I have multiple Office365 private groups that I created using Outlook. I would like to be able to list, add and remove users using a Python script (or any other language). I am familiar with Microsoft graph API, and I have used it before.
I tried to use the graph API to manage the groups, but the permissions required to manage the group (Group.ReadWrite.All, GroupMember.ReadWrite.All) need an administrator's consent to be used. I cannot get admin consent within my organization, so is there another way to achieve this?
Related
I am writing a .NET desktop app that uses the Microsoft Graph API to access the contents of my OneDrive for Business storage. I am logging in to Graph using my Microsoft work/school account U1, in my organization O1. Another Microsoft work/school account, U2, in a different organization, O2, has shared a folder with me. The folder shows up in "Shared With You" when I browse my OneDrive interactively in a browser, and I can make changes to the folder there. It also shows up as a DriveItem in the returned list when my app uses the "sharedWithMe" API call documented here (with allowexternal set to true).
All good so far. The problem is when I try to actually retrieve the shared folder using the returned DriveItem. I am following the guidance in the doc page to use a call like
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}
to retrieve the folder, and I have the "Files.ReadWrite.All" permission. I believe I am doing this correctly in my code, because it works fine on other items shared with me by users in my organization. However, with the folder shared by U2, this call fails with an "itemNotFound" error. I don't understand why this fails. Is this a problem with my code, or some configuration that needs to be done in my organization O1, or in their organization O2, or a combination? Or is what I'm trying to do just not possible across organizations?
I have found a couple other folks who have had similar problems, but the resolutions are inconclusive: see here, here, and here. These links have suggested a couple directions:
could this be a problem with some sharing setting on the part of organization O2? Unfortunately I don't have any control over this org. But if I can give them a clear request, preferably with some Microsoft docs to back it up, I think they would be receptive. For example, does organization O2 need to add/invite my account U1 as an external/guest user to their Azure AD? I don't know for sure if they've done that.
one of the comments suggested that my app would need to be a multi-tenant app for it to access resources in another tenant. I do not want my app to be multi-tenant in the sense of allowing people in other tenants to login to it, but I do want my account to be able to access resources in other tenants that have been shared with me. I tried changing the app registration for my app to multi-tenant, and that didn't make any difference.
in the multi-tenant vein, I found this Microsoft doc, which states "In the code of your multi-tenant app, get the authentication token for other tenants and store them in the auxiliary headers. The user or application must have been invited as a guest to the other tenants." In my code I am using Microsoft.Identity.Client.PublicClientApplicationBuilder to sign my account in and get an access token, using the authority for my tenant. It sounds like my access token is only valid for resources in my tenant - how do I get a token for another tenant in my code?
Thanks very much for any suggestions, be they pointers to docs, code suggestions, etc!
Is there a query or data element accessible using the Graph API that will allow you to distinguish a shared mailbox from a normal user in o365? I normally want to only sync users if they have certain licenses but also include shared mailboxes (which do not require a license).
A User and a Mailbox are two different things. A User is an account managed by Azure Active Directory, a Mailbox is an email destination managed by Exchange Online.
If you're asking how to determine which users have access to a given mailbox, this is not available through Microsoft Graph. You would need to use a different mechanism to determine a mailboxes configuration; the most common being Exchange Web Services or PowerShell (which is most likely using EWS behind the scenes).
I am using ng2-adal to integrate my Angular app with Azure AD login. My application should only be accessible to certain groups within my organization. Currently when I query the adal-service for user-info the jwt doesn't contain any groups information.
I figure I would query Microsoft Graph API to get /me/memberOf info but I get Access denied to this information and require an Admin to grant me permissions to view this data.
Is there any other way of getting this information or do I have to bug my IT dept to enable READ permissions for groups?
I'm afraid so, anything that looks at Groups requires Admin Consent.
It certainly seems reasonable that you should be able to see your own membership (/me/memberOf) with User.Read. That said, I'm far from an information security expert there may good reasons for not allowing it.
Regardless, I would highly recommend adding this suggestion to the UserVoice. They do have
Since Graph is a self-documenting language, I wanted to use this to my advantage and write PowerShell functions to automatically generate cmdlets based on metadata. I've got a lot of this complete, but am having problems figuring out scopes. Is there a way to find scopes? It's not stored in the metadata and the documentation doesn't have scopes listed for everything (for instance, nothing in Excel has scopes listed).
The Graph Explorer seems to request correct permissions, so that has access to this list somewhere.
It depends on which API you are looking for.
Scopes for Azure AD Graph API is at https://msdn.microsoft.com/library/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes.
There is a huge list for different parts of the Microsoft Graph API at https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes.
When you first sign in to Graph Explorer, you give it these permissions:
Based on the descriptions and the link above you can figure out what the scope name is for each of the items in the list. (E.g. the first one is Mail.ReadWrite).
When you create an application in Azure AD, you configure which applications it needs access to, and what access it needs. That results in the list which the user grants access to on first signin.
Service or daemon authentication to the Microsoft Graph grants access to a limited number of functions.
For example, to be able to work with Planner and tasks, you have to be logged in as a user. In other case, we can't access most of user details, we can't access user's files and so on.
Why service or daemon must have more permissions then now? In our case, service should automatically create Planner tasks and Calendar events for specific users or groups according to automatically registered events. Sometimes it should also create or add or read files in OneDrive of this user. Also automatically, of course. Due to Microsoft Graph restrictions, it is easier to use additional 3rd-party service to track tasks, or even write our own. The same situation with files.
Microsoft Graph looks like a powerful API, but due to its access restrictions it becames unusable when you need to made something automatically, without any user actions.
What is the reason for most of these restrictions?
Is there any walkarounds?
Office 365 works perfect with deamon applications but not in your usecase. It works great for modifying a user' calendar for instance. See here https://learn.microsoft.com/en-us/graph/api/user-post-events?view=graph-rest-1.0&tabs=cs
Apart from that, if you want to have something changed in the graph api. The best way to let Microsoft know is to create an item on UserVoice. This is to let users influence what features they need, maybe you can express your wishes there. https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests