I am working on the integration of the outlook calendar with our app. I am trying to get the calendar events of the guest user. So far I have done the following steps.
Registered an app in the Azure Active Directory admin centre and added the following API permissions.
API permissions
Then I used the following API call to get the access token.
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
I used this token to get the user list which is working fine.
https://graph.microsoft.com/v1.0/users
Then I am using user_id from this result to call the following APIs
https://graph.microsoft.com/v1.0/users/{user_id}/calendars
https://graph.microsoft.com/v1.0/users/{user_id}/calendars/events
https://graph.microsoft.com/v1.0/users/{user_id}/events
I am getting a successful result for Member users but getting the following error for guest users
>AuthOMMissingRequiredPermissions
>The AadGuestPft token doesn't contain the permissions required by the target API.
Any Idea what am I missing?
To get guest users(external) you can use https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest' Graph API endpoint. This will give you all external users details in response. Event API will only work for the user within tenant, for external users who does not have license it will not work.
Hope this helps.
Related
I tried to receive all events for an Microsoft 365 User. It's a business license and a add an App with all User/Mail/Calendar Permissions (also consent granted) to Api permissions.
When running this command or some similar like in the documentation I got 403
Client error: `GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxx/events` resulted in a `403 Forbidden` re
sponse:
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
What did I do wrong? I also tried the Graph Explorer (with logged in user).
Are the permissions you are assigning delegated or application permissions?
If you are using application permissions for your App Registration then you need to give access on the user's calendar to the app (probably by using a new service principal on exchange online).
If you are using delegated permissions then you should check the access token you are getting for validation in jwt.ms
Bear in mind that Graph explorer with logged in user needs different permissions than your App Registration. ( it's a different app registration altogether )
Seems like I had the same issue https://learn.microsoft.com/en-us/answers/questions/1165285/microsoft-graph-get-outlook-calendar-events-403?page=1&orderby=Helpful&comment=answer-1168253#newest-answer-comment
The fix was to remove all the other permissions and just give it
I've been tasked with a project to get attendance information from specific types of Teams. I have a service account that is already a member of these Teams, however it is unable to access an endpoint needed to resolve JoinWebUrls to meetingIDs (See example #3, 'Retrieve an online meeting by JoinWebUrl').
I have done the following thus far:
Create a new App Registration and assigning it 'OnlineMeetings.Read.All' as an Application permission (this process needs to run as a script, meaning that Delegate permissions won't work here)
Create a new Application Access Policy, assigned the aforementioned App Registration's App ID to it, and granted it to the service account.
Signed into MS Graph as the service account (using the 'password' grant_type) and retrieved the 'events' within the Team (via /v1.0/groups/$GroupID/events)
Extracted the JoinWebURL parameter from each of those events.
Step 5 would be to resolve the meetingID from the JoinWebURL, however when I all of the following requests fail:
GET /v1.0/me/onlineMeetings?$filter=JoinWebUrl eq '$JoinWebURL' (as the service account, which should be able to interact with the meeting)
GET /v1.0/users/$ServiceAccountObjectID/onlineMeetings?$filter=JoinWebUrl eq '$JoinWebURL' (as the service account to access it's own object's meetings, however this does seem to be the endpoint for Application permissions rather than Delegate permissions)
GET /v1.0/users/$ServiceAccountObjectID/onlineMeetings?$filter=JoinWebUrl eq '$JoinWebURL' (using the App Registration mentioned earlier, signing in with the 'client_credentials' grant_type)
GET /v1.0/me/onlineMeetings?$filter=JoinWebUrl eq '$JoinWebURL' (as the App Registration trying to access any meeting, however this does seem to be the endpoint for Delegate permissions rather than Application permissions)
Basically, I'm stuck. Is there something obvious that I'm missing? I'm also considering raising a support call with Microsoft, to see if the behaviour I'm experiencing is merely a bug.
Thanks in advance.
Events and online meetings are two different API's, you have created an event and trying to get online meeting details. That's the reason you are getting those errors. If you want to get event details please try this document.
I'm wondering if we just found a bug in the MS Graph API. I'm trying to access a different user's inbox mail rules via MS Graph. Here's what I did:
1.) Registered an application on the V1 Azure AD Endpoint, with ALL delegated permissions (including MailBoxSettings.Read and MailBoxSettings.ReadWrite)
2.) Granted access to the application using a global admin account
3.) Got a Graph Bearer Token for the tenant & proper permissions:
4.) Delegated mailbox access (full access) to my Global Admin account in Exchange Online settings:
5.) Verified that I have access to the users inbox via Graph:
6.) Attempting to list messagerules for this user fails:
Note that retrieving the current (global admin) user's mail rules works without an issue:
GET /https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messageRules
This tells me that there is probably a bug in MS Graph - or am I maybe missing something?
Thanks in advance
Ben
I have tried this, and I have get the same error. As my understand, we can not get the other's email rules. If you want to use this case, we can submit this issue on the github Issue
To read other users emaill inbox you need Application Type permission set rather than Delegated access.
Follow this link
https://learn.microsoft.com/en-us/graph/auth-v2-service
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.
I am developing a multi-tenant web app managing the mail, contacts and calendar of users.
On the AzureAd management portal, I registered my app as multi-tenant and I manage to get OAuth tokens for both people out and inside my tenancy, replacing the tennantId by "common" when querying the Authentication Code and Token endpoints.
Now, I would like to access calendar, mail and contacts info of people who signed in and consented to give permissions to my app.
I started simple, by querying the basic user info of a user inside tenancy like this:
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
or
GET https://graph.windows.net/-tennantId-/users/myAdress#company.com?api-version=2013-11-08
{headers: {Authorization: "Bearer -accessToken-"}}
It works!
Now, how can I have access to information of users that are outside my tenancy? I tried
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
GET https://graph.windows.net/-tennantId-/users/address#outside.com?api-version=2013-11-08
GET https://graph.windows.net/common/me?api-version=2013-11-08
GET https://graph.windows.net/common/users/address#outside.com?api-version=2013-11-08,
I always end-up having a 400 error:
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid domain name in the request url."}}}
Any idea what I am doing wrong?
Ah-ah!
Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth!
The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"!
This will work:
https://graph.windows.net/myorganisation/me?api-version=2013-11-08
Oh, it was clearly written in the doc, but... but... MICROSOOOOOFT!!!