Is it possible to create a ToDo-Task for other users using a single Admin login?
I have registered an app, and set "API permissions" for Tasks.Read, Tasks.ReadWrite, User.Read.All
I have two users. An admin user, and a test user.
I acquire an access_token for the admin user:
Using the admin's access token as Auth Header "Bearer {{token}}", I can read the test user's profile with GET https://graph.microsoft.com/v1.0/users/testuser#mycompany.onmicrosoft.com
I can successfully create a ToDo-Task for the test user using the test user's access token.
I can successfully create a ToDo-Task for the admin user using the admin user's access token.
However, if I try to create a ToDo-Task for the test user with the admin's access token, I receive this error message ({{ListID}} = List-ID of the test user):
{
"error": {
"code": "invalidRequest",
"message": "Invalid request",
"innerError": {
"code": "ErrorIncorrectRoutingHint",
"date": "2022-07-28T07:49:25",
"request-id": "#######-####-####-####-############",
"client-request-id": "########-####-####-####-############"
}
}
}
What you need is application permission, however, Graph ToDo tasks API is not yet supported.
For more information, check the document: https://learn.microsoft.com/en-us/graph/api/resources/todo-overview?view=graph-rest-1.0
Related
I have set up a work account on Azure and added the permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type.
I can use the client credential flow to get the access token successfully:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
The token can be parsed by https://jwt.ms with the proper roles:
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token:
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when I query calendar or mailboxSettings:
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return the error below:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Are "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above queries, or do I need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite?
Also, for the calendar permissions, which one is the higher permission? Is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try providing the User.Read.All permission instead of User.ReadBasic.All?
I followed this document: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=http
I can successfully request the list API after adding the permission "Directory.Read.All" to the application, while the create API returns an error:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-11-15T08:54:50",
"request-id": "46986851-590c-4687-b909-918e9d233f07",
"client-request-id": "46986851-590c-4687-b909-918e9d233f07"
}
}
Is there any other permission required, or are some additional operations needed?
This is expected, as the Create request requires Directory.ReadWrite.All. Your app seems to have only Directory.Read.All, which is not enough for doing object writes.
Try adding Directory.ReadWrite.All to your app and try again. Make sure it is granted by an admin on the Azure AD portal.
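The check behind the two answers above (the `roles` claim that jwt.ms shows for a client-credentials token, and the create call that needs Directory.ReadWrite.All), as an added example that is not part of the original posts. The helper names are hypothetical and the sample tokens are constructed and unsigned; the payload is decoded for diagnosis only, without verifying the signature.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Return (token kind, permissions): 'roles' marks app-only, 'scp' delegated."""
    if claims.get("roles"):
        return "application", set(claims["roles"])
    return "delegated", set(claims.get("scp", "").split())


def missing_permissions(token: str, required: set[str]) -> set[str]:
    """Permissions in `required` that the token does not carry (case-insensitive)."""
    _, granted = granted_permissions(decode_claims(token))
    have = {p.lower() for p in granted}
    return {p for p in required if p.lower() not in have}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples mirroring the two token shapes discussed on this page.
APP_TOKEN = make_sample_token({"roles": ["Directory.Read.All", "User.Read.All"]})
USER_TOKEN = make_sample_token({"scp": "Tasks.ReadWrite User.Read.All"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        kind, perms = granted_permissions(decode_claims(tok))
        print(name, kind, sorted(perms))
    # The create call in the answer above needs Directory.ReadWrite.All.
    print(missing_permissions(APP_TOKEN, {"Directory.ReadWrite.All"}))
```

Running the same comparison before and after admin consent shows whether a newly added permission actually reached the token, which separates a consent problem from an endpoint that does not accept that token type.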
I have created a test application which is requesting admin consent from an MS Teams admin with the following scopes:
openid offline_access channelmessage.read.group channelmessage.read.all chat.read chat.readbasic chat.readwrite user.read.all channel.readbasic.all directory.read.all group.read.all groupmember.read.all organization.read.all people.read.all presence.read.all team.readbasic.all
I am using an application token to fetch MS Teams organization data like users, channels, teams etc. I have managed to fetch with Graph API the user, channel, teams data of an organization, but when I tried to fetch messages with
https://graph.microsoft.com/v1.0/teams/team_id/channels/channel_id/messages
I am getting the following error:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2021-03-03T22:23:47",
"request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86",
"client-request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86"
}
}
}
When you are using application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
I created an app on https://apps.dev.microsoft.com
with the following Application Permissions:
Calendars.Read (Admin Only) Calendars.ReadWrite (Admin Only) User.Read.All (Admin Only)
Admin Consent
Admin consent was then successfully granted via this URL
https://login.microsoftonline.com/strixtechnology.onmicrosoft.com/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
Get access token
An access token was then obtained from
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
with headers
Content-Type=application/x-www-form-urlencoded
and body with key-value pairs
grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default
This returns an access token.
Subscribe to notifications
Using that access token, I then try to subscribe to the events on a certain resource mailbox:
POST https://graph.microsoft.com/beta/subscriptions
with headers
Content-Type=application/json
Authorization=Bearer <access_token_here>
and body
{
"changeType": "created,updated,deleted",
"notificationUrl": "https://dashmeetings.com/microsoft/notify",
"resource": "users/mahogany#strixtechnology.com/events",
"expirationDateTime":"2017-12-01T11:00:00.0000000Z",
"clientState":"1234"
}
This returns a 401 Unauthorized with
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: Unauthorized; Reason: Unauthorized]",
"innerError": {
"request-id": "98ce5e5e-1ce4-4417-8c35-456a3cc0e696",
"date": "2017-11-30T10:59:28"
}
}
}
This question seems similar to “Resource not found for the segment” using Graph subscription beta, but I follow the same steps without any luck.
The admin consent URL had to be
https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
and the access token address:
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
I'm trying to send an email message using the Microsoft Graph REST API. My application is a service/daemon application where I am sending email on a user's behalf.
I am successfully able to obtain a token and obtain the user object such that I have the user's id, but when I try to use the sendMail API (POST /users/{user id}/sendMail) I receive the following error response:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "a911ead2-840d-4bfe-9a77-bc5000c1b749",
"date": "2017-01-03T13:33:24"
}
}
}
I also tried to first create the message as a draft using POST /users/{user id}/messages but that also returns the exact same error. My application permissions include both Mail.ReadWrite and Mail.Send.