Microsoft graph api calendarview delta issues - microsoft-graph-api

I am currently using the Microsoft Graph API to get events from Outlook, but I would like to change to the calendarView endpoint instead. However, I am facing a number of challenges when using delta links on other users' calendars with delegated access.
My first call to the delta endpoint works as intended, but when I try to use the link in @odata.nextLink for the next delta data I get a permission error, and I can't see what should cause this error:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "date": "2022-12-06T18:03:31",
      "request-id": "961ca04c-0000-0000-0000-000000000000",
      "client-request-id": "2dc7f5ea-0000-0000-0000-000000000000"
    }
  }
}
Delta querying works fine when done on the events endpoint so I am a bit lost in what to check for?

As you said, you are facing challenges while using delta links on other users' calendars with delegated access. Accessing other users' data requires application permission, whereas delegated permission requires the user to sign in. Please check the doc for more info regarding delegated permission vs application permission.
Could you please try adding Calendars.Read application permission instead of delegated permission - https://learn.microsoft.com/en-us/graph/api/event-delta?view=graph-rest-1.0&tabs=http.
Hope this helps
Thanks

I ran into this issue recently and found a partial answer at https://learn.microsoft.com/en-us/answers/questions/587998/deltatoken-for-calendar-events-requiring-elevated.html
I asked my Active Directory admin to give manage access for the account associated with my bearer token, and the delta events are now working. That is, myuser@example.com now has manage permissions for shared-calendar-user@example.com. This isn't ideal, but it's acceptable for my use case.

Related

Consented permissions not working when using Microsoft Graph Explorer to access reports

I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
  "error": {
    "code": "S2SUnauthorized",
    "message": "Invalid permission.",
    "innerError": {
      "request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
      "date": "2020-04-02T01:01:08"
    }
  }
}
According to the documentation this requires the permissions 'Reports.Read.All'
When looking at the permissions I have in the explorer it says that Reports.Read.All permission is 'consented'
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure of the following:
Try to repro the above using MS Graph Explorer with your tenant!
If you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role.
Let me know if you can still repro the issue.

Planner tasks endpoint always returns a 403?

I'm attempting to get tasks assigned to a specific user from the Graph API, so based off of the sample query in the Graph Explorer I'm using this endpoint:
https://graph.microsoft.com/v1.0/users/<user-email>/planner/tasks
Which works fine for whatever user I'm signed in as, but attempting to get tasks for a user I'm not signed in as will always return with a 403 and say I don't have the required permissions. Group.ReadWrite.All is granted by admin, and according to the graph docs, that should be fine, but no luck.
I've also just created a new demo tenant and one by one granted permissions in the Graph Explorer with admin and still no luck! So I'm doubting the issue really is permissions. And for the record I've tried v1.0 and beta endpoints, and I've attempted this in an SPFx Web Part, and it doesn't work in practice either.
Not sure that it will help, but this is what is being returned each time:
{
  "error": {
    "code": "",
    "message": "You do not have the required permissions to access this item.",
    "innerError": {
      "request-id": "b02e3529-a4ae-4825-b4e6-7fc9b1fa228e",
      "date": "2019-03-27T12:28:41"
    }
  }
}
Anyone else ran into this issue or know of a workaround?
Reading tasks for other people is not allowed. We are investigating app-only request support, which should enable this scenario.

MS Graph API Photo endpoint not working with App Permissions for Groups

I'm trying to call MS Graph API to get the Photo from a Group using Application permissions, but I'm getting an "Access is denied. Check credentials and try again."
According to this link:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/profilephoto_get
App permissions are supported:
For user resource:
User.Read.All, User.ReadWrite.All
For group resource:
Group.Read.All, Group.ReadWrite.All
I'm getting an App token, and I can see those permissions:
"roles": [
  "User.ReadWrite.All",
  "Group.Read.All",
  "Group.ReadWrite.All",
  "Directory.Read.All",
  "User.Read.All"
]
Seems a bug in the Photo endpoint for Groups, as curiously, I can get any User photo using same App token. None of the Photo endpoints works for Groups:
/groups/{id}/photo
/groups/{id}/photo/$value
/groups/{id}/photos
Am I missing something? Is there any other permission required (not documented)?
In case anyone from MS product team can take a look, here is one of the error Ids:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "ac884427-69ee-407e-b198-06bd6af5f4be",
      "date": "2018-10-30T13:12:19"
    }
  }
}
Thanks!
I had the same use case. Apparently it's a known issue documented by Microsoft here: https://learn.microsoft.com/fr-fr/graph/known-issues#permissions-for-groups-and-microsoft-teams
You must use a delegated permission and not an app permission.
Examples of group features that support only delegated permissions:
Group conversations, events, photo
External senders, accepted or rejected senders, group subscription
User favorites and unseen count
Just to add on the subject, with app permissions the v1.0 endpoint does not work to get the photo:
Get - https://graph.microsoft.com/v1.0/groups/{groupId}/photo/$value
But it does work on the beta endpoint:
Get - https://graph.microsoft.com/beta/groups/{groupId}/photo/$value
Nothing new on the Put call, cannot update a new group photo on V1.0 or beta endpoint.
The only way that I can update photo is really not secured, by using jwt Resource Owner Password Credentials.
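A troubleshooting sketch for the delegated-versus-application distinction that both the calendarView delta thread and this group photo thread turn on; it is an added example, not code from any of the posters or from Microsoft. It decodes an access token's payload without verifying it, classifies the token by its `scp` (delegated) or `roles` (application) claim, and compares that with what an endpoint accepts. The helper names and the sample tokens are constructed for illustration.

```python
import base64
import json


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying it (troubleshooting only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(claims):
    """Delegated tokens carry scopes in 'scp'; app-only tokens carry 'roles'."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if scopes:
        return "delegated", scopes
    if roles:
        return "application", roles
    return "unknown", set()


def diagnose(token, required_kind, accepted_permissions):
    """Explain why a call is likely to fail with 403, or return 'ok'."""
    kind, granted = classify(decode_claims(token))
    if kind != required_kind:
        return f"token is {kind}, endpoint needs {required_kind}"
    if not granted & set(accepted_permissions):
        return f"none of {sorted(accepted_permissions)} granted"
    return "ok"


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: the app token mirrors the 'roles' list quoted above.
APP_TOKEN = make_sample_token({"roles": [
    "User.ReadWrite.All", "Group.Read.All", "Group.ReadWrite.All",
    "Directory.Read.All", "User.Read.All"]})
USER_TOKEN = make_sample_token({"scp": "Calendars.Read Group.Read.All"})

# Per the known-issue answer above: group photo supports delegated permissions only.
GROUP_PHOTO = ("delegated", {"Group.Read.All", "Group.ReadWrite.All"})

if __name__ == "__main__":
    print(diagnose(APP_TOKEN, *GROUP_PHOTO))
    print(diagnose(USER_TOKEN, *GROUP_PHOTO))
```

The decoded claims are for diagnosis only; authorization decisions belong to the resource server that validates the token's signature.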

Issue with calendar attachments in group event(s)

We have an issue accessing the attachment(s) of an event created in an O365 Group when using the Graph. The event is created in the group calendar, the group is set to public and can be accessed by the user requesting the event. Using the Graph Explorer we can access the event by using the following:
https://graph.microsoft.com/v1.0/groups/groupid/events/eventid
However using the: https://graph.microsoft.com/v1.0/groups/groupid/events/eventid/attachments results in a 403 error:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "af65c3ce-6f00-4137-817b-fa1a069d820e",
      "date": "2018-08-06T09:02:26"
    }
  }
}
The issue can be replicated using either the Graph Explorer or any other method. Obviously we have checked the permissions and Calendar.Read has been applied, but even after checking all permission boxes available in the Graph Explorer (or AD App Registration) a 403 still occurs regardless of the selected permissions.
Any call to the attachment endpoint results in a success for events that are in a user's calendar, and it seems to be only occurring when retrieving events for a group. There seems to be no change in behavior whether the group is public or private, nor when using either the /beta or the /v1.0 endpoint.
The IntelliSense in the Graph Explorer does show /attachment to be an option, but it always returns a 403 when requested.
Any insights or tips on how to retrieve attachments for events created in a group would be great.
I can reproduce your scenario from my end as well.
Tried using Graph Explorer, Console project and ASP.NET MVC (can download the sample from this link)
I have read through the attachment_get Microsoft document, however I can't find any API for your case. I presume there is no such function atm.
I recommend you to raise a ticket from your end to the OfficeDev.
PS: I had an unusual access is denied error when I tried to access group in ASP.NET MVC sample although I'm logged in with admin account, and it still shows access request is denied.
https://learn.microsoft.com/en-us/graph/api/resources/attachment?view=graph-rest-1.0
Events in group calendars do not support attachments.
Last year (an entire year after this question was asked) Microsoft finally clarified in the Graph docs that group events do not support attachments.

Could not obtain WAC Access Token

I am trying to create a worksheet using the Graph API and getting the below error. Everything on the URL seems right and I am unable to figure out what is causing the error. There is little help on the Graph API documentation also!
URL:
https://graph.microsoft.com/v1.0/me/drive/items/01FUAEYJMWQZF5VGFFL5G27P5AGS5M2FXD/workbook/worksheets
Error:
{
  "error": {
    "code": "AccessDenied",
    "message": "Could not obtain a WAC access token.",
    "innerError": {
      "request-id": "44990b81-a8ee-489f-9fd8-d5f7c9a31bf1",
      "date": "2018-05-07T14:02:08"
    }
  }
}
Microsoft documentation:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/worksheetcollection_add
Any pointers to the solution or what I might be doing wrong is appreciated. Thanks.
According to this post, "WAC is basically a designation for the Office web apps".
So this error probably means that something is tripping up the Graph server (in the file access authentication logic?), but the reported error is not specific enough, hence the generic "WAC Access Token" error.
This worked for me:
Make sure the file is in SharePoint, not OneDrive (Microsoft Graph doesn't seem to play well with Excel files stored in OneDrive - I think I saw this on Reddit)
Is the file extension .xlsx? (According to this answer, .xltm can cause this error)
Does your user have the Files.Read permission?
Make sure you're using Delegated User permissions from and not Application permissions (GitHub issue)
