Problem Description
I was trying to call this GET via Graph Explorer
https://graph.microsoft.com/v1.0/reports/microsoft.graph.getM365AppUserCounts(period='D7')
But it fails the following error:
The response content is not available in Graph Explorer due to CORS policy. You can execute this request in an API client, like Postman. Read more about CORS and understand how it works here.
What I've Tried so Far
So I went ahead and tried to set up a new application registration in Azure Portal, with a client secret. I've tried both Id Tokens and Access Tokens but I get the same results.
As far as API permissions, I'm not sure what I'm supposed to add to access the reports about M365 application usage. In my case I want to find out the forms usage.
I then forked the MS Graph collection into my local postman workspace and have the following values in the Authorization tab for the collection :
Access Token URL: https://login.microsoft.com/<tenantID>/oauth2/token
Client ID: (new app registration id)
Client Secret: (new secret)
It seems to generate a token no problem. I created a custom query under the MS graph collection and the authorization is set to inherit from parent. And when I check the headers tab, I can see it's using an Authorization header with the token.
But I consistently get the following error message in postman:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2022-10-26T19:52:48",
"request-id": "ggg-3d7b-ggg-a748-ggg",
"client-request-id": "sdfg-3d7b-47d9-a748-sdfg"
}
}
}
Specific questions
What API permissions are needed to run those reports?
any idea on why I'm getting the invalid token error? Is it because I am missing scope?
If i need scope what value do i supply?
Any help would be appreciated.
EDIT 1
I've updated the scope value in Postman to use:
https://graph.microsoft.com/.default
I've updated my Azure Application Registration to move all API permissions except "Reports.Read.All - Application"
In the specific Postman request, under the authorization tab, the value is set to "inherit from parent". Under "Headers" tab, I can see it adds the "Authorization" header with the value of my token. When I click on the "Go to authorization" hyperlink from the headers page, it takes me to the correct Authorization configuration section in the top level folder of the mS Graph collection.
After making these changes, I'm still getting the same error message "message": "Access token validation failure. Invalid audience.","
Related
My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the microsoft graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
This is the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2020-09-14T11:22:30",
"request-id": "{some_string}",
"client-request-id": "{some_string}"
}
}
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes you would need to send the AccessToken in the Authorization header, you should also include the x-anchormailbox header which helps route the request to correct mailbox eg
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token you can use https://jwt.io/ for that
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
I have a Logic App that is calling the Graph API to create lots of O365 Groups. For the creation, I am using Application permissions with a registered Azure app which works great.
However, I am now trying to hide O365 groups from the GAL.
I need to set these parameters:
{
"hideFromAddressLists": true,
"hideFromOutlookClients": true
}
I am having the same issue described here. But I can't figure out how to call the Graph API on behalf of a user, with Delegated permissions. I've tried setting up an Azure Managed Identity and setting it's permissions as per these instructions, but I am getting error:
"code": "ErrorGroupsAccessDenied"
"message": "User does not have permissions to execute this action.",
Can anyone help?
These are the App permissions I have set, but I am still getting "ErrorGroupsAccessDenied" "User does not have permissions to execute this action."
As your mentioned it requires to be called with delegated permission, so you can't get the access token just by MSI. According to the page you provided about MSI, it seems just use the service principal to verify the permissions. It still use application permission but not delegated permission. So please refer to the steps below to get the access token and then request the graph api.
1. Create an "HTTP" action to get the access token(we need to use username/password grant flow in this http request).
2. Use "Parse JSON" action to parse the response data from the HTTP action above.
3. Request the graph api to update the group(with the access token from "Parse JSON" action).
Please notice there is a space between "Bearer" and "access_token".
Within my application I generate an access token via
GET https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize?client_id=<CLIENT_ID>&response_type=code&response_mode=query&scope=user.read+mail.send+mail.readwrite&redirect_uri=https%3A%2F%2Fgraphresponse%2F&prompt=consent
to use the code on
POST https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
with application/x-www-form-urlencoded: grant_type=authorization_code&redirect_uri=https%3A%2F%2Fgraphresponse%2F&client_id=<CLIENT_ID>&scope=user.read+mail.send+mail.readwrite&client_secret=<CLIENT_SECRET>&code=<CODE>
So far so good, i receive a bearer token like this (formatted for readability):
{"token_type":"Bearer",
"scope":
"Mail.Read Mail.Read.All Mail.Read.Shared
Mail.ReadBasic Mail.ReadWrite Mail.ReadWrite.Shared
Mail.Send openid User.Read profile email",
"expires_in":3600,
"ext_expires_in":3600,
"access_token":"<TOKEN>"
}
and I can use the following endpoints
GET http://graph.microsoft.com/v1.0/me
POST http://graph.microsoft.com/v1.0/me/sendMail
POST http://graph.microsoft.com/v1.0/me/messages
but I get the following error
GET http://graph.microsoft.com/v1.0/me/messages
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "xxxxxxx",
"date": "2019-03-12T13:38:47"
}
}
}
Did I miss any configuration that is neccessary explicitly to read the current users inbox, or is there any admin configuration required?
As you are trying with authorization code flow so you need follow the below
step to access
https://graph.microsoft.com data.
Note:
Make sure you have office 365 user account registered
All Required permission grant
As the document explain first you need token request code
response_type = code
To do that there are two ways.
From postman request and From browser with your required credentials
Here I would show postman workaround you could also try it pasting on browser.
Postman Code Access Example
Here make sure in portal you have configure this URL as expected see the below screen shot:
To get v2.0 token request access code set request endpoint to:
https://login.microsoftonline.com/common/oauth2/v2.0/token
Content type to : application/x-www-url-form-urlencoded
See the screen shot below:
Now Click on Authorization tab and select type OAuth 2.0 and click on Get New Access
Token. See the screen shot below:
You Will prompt postman popup like below:
Enter Your necessary information here and click Request Token
In postman console body segment you will get access code for token request. See the screen shot below:
Copy the code for next use.
Now add a new tab on post man for token request like below:
In response you will get you access token like below:
Now with this token request to your expected endpoint for example http://graph.microsoft.com/v1.0/me
See the screen shot below:
In response you will get your endpoint data as expected
See the screen shot below :
If you have any more question just let me know Thank You.
I'm trying to build an application that uses Microsoft Graph to automatically create and read pages in OneNotes stored in SharePoint 365.
I can successfully do this using Graph Explorer as long as I am logged in, but can't get it to work using a bearer token in Postman
The error I am getting is:
Either scp or roles claim need to be present in the token
I successfully get an access token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
And passing in the grant_type, client_id, client_secret, code, redirect_uri and scope
Then I perform the following call, with the bearer token included in the header:
https://graph.microsoft.com/v1.0/sites
With the following getting returned:
{
"error": {
"code": "AccessDenied",
"message": "Either scp or roles claim need to be present in the token.",
"innerError": {
"request-id": "fa442c72-4ffe-493b-a33a-8e9e78c94f09",
"date": "2018-01-19T09:56:34"
}
}
}
I have set up graph permissions as per below. I have also tried enabling ALL Notes permissions configured with the same result though
Graph Permissions Image
One post I found said to check http://jwt.calebb.net/ what is returned in the token, and I found that it doesn't contain any roles, so I wonder if this is the problem.
You may need to state your tenant in the url when getting the token :
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Thanks to Tsuyoshi Matsuzaki as seen here : How to use Application Permission with Azure AD v2
Your application can get access token using the following HTTP request
(OAuth). Note that you cannot use
https://login.microsoftonline.com/common/oauth2/v2.0/token (which is
commonly used) for getting the token. Instead, you must use
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, which
identifies the specific tenant.
The call that you mentioned "https://graph.microsoft.com/v1.0/sites" is not valid.
Also request to ~/sites/... routes may need other permissions in addition to Notes.ReadWrite.
Recommend to follow steps mentioned in the following references:
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
I am trying to develop a simple background app to connect to my onedrive account (work) and regularly download some files.
I followed this tutorial https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
I have registered the app here https://apps.dev.microsoft.com/portal/register-app
I have written down the client_id and client_secret
To get an access token I make a POST request to
https://login.microsoftonline.com/common/oauth2/v2.0/token
with the following form encoded data
{
'client_id': 'clientid here',
'client_secret': 'secret is here',
'scope': 'https://graph.microsoft.com/.default',
'grant_type': 'client_credentials',
}
I get back an access_token
{'ext_expires_in': 0,
'token_type': 'Bearer',
'expires_in': 3600,
'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciO---SHORTENED FOR BREVITY'}
Next I make a GET request (with Bearer header properly set) to https://graph.microsoft.com/v1.0/me
and get this eror response (which I get for any endpoint fwiw)
{
"error": {
"code": "BadRequest",
"message": "Current authenticated context is not valid for this request",
"innerError": {
"request-id": "91059f7d-c798-42a1-b3f7-2487f094486b",
"date": "2017-08-05T12:40:33"
}
}
}
I have these permissions configured in the app setting
Any ideas what might be wrong?
I'll file a bug to improve this awful error message. The problem is that you are making a request using application permissions (client_credentials flow) - where there is no signed-in user context. Your request is to /me, and /me is basically an alias for the signed-in user - and in this case there isn't one!
You should try a call to https://graph.microsoft.com/v1.0/users instead. But, before you do that. In the app registration portal, you've selected delegated permissions, but you are calling with application permissions. You should remove the delegated permissions, and select the appropriate application permissions - to call users, select User.Read.All for example. Then make sure to consent/reconsent your app by going to the /adminconsent endpoint.
Please also read more on permissions and delegated and application permissions here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
Hope this helps,
i used https://graph.microsoft.com/v1.0/users/{{Emailid}}/messages to get all the messages in my inbox
In clientCredential flow you are accessing as an with Client secret or with client certificate . So Graph API no linger understands who is me. So you need use https://graph.microsoft.com/v1.0/users/<Your_userId> or https://graph.microsoft.com/v1.0/users/<your_userprincipalname>.
eg.https://graph.microsoft.com/v1.0/users/1sd1353as..
or
eg.https://graph.microsoft.com/v1.0/users/John_doe#contso.com
Reference: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http