MVC-like app where users log in and then do such operations on an AAD B2C tenant such as add new user, edit user, delete user etc.
Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.
I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?
// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.
// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.
// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.
Did you setup your permissions through Azure portal or PowerShell?
Delete permissions for a B2C application must be created using PowerShell.
You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.
Let me know if it helped!
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.