Develop Reference

Return 401 Unauthorized when use Graph API to read calendar and mailbox setting

I have setup a work account on Azure and add permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type
I can use client credential flow to get the access token successfully
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
the token can be parsed by https://jwt.ms with proper role
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when query calendar or mailboxSettings
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return error below
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Is "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above query, or need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite ?
Also for permission of calendar, which one is a higher permission, is the below correct?
Calendars.Read < Calendars.ReadBasic.All

Could you please try by providing user.ReadAll permission instead of User.ReadBasic.All

Question about Create oAuth2PermissionGrant (a delegated permission grant)

I followed this document https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=http
I can successful request the list api after add permission "
Directory.Read.All" to the application, while the create api returns an error
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-11-15T08:54:50",
"request-id": "46986851-590c-4687-b909-918e9d233f07",
"client-request-id": "46986851-590c-4687-b909-918e9d233f07"
}
}
is there any other permission required or some additional operations needed?

This is expected as the Create requests requires Directory.ReadWrite.All. You app seems to have only Directory.Read.All which is not enough for doing objects writes.
Trying adding Directory.ReadWrite.All to your app and trying again. Make sure it is granted by admin on Azure AD portal.

Microsoft Graph GetChat API returns forbidden error for some chats

The GetChat API (https://graph.microsoft.com/v1.0/chats/{chatid}) from Microsoft Graph returns error 403 (Forbidden) for some chats when using application permissions. The application being used has Chat.Read.All permissions with admin consent granted. Also, the same application returns success for other chats.
Following are errors for couple of requests to get chat, that were tried using Postman:
1:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:16:26",
"request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41",
"client-request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41"
}
}
}
2:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:18:37",
"request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4",
"client-request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4"
}
}
}

You could try couple of things here -
Try the same API call in Graph explorer and observe if you still see this error. This will help in identifying if there is any issue with the token that you have generated.
You may have changed your API permissions after giving your application admin consent. When you give admin consent, Azure AD will take a "snapshot" of the permissions at the time of consent. Then if you change the permissions later, you will need to re-do the admin consent process again.
Personal accounts are not supported. Refer permissions here.

MS Teams: can not fetch channel messages with Graph API using an application token

I have created a test application which is requesting adminconsent from a MS teams admin with the following scopes :
openid offline_access channelmessage.read.group channelmessage.read.all chat.read chat.readbasic chat.readwrite user.read.all channel.readbasic.all directory.read.all group.read.all groupmember.read.all organization.read.all people.read.all presence.read.all team.readbasic.all
I am using an application token to fetch ms teams organization data like users, channels, teams etc. I have managed to fetch with Graph API the user, channel, teams data of an organization,
but when I tried to fetch messages
with
https://graph.microsoft.com/v1.0/teams/team_id/channels/channel_id/messages
I am getting the following error:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-03-03T22:23:47",
"request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86",
"client-request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86"
}
}
}

When you are using application permissions you need to you must request access.For details, see Protected APIs in Microsoft Teams.

serviceNotAvailable when accessing drives with app permissions

This "drives" me crazy... I have an AAD app with following application permissions with Admin Consent:
Directory.Read.All
Files.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
Member.Read.Hidden
Organization.ReadWrite.All
People.Read.All
Sites.FullControl.All
Sites.ReadWrite.All
User.Read
Request:
https://graph.microsoft.com/v1.0/groups/{id}/drive/root
Response:
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "5ad04144-d8af-48ef-b9d3-43dafedb5911",
"date": "2020-02-15T13:28:08"
}
}
}
Decoded Token:
There's no Retry header and I've tried for several hours now.
If I send the query using a token generated with Authorization Code grant and the scope Group.ReadWrite.All User.Read profile openid email, it works like a charm.