I am not able fetch mailFolders details for some user present in my tenant and I m able to fetch the user info.Using graph explorer to fetch details.
On top of that I have tried fetching mailFolders details for my admin account in the tenant (logged in with admin account) and it was successful.
I have already given the required permission to my application. Mail.read and Mail.ReadBasic.All. Both are the application permission.
Users are added into my Azure Active Directory as well as app.
The API GET URL is this one -
https://graph.microsoft.com/v1.0/users/*****#******.onmicrosoft.com/mailFolders
I am trying to fetch other user mailFolders while logged in with an admin account of that tenant, but getting the error Access Denied.
Error Access Denied
How do I fix this?
I tried adding users to graph app in Azure enterprise applications but this also didn't help.
I also modified mailbox permission on the Admin console for some of the users but this also didn't help.
Please help
Regards,
Apoorv.
There is still one permission is missing I think in the permissions tab "Mail.ReadWrite"
Also please check the token if the required scopes are present in there in https://jwt.ms/
Related
I have a question to ask about using Graph Explorer.
I logged onto Graph Explorer using my admin account which has the role of Exchange Administrator.
However, when I execute a query just to get another user's high importance email, it came back with forbidden.
The query is just a simple https://graph.microsoft.com/v1.0/users/john.doe#domain.au/messages?$filter=importance eq 'high'
I have already consented the permissions as you can see from the image below.
Can anyone be kind enough to point me in the right direction?
(Graph Explorer screen capture)
Thanks.
I guess that permission tab show the incorrect information. To access mail of another user you will need at least Mail.Read.Shared and Mail.ReadWrite.Shared permissions.
Probably due to security reason you will also need other permissions like User.Read.All
Mail.Read.Shared
Allows the app to read mail that the user can access, including the user's own and shared mail.
Mail.ReadWrite.Shared
Allows the app to create, read, update, and delete mail that the user has permission to access, including the user's own and shared mail. Does not include permission to send mail.
Resource:
Mail permissions
I made an app where the user logs in to their Office 365 account and I perform actions using the Microsoft Graph API. When I first started the app, I requested for little permissions such as profile and mail permissions. However, I now want to access the user's calendar and thus I added more permissions (Calendars.Read, Calendars.ReadWrite).
Now, when I try to get the user's calendar events, I receive the following error:
{code: ErrorAccessDenied, message: Access is denied. Check credentials
and try again., innerError: {request-id:
33074527-630e-41cf-bd00-4fcd5f0ac816, date: 2018-09-10T03:15:07}}
I noticed that once I added these calendar permissions, it didn't prompt the user to accept these new permissions so I think that's why I don't have access. Do I have to delete my app or something in order to get these permissions from the user? I tried to force the user to sign in again adding new permission requests to the scopes variable but it still didn't ask the user for these permissions.
No, you need to update the consent recorded for the user. My guess is you are using the Azure v1 OAUth2 endpoints, as this problem tends to crop up there more often than the v2 endpoints :).
The problem here is that the first time your user consented, Azure recorded their consent so they wouldn't be prompted again. That record captured the permissions you initially had configured on your app registration. Azure v1 is not "smart" enough to detect that you've added new permissions on your app registration since the user's consent was recorded, so it happily continues to issue tokens with the old permissions, skipping the user prompt.
To get the prompt to show up, you need to include a prompt=consent query parameter on the authorization URL, as documented here.
If you're using the v2 OAuth2 endpoints, this becomes a bit easier. With the v2 endpoints, all you have to do is include the new permission scopes in the scope query parameter for your authorization URL. Azure will detect that the user hasn't consented for them, and will prompt.
So how do you tell which endpoint you're using?
Did you register the app at https://portal.azure.com? You're using v1.
Are you using ADAL libraries in your code? That's v1.
Are you using MSAL libraries? That's v2.
Does your code send the user to a URL that has v2.0 in it? You guessed it, that's v2. If there's no v2.0 in it, it's v1.
we are using Microsoft Graph API for uploading files for business and personal accounts.
After the account logs in, we ask for some permissions, but we don't add the once needed for OneDrive. After the user explicitly requests to upload a file we send another request for an AccessToken including all scopes until now + files.readwrite.all. This was working perfectly until (maybe) a month ago. Now it works for business accounts, but not for personal accounts.
Steps that we do:
Redirect the user to login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmywebsite.com%2Fsignin-microsoft&response_type=code%20id_token&scope=openid%20offline_access%20profile%20email%20mail.readwrite%20mail.send%20contacts.readwrite%20calendars.readwrite%20people.read%20user.read%20files.readwrite.all&response_mode=form_post&nonce=636656...&state=CfDJ8MLMcPchE...
The user selects their account (whit which they are already signed in)
They get redirected to https://login.live.com/oauth20_authorize.srf with the following sreen:
The permissions are not added for our application and we don't get any error.
Here is also the response from the error page:
Error Info
"/pp1600/oauth20_authorize.srf?client_id=9d3c...&scope=openid+offline_access+profile+email+mail.readwrite+mail.send+contacts.readwrite+calendars.readwrite+people.read+user.read+files.readwrite.all&redirect_uri=https%3a%2f%2fmywebsite.com%2fsignin-microsoft&response_type=code+id_token&state=CfD...&response_mode=form_post&nonce=636...&x-client-Ver=5.2.0&display=host&uaid=521...&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&username=pesho..."
loginserverprotocolhandler(846)
HR=0x80041018
Method string:GET
URL:"/pp1600/oauth20_authorize.srf"
Query string:"code=5"
Server protocol:HTTP/1.1
Update: after a couple of tries i actually managed to grant access to one of my accounts for the OneDrive integration. Not really sure what changed. I was just logging in and out with different Outlook accounts in Outlook and in our app. After that, i tried the same process with a different account and it failed again. Every time I was trying this I was logged with the same account on both places.
One more thing that I noticed is that before the consent was for all permissions and now the consent screen showed request only for the files permission.
I want my application to access my users OneDrive for Business files (both read and write access). It should work as an alternative browsing client, so the user just has to login and then browse his files.
With personal OneDrive using the v2 Endpoint, it works flawlessly.
When I try to login my OneDrive for Business account I get an error stating that my application requires some privileges that only Admins can grant.
But.. From the app panel ( https://apps.dev.microsoft.com ) my application requires only permission that non-admin users can request (under delegate authorization). The Application authorization list empty.
I also tried to remove ALL the permission required, save, wait some minutes and retry.. and even without any permission required i still get the same error.
I tried making new application, checking all the permission, refreshing the app's key.. but i always get the same error. If i try to login the same account from other commercial application it works.
I also don't have access to any admin account to see a list of authorization required by my app.
I'm really out of ideas, what i can try?
I manage an Instagram client that has been approved with scopes basic and public_content. I'm trying to add the follower_list scope as well. Before Instagram's approval, the scope should work in sandbox mode with user=self. I have requested an access token with the follower_list permission, but I'm receiving an OAuthPermissionsException: This client has not been approved to access this resource.
Logging in to my Instagram account and viewing my Authorized Applications, the client is indeed listed with 'Access your friends list' as a permission. Other restricted endpoints work fine with user=self, such as comments and likes. It seems to just be an issue with the follower_list scope.
Any advice, or is this perhaps a bug on Instagram's part?
Update:
I received the follower_list permission from Instagram, and can now get the followers/followings for self. However the API currently does not support retrieving followers for any user other than self. So you can access the followers of the logged in user, but no one else.
You can only get logged-in users (self) following list, for this you need follower_list permission. You cannot get any other user's following list via API anymore.