steps to create PowerBI API token - oauth-2.0

I'm using this URL https://login.windows.net/(the Tenant ID of the App that I made in Azure AD)/oauth2/token to create a token for the Power BI API. My Postman request looks like this:
But when I use this access token to do some operations, like getting a list of reports in a dataset, I get 401 Unauthorized:
Exactly which steps I have taken so far can be seen in this question. I also haven't created a Service Principal; is that needed here? Am I missing a step?

I tried to follow all the steps, and it's working fine for me.
Please check the API permissions provided for your registered app.
You can check the required permission under API Permissions -> Add a permission -> Power BI Service and select the required permission.
For instance, we need these permissions to access the datasets:
You can also try the same with the 'Try it' feature from here:
Datasets - Get Dataset In Group - REST API (Power BI REST APIs) | Microsoft Docs

Related

Cannot get joined teams using Graph for external users using mail identity

I am attempting to use "v1.0/me/joinedTeams" to get all the joined teams for the currently authenticated user in my ASP.NET service. This works fine for external accounts that use a Microsoft identity (have a Live account), but the same call returns a 400 Bad Request when I attempt to use an external account that uses a mail identity (no Live account). The request is the same regardless of external account type. The token generated when authenticating as the mail-identity external user looks correct when I inspect it.
I have been able to implement a workaround where I instead use the SharePoint REST service to get the groupId for the team site the user is a part of and then use the Graph call "v1.0/teams/{groupId}" to get that team. However, I need to do this for all the teams the external user has access to, which slows things down quite a bit.
I am aware of what looks like a bug in Graph when trying to make any Graph calls with any external user type, described here: https://github.com/OneDrive/onedrive-api-docs/issues/1039. I have also implemented the workaround for this issue, which requires first accessing each site the user has access to by making some arbitrary call using the REST service. Then any subsequent calls using Graph should work. I do this for external accounts with a mail identity before trying to make the joinedTeams call but still run into the 400 response.
These workarounds will suffice in the short term, but they increase my execution time significantly, especially when there is a large number of teams the external user is a part of. Any insight on a solution is greatly appreciated.
/me/joinedTeams is not available for personal Microsoft accounts. See the table on this page.

Get Team's Planner using App Only permission in Azure Function

Is there any example of how I can achieve the following requirement:
I need to read Planner plans from a group in an Azure Function through the Graph API.
Application permissions are not supported, only delegated.
I tried ConfidentialClientApplicationBuilder with OnBehalfOfProvider, but no luck. I do not know how to set UserAssertion in this case.
Also, the username and password flow is not an option, because end users can use MFA.
Unfortunately, Microsoft Planner APIs on Microsoft Graph do not support Application permissions (app-only). This is confirmed in the docs here: https://learn.microsoft.com/en-us/graph/api/planner-post-plans?view=graph-rest-1.0&tabs=http#permissions
Please vote up the feature request for this: https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/5904632-application-permissions-to-task-api

Are There Azure AD App Perms Available for Microsoft Teams REST API

I want to start doing some development with the preview edition of the Microsoft Teams APIs.
I currently have a solution working using the Azure AD v2 endpoint, but I wanted to get a working solution using the v1 endpoint.
I can't find any Microsoft Teams permissions available in the Azure AD portal, and I didn't see anything specifically about this in the Known Issues for the Teams API.
Can anyone comment on whether there are any options for a pure v1 endpoint solution using application registration available right now? If not, is it planned?
The v1 endpoint uses the same permissions as the v2 endpoint. The primary difference between the two is that v2 scopes can be dynamically requested during authentication, while the v1 endpoint requires permissions to be pre-defined within the registration.
When using the Azure Portal, all of the permissions for Teams show up under "Microsoft Graph". For Teams you'll generally need User.Read and Group.ReadWrite.All. The Azure Portal lists permissions by description (although you can see the underlying scope name in the tooltip):
Sign in and read user profile (user.read)
Read and write all groups (Group.ReadWrite.All)
Note that Group.ReadWrite.All does require Admin Consent. Before you can authenticate normal users, you will first need to have an Administrator go through the Admin Consent process.
I'm posting this as the answer, because I'm pretty certain this will trip up other developers out there. Up to this point, when getting an access token for AAD v1 apps that use Microsoft Graph, you use "https://graph.windows.net" as the Resource ID. The interwebs are replete with this example, and I have it in my own code that I use for OneNote and other services.
Now, with the Graph endpoint for connecting to Teams (and probably other things), the Resource ID you need to use is "https://graph.microsoft.com". I just ran through a quick test using an AAD v1 app with the Microsoft Graph API and the Read All Groups permission. I'm sure there's an explanation out there from some MSFT person that might make sense, but I have not found it after many hours of searching the web.
Hope this helps someone.

Accessing Usage Reports via Graph API

I'm attempting to take advantage of the public preview of the Microsoft Graph reporting APIs for retrieving Office 365 product usage data. I have an application registered for Graph that successfully executes Graph calls for non-reporting APIs (i.e., the access_token I generate with my app is successfully used to access user information for a tenant: https://graph.microsoft.com/beta/users), but when I try any of the report resources I encounter the below error:
Invalid scope claims/roles.
According to the documentation I've read, this would seem to imply that my app does not have the necessary permissions for reports, but this is not correct, as I have confirmed that the app has the "Read all usage reports" application permission enabled.
Has anyone else encountered similar challenges with the Microsoft Graph reporting APIs and have any suggestions that I could try?
If you added this scope after you had already authorized the application, it may still be using the previous/cached list of scopes. You can force re-authorization by adding ?prompt=consent to your initial authorization URL. For example:
https://login.microsoftonline.com/common/oauth2/authorize?client_id={app id}&response_type=code&redirect_uri={redirect uri}&prompt=consent

Microsoft Graph schemaExtensions Authorization_RequestDenied

I'm trying to use Microsoft Graph from my app via the REST API graph.microsoft.com/beta/schemaExtensions
Here is what I did:
1. Registered the app at https://apps.dev.microsoft.com
2. Checked all Delegated and Application authorizations
3. Got an access token without a user based on the OAuth Client Credentials Grant flow
4. Asked for Admin Consent with the access token retrieved in point 3, and it was successful, using https://login.microsoftonline.com/tenant/adminconsent?client_id=xxx&state=12345&redirect_uri=http://localhost:8081
5. POSTed to /beta/schemaExtensions with the access token retrieved in point 3, and I get this error:
Authorization_RequestDenied - Insufficient privileges to complete the operation
So here are my questions, hoping someone could help me:
How do I check if delegated authorization is OK after the Admin Consent request?
Which privileges are missing to use schemaExtensions?
My app should work without a user; it's the preferred approach.
A couple of things here.
Extensions are GA and available on the /v1.0 version. Please use that instead of /beta.
We don't support schema extension registration using application permissions. It requires the Directory.AccessAsUser.All permission today (we're also investigating if there's another, less privileged permission we can use here), per the create schema extensions topic.
Registering a schema extension can be a separate process from your application actually using the extension to create custom data on target object instances.
As such, we are making a change (should be available shortly) to allow you to register and manage schema extensions for your app using Graph Explorer. There is also a UserVoice request to have a UI experience in app registration for schema registration/management. Please vote for this if it's important to you.
I'll update this post once Graph Explorer supports registering and managing schema extensions.
Hope this helps.
To answer the follow-up question, the calling user should have read/write access to add custom data to another user. However, you can use open extensions to add custom data using /me/extensions on the calling user (as long as the app has User.ReadWrite or higher permissions).
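Several of the threads above come down to the same diagnosis: the Power BI 401 after a client-credentials token from the v1 endpoint, the "Invalid scope claims/roles" error from the reports API after a permission was added late, the graph.windows.net versus graph.microsoft.com Resource ID mix-up, and the Authorization_RequestDenied from schemaExtensions when an app-only token is used where a delegated permission is required. In each case the first thing to do is decode the access token you actually sent and compare its `aud`, `roles` and `scp` claims with what the API expects. The script below is an added example, not code from any of the posters or from Microsoft. It assumes the v1 token endpoint on login.microsoftonline.com (the question uses the equivalent login.windows.net host), a Microsoft Graph audience of https://graph.microsoft.com, and two constructed, unsigned sample tokens; substitute the resource URI of whatever API you are calling (for Power BI, the one given in the Power BI REST API docs).

```python
"""
Added example (not from the original posts): build an Azure AD v1-endpoint
client-credentials token request and inspect the resulting JWT's claims to
explain a 401 / "Invalid scope claims/roles" / Authorization_RequestDenied.
"""
import base64
import json
import urllib.parse
import urllib.request

# Assumption: v1 endpoint host; login.windows.net (as in the question) is equivalent.
V1_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
GRAPH = "https://graph.microsoft.com"          # Microsoft Graph resource ID
AAD_GRAPH = "https://graph.windows.net"        # the older Azure AD Graph, NOT Microsoft Graph


def build_v1_client_credentials_request(tenant, client_id, client_secret, resource):
    """Return (url, form body) for a v1-endpoint client-credentials grant.

    On the v1 endpoint the `resource` parameter names the API you will call and
    becomes the token's `aud` claim; a token minted for one resource is rejected
    with 401 by another.
    """
    url = V1_TOKEN_URL.format(tenant=tenant)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body


def request_token(url, body):
    """POST the form to the token endpoint and return the access token (network call)."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Fine for looking at a token you just received for debugging; never use this
    to accept a token presented to your own service.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token, expected_audience, required_permission):
    """Return (flow, findings): flow is 'app-only' or 'delegated', findings lists
    reasons the API call would be refused.

    - `aud` must equal the resource you call.
    - An app-only token (client credentials) carries application permissions in
      `roles` and has no `scp`; a delegated token carries its scopes in `scp`.
      A permission that exists only in the other kind of token, or that was
      added/consented after this token was issued, is simply not present.
    """
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud")
    if aud != expected_audience:
        findings.append(f"aud is {aud!r}, expected {expected_audience!r}: "
                        "wrong `resource` in the token request")
    flow = "delegated" if "scp" in claims else "app-only"
    granted = claims.get("scp", "").split() if flow == "delegated" else claims.get("roles", [])
    if required_permission not in granted:
        findings.append(f"{flow} token lacks {required_permission!r}; granted: {granted}")
    return flow, findings


def make_unsigned_token(claims):
    """Constructed test data: an alg=none JWT with an empty signature. Azure AD
    never issues these; they exist only so the decoder can be exercised offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens (not real tenant data).
APP_ONLY_WRONG_AUD = make_unsigned_token({"aud": AAD_GRAPH, "roles": ["Group.Read.All"]})
DELEGATED_OK = make_unsigned_token({"aud": GRAPH, "scp": "User.Read Group.ReadWrite.All"})

if __name__ == "__main__":
    url, body = build_v1_client_credentials_request("contoso.onmicrosoft.com", "app-id", "secret", GRAPH)
    print("POST", url, "\n ", body)
    for name, tok, perm in [("app-only token", APP_ONLY_WRONG_AUD, "Reports.Read.All"),
                            ("delegated token", DELEGATED_OK, "Group.ReadWrite.All")]:
        flow, findings = diagnose(tok, GRAPH, perm)
        print(f"{name}: {flow}; " + ("; ".join(findings) or "looks usable"))
```

When the real token you obtained shows the right `aud` and the permission in the right claim and the API still refuses the call, the remaining candidates are consent state (re-run the authorize URL with prompt=consent, as the reports answer says) or an API that only supports the other kind of permission (schema extension registration and Planner, per the answers above).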
