MS Azure App - Cross organisation (Multi Tenant) access to Sharepoint files - microsoft-graph-api

Required: MS Graph App that has access to companyB.sharepoint.com drive/file items for a member of CompanyA
I am from Company/Organisation A. I have been granted access to a SharePoint site of Company/Organisation B.
https://companyB.sharepoint.com/sites/company_name/XXXX%20Files/Forms/AllItems.aspx
Via a browser this works as expected (i.e. I can access the SharePoint site).
I have created a Multi-Tenant App (Azure dev portal) and have been able to receive a user delegated access token. The refresh token works fine.
The App (Overview) => Supported Account types: Multiple organisations.
Using the Graph Explorer (Authenticated for company A user) https://developer.microsoft.com/en-us/graph/graph-explorer
https://graph.microsoft.com/v1.0/sites/companyB.sharepoint.com:/sites
returns
{
  "error": {
    "code": "invalidRequest",
    "message": "Invalid hostname for this tenancy",
    "innerError": {
      "date": "2022-04-12T04:36:00",
      "request-id": "qqq21a6d3-xxx-xxx-xxx-xxx390a4yyy",
      "client-request-id": "qqq382fa-xxx-xxx-xxx-xxx708yyy"
    }
  }
}
What I'm trying to achieve is to get access to and obtain a list of the files contained in the SharePoint site under CompanyB, and then be able to walk through the files and add/edit/delete files in these directories (or whatever terminology MS uses for Sites and Files/Folders within a site).
I cannot seem to find the 'SiteID' or 'DriveId' that the URL references point to...
Would it be feasible to create an app under Company B (i.e. create a dev account for them), create a simpler, non-verified, organisation-only app under Company B, and then log in as a user from Company A?
Any pointers or examples from anyone who has done this are appreciated.

Related

Graph API /sites is not working for external guest users

We are trying to identify the SharePoint sites a user has access to using the Graph API. This is working just fine for internal users. However, when we try this for an external user (already guested in Azure AD), we are getting the error below:
{
  "error": {
    "code": "itemNotFound",
    "message": "Item not found",
    "innerError": {
      "date": "2022-06-20T16:28:01",
      "request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
      "client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
    }
  }
}
We have tried to use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and it's the same error there as well.
If you are using the /common endpoint, a guest user has its own shadow tenant and won't be pointing to the AAD tenant it has been invited into, thus they cannot access resources like a normal member could. Plus, they have limited default permissions, and that does not include group/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority, then the above is not relevant.
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer; it worked for me, then you can code the same requests to talk to the Graph API. Here are the steps:
Get your tenant Id using this site: https://www.whatismytenantid.com/
Open MS Graph Explorer like this: https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guest account.
You should see the name of your guest signed in with your tenant; if not, sign out and sign in again.
Unfortunately, you won't be able to list the SharePoint sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest has only a Family account? It worked fine with a user in the same org).
You need to know the siteId, then you can list the document libraries, folders, files, etc. using a request like this: https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I could get the siteId from MS Graph Explorer for a guest user, but it looks like it is not possible. BTW, doing the same on Google Workspace is a no-brainer using shared drives, not like Microsoft at all...
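The following is an added Python example, not code from either of the posts above, that puts the two answers together for the original question: the guest must sign in against Company B's tenant authority (not /common), the site can be addressed by hostname and server-relative path instead of a hard-to-find siteId, and from there the drives and folders can be listed. The hostname and path are taken from the question; the `fetch` parameter (so the logic can be exercised without a network) and token acquisition (e.g. via MSAL, outside the block) are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def authority_for(resource_tenant: str) -> str:
    """Authority the guest must sign in against: Company B's tenant (id or
    verified domain). /common issues a token for the user's HOME tenant, and
    Graph then answers 'Invalid hostname for this tenancy'."""
    if resource_tenant.lower() in ("common", "organizations", "consumers"):
        raise ValueError("guest access needs the resource tenant id or domain, not " + resource_tenant)
    return f"https://login.microsoftonline.com/{resource_tenant}"

def graph_get(access_token: str, url: str) -> dict:
    """Default transport (network): GET with the delegated bearer token.
    Graph returns its error document as JSON on 4xx, so surface it as data."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)

def site_url(hostname: str, site_path: str) -> str:
    """Address a site by hostname and server-relative path; no site id needed."""
    return f"{GRAPH}/sites/{hostname}:/{site_path.strip('/')}"

def list_site_drives(access_token: str, hostname: str, site_path: str, fetch=graph_get):
    """Resolve the site id from its URL, then list its document libraries.
    Returns (site_id, [(drive_name, drive_id), ...])."""
    site = fetch(access_token, site_url(hostname, site_path))
    if "error" in site:
        err = site["error"]
        if err.get("code") == "invalidRequest" and "tenancy" in err.get("message", ""):
            raise PermissionError("token issued for the wrong tenant; acquire it via authority_for(<Company B tenant>)")
        raise RuntimeError(f"{err.get('code')}: {err.get('message')}")
    drives = fetch(access_token, f"{GRAPH}/sites/{site['id']}/drives")
    return site["id"], [(d["name"], d["id"]) for d in drives.get("value", [])]

def list_folder(access_token: str, drive_id: str, folder_path: str = "", fetch=graph_get):
    """Names of the children of a folder in a drive (the root when folder_path is empty)."""
    path = f"root:/{urllib.parse.quote(folder_path.strip('/'))}:" if folder_path else "root"
    items = fetch(access_token, f"{GRAPH}/drives/{drive_id}/{path}/children")
    return [i["name"] for i in items.get("value", [])]
```

With a real token, `list_site_drives(token, "companyB.sharepoint.com", "/sites/company_name")` returns the siteId the second answer says is needed, and `list_folder(token, drive_id, "XXXX Files")` walks the library from the question.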

How to access users calendar as an 'app' - microsoft graph

I am setting up Microsoft Graph auth and API calls for the first time in a new app.
I can successfully authenticate a user, return access and refresh tokens, then make the first call to get my profile info.
I can even make this call as the app and not a 'user'.
Where I am running into issues is making calls to get my calendar by adding /calendars to the end of my profile call. When I do this I get this error:
{
  "error": {
    "code": "OrganizationFromTenantGuidNotFound",
    "message": "The tenant for tenant guid '1dd120fe-cbd9-492b-b36d-12e4aa856cf3' does not exist.",
    "innerError": {
      "oAuthEventOperationId": "ae00f89a-1d34-4299-af82-93d5c0409ada",
      "oAuthEventcV": "mJu0K0YLfbqLxFewMqMcug.1.1",
      "errorUrl": "https://aka.ms/autherrors#error-InvalidTenant",
      "requestId": "ae055090-cad5-4b0f-ad7b-9c0731c75bd4",
      "date": "2021-09-15T16:18:10"
    }
  }
}
As a note, I get the same error when making the call as either the user whose calendar I am requesting or as the application.
In the application I do have the permissions set like this
And for reference, here is the URL I am calling that works
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b
and the one that does not
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b/calendars
Here is a video demonstrating the issue and the granted permissions.
https://vimeo.com/605796641
It could be because the Azure AD you created does not have Office 365. Thus it cannot have calendars. /users works because that is an Azure AD endpoint.
If you want to access calendars for your development O365 tenant, register the app in the O365 AAD tenant that you got when you created the development tenant.
Follow the steps below:
You need a Microsoft Office 365 account with a subscription; you can get this by applying for one through the Office 365 developer program.
Upon creating one, follow the instructions and add the apps to it.
Go to the Azure Portal and log in with your Office 365 account.
Create an app under AAD -> App registration.
Try to access https://graph.microsoft.com/v1.0/users/{user_id}/calendars.

MS Graph AllowToAddGuests is available for owner of a Group?

We have created a WP that we have published to Teams that would give owners the possibility to modify the external sharing setting ("AllowToAddGuests") from a tab in their Teams.
We are experiencing a problem when we try to set AllowToAddGuests using an owner account.
The Teams app has:
{
  "resource": "Microsoft Graph",
  "scope": "Directory.ReadWrite.All"
}
As per the MS Graph docs
https://learn.microsoft.com/en-us/graph/api/directorysetting-update?view=graph-rest-beta&tabs=http
it should work fine with delegated permissions.
If I execute the graph call in the graph explorer using the owner user it gives the same access error.
All permissions are granted at admin level.
If a global admin is used, then all works fine.
The error I am receiving is the following:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2020-07-02T15:18:56",
      "request-id": "84fe9be9-a4b0-4023-93e6-68dd780ce2ea"
    }
  }
}
Does the owner have the possibility to change the AllowToAddGuests flag, or should I do this via an app registration?
Thanks for the answers.
Alex
I am posting this here so that if anybody looks for the same information, they have it here.
At the time of this writing, the answer we got from Microsoft is that for this call to work, the user performing the call (in our case one of the owners) needs to also be a Group Administrator. For our use case this was not doable as any user in the company can potentially be an owner of a MS Teams.
The solution we have chosen is to use application permission with Directory.ReadWrite.All to perform the call. This works as expected now.
Microsoft has also promised they will update the documentation in order to include the current information.
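The following is an added Python example, not code from the question or the answer above, of the approach the answer settled on: obtain a token with application permissions (client credentials, `.default` scope covering the admin-consented Directory.ReadWrite.All) and then update the group's Group.Unified.Guest setting on the beta endpoint the question links to, creating the per-group setting from the directory template when the group does not have one yet. The `send(method, url, body)` transport (so the logic can be exercised offline) and the group and template ids in the test are assumptions.

```python
import urllib.parse

BETA = "https://graph.microsoft.com/beta"
GUEST_TEMPLATE = "Group.Unified.Guest"  # directory setting template that carries AllowToAddGuests

def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """Token request for APPLICATION permissions: no signed-in owner is involved,
    so the owner's missing Group Administrator role no longer matters.
    Returns (token_endpoint, form_body) for the v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default = the app roles an admin consented to (here Directory.ReadWrite.All);
        # keep the set of consented roles to what this one call needs
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body

def set_allow_to_add_guests(send, group_id: str, allow: bool) -> dict:
    """Flip AllowToAddGuests on one group. `send(method, url, json_body)` is a
    caller-supplied transport that attaches the app token and returns the
    parsed JSON response ({} for 204 No Content)."""
    values = [{"name": "AllowToAddGuests", "value": "true" if allow else "false"}]
    settings = send("GET", f"{BETA}/groups/{group_id}/settings", None)
    if "error" in settings:  # e.g. Authorization_RequestDenied under a delegated owner token
        raise PermissionError(f"{settings['error'].get('code')}: {settings['error'].get('message')}")
    for setting in settings.get("value", []):
        if setting.get("displayName") == GUEST_TEMPLATE:
            return send("PATCH", f"{BETA}/groups/{group_id}/settings/{setting['id']}",
                        {"values": values})
    # No per-group setting yet: instantiate one from the directory setting template.
    templates = send("GET", f"{BETA}/directorySettingTemplates", None)
    template = next(t for t in templates.get("value", []) if t.get("displayName") == GUEST_TEMPLATE)
    return send("POST", f"{BETA}/groups/{group_id}/settings",
                {"templateId": template["id"], "values": values})
```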

Youtube Content Partner API access problems

I'm having a problem with the YouTube Partner API.
I have written an application that correctly establishes an oauth connection between myself and previously authorised Content Manager page and can view my associated channels, create and manage assets etc.
I have a colleague from a different organisation with a separate Content Manager account that manages around 20 separate channels. They can use the app to successfully complete the OAuth flow. However, when we try to iterate their channel listings they receive the following error:
Google_Service_Exception: { "error": { "errors": [ { "domain": "youtube.common", "reason": "cmsUserAccountNotFound", "message": "The CMS user is not allowed to act on behalf of the specified content owner." } ], "code": 403, "message": "The CMS user is not allowed to act on behalf of the specified content owner." }
If they add my account as an administrator of the Content Manager account, I can, however, see their pages. They have permission to manage all pages under the account (and are the administrator).
My question is:
Is this because they don't have permission to use the API (although they have authorised the App that has requested permissions)?
If we create a service account, add it to their Content Manager account and change the OAuth flow to use it, will this resolve the issue?
...Or is there something else I'm missing?
Many thanks in advance for advice.

Microsoft Teams Graph API (joinedTeams) is returning an empty teams result

When accessing the joined Teams of a user (the user is registered as a guest in AAD), the Microsoft Teams Graph API (joinedTeams) is returning an empty result. So it would be great if any feedback/help on it is available.
What is achieved till now
Able to generate the access token using the secret key approach with the admin app registration. All the requests are sent using Postman.
Able to fetch all users (registered guests in AAD) of the AAD using the access token.
Note: I have added the guest users in a newly created directory, as I want to keep the users in a separate directory for the B2B implementation.
Actual results
Here is the request to the joinedTeams API. Here 8848b4c4-c89f-4d21-95e8-c19fa9024786 is the Id of the user.
Request:
https://graph.microsoft.com/beta/users/8848b4c4-c89f-4d21-95e8-c19fa9024786/joinedTeams
Response:
{
  "#odata.context": "https://graph.microsoft.com/beta/$metadata#groups",
  "value": []
}
Expected Result
Should be able to get the list of joined teams using this API.