I have setup a work account on Azure and add permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type
I can use client credential flow to get the access token successfully
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
the token can be parsed by https://jwt.ms with proper role
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when query calendar or mailboxSettings
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return error below
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Is "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above query, or need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite ?
Also for permission of calendar, which one is a higher permission, is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try by providing user.ReadAll permission instead of User.ReadBasic.All
Related
I am trying to read emails of user a user in a tenant. The admin has granted consent for the following permissions:
offline_access AccessReview.Read.All AccessReview.ReadWrite.All Channel.ReadBasic.All ChannelMessage.Read.All ChannelSettings.Read.All Chat.Read ChatMessage.Read DelegatedPermissionGrant.ReadWrite.All Directory.Read.All Directory.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadWrite MailboxSettings.Read openid profile TeamMember.Read.All TeamSettings.Read.All User.Read User.Read.All User.ReadBasic.All email
However, both in graph explorer and in PHP code, when I query the endpoint https://graph.microsoft.com/v1.0/users/<user_email>/messages, I get the error:
"error": {
"code": "ErrorItemNotFound",
"message": "The specified object was not found in the store., Default folder AllItems not found.",
"innerError": {
"date": "2022-11-29T09:16:49",
"request-id": "2449c64a-9aa8-479d-8de4-923a2a306583",
"client-request-id": "5eb26a2e-54da-bba2-0adf-4fa7bca43df2"
}
}
What could I be doing wrong?
I followed this document https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=http
I can successful request the list api after add permission "
Directory.Read.All" to the application, while the create api returns an error
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-11-15T08:54:50",
"request-id": "46986851-590c-4687-b909-918e9d233f07",
"client-request-id": "46986851-590c-4687-b909-918e9d233f07"
}
}
is there any other permission required or some additional operations needed?
This is expected as the Create requests requires Directory.ReadWrite.All. You app seems to have only Directory.Read.All which is not enough for doing objects writes.
Trying adding Directory.ReadWrite.All to your app and trying again. Make sure it is granted by admin on Azure AD portal.
The GetChat API (https://graph.microsoft.com/v1.0/chats/{chatid}) from Microsoft Graph returns error 403 (Forbidden) for some chats when using application permissions. The application being used has Chat.Read.All permissions with admin consent granted. Also, the same application returns success for other chats.
Following are errors for couple of requests to get chat, that were tried using Postman:
1:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:16:26",
"request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41",
"client-request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41"
}
}
}
2:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:18:37",
"request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4",
"client-request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4"
}
}
}
You could try couple of things here -
Try the same API call in Graph explorer and observe if you still see this error. This will help in identifying if there is any issue with the token that you have generated.
You may have changed your API permissions after giving your application admin consent. When you give admin consent, Azure AD will take a "snapshot" of the permissions at the time of consent. Then if you change the permissions later, you will need to re-do the admin consent process again.
Personal accounts are not supported. Refer permissions here.
I am trying to add user using Microsoft graph API.
I have provided the consent for all the permissions required.
POST https://graph.microsoft.com/v1.0/users
Request body that is send to the post request.
{
"accountEnabled": true,
"displayName": "Adele Vance",
"mailNickname": "AdeleV",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Error that is received in response
{
"error": {
"code": "",
"message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:0ff49e4749deeaf2')/profile?api-version=AGSV1-internal'.",
"innerError": {
"date": "2021-02-04T10:41:56",
"request-id": "025218e1-191c-464f-adf3-f0cdc5fcebfd",
"client-request-id": "c071d220-2f14-d7fa-956e-cd45ccbdc735"
}
}
}
Is there something that I am missing?
I have also gone through the docs for adding user provided by Microsoft.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http
What you said in the comment is correct, the document has detailed instructions, it does not support Microsoft personal accounts.
You will have to check the end point are you using to authorize in order to obtain the token.
If you are using a tenant specific end point
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
Try replacing with the common endpoint
https://login.microsoftonline.com/common/oauth....
This "drives" me crazy... I have an AAD app with following application permissions with Admin Consent:
Directory.Read.All
Files.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
Member.Read.Hidden
Organization.ReadWrite.All
People.Read.All
Sites.FullControl.All
Sites.ReadWrite.All
User.Read
Request:
https://graph.microsoft.com/v1.0/groups/{id}/drive/root
Response:
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "5ad04144-d8af-48ef-b9d3-43dafedb5911",
"date": "2020-02-15T13:28:08"
}
}
}
Decoded Token:
There's no Retry header and I've tried for several hours now.
If I send the query using a token generated with Authorization Code grant and the scope Group.ReadWrite.All User.Read profile openid email, it works like a charm.