My app has the following scopes:
- app_mentions:read
- channels:history
- channels:join
- channels:manage
- channels:read
- chat:write
- chat:write.public
- commands
- groups:write
- pins:read
- reactions:write
- users:read
- users:read.email
However, when calling conversations.create I get restricted_action.
Our team channel has the following setting: People who can create public channels: "Workspace admins and owners only"
Is there anything we can do to enable the bot user to create public channels, but maintain this setting?
Unfortunately no. Bot users can not create channels while those settings are enabled. It's also not possible to make bot users (xoxb) admins. If you're an admin or are able to authenticate your app with a admin's token than you could use that xoxp token to create a channel.
Related
We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions.
But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes.
However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions.
Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
PG Blog Bost & Demo:
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
Create Site Permission: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Team (group) resource-specific consent doesn't currently support access to the team's files.
There are some new graph scopes (preview) you could try:
Files.Read.Selected - allows read access to files user can select.
Files.ReadWrite.Selected - allows read/write access to files user can select
Files.ReadWrite.AppFolder - allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.
I'm currently trying implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add a another calendar all I'd have to do is add the object to a specific o365 group. I'm taking the application approach over delegation that way I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken :
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to Get Members for a group. you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting that permissions to the application in Portal.azure.com and admin consenting it.
If you're confident with that. Then I'd eliminate your code as being the issue by using something like postman with your app id and client secret. We have a sample Postman collection here https://learn.microsoft.com/en-us/graph/use-postman . for delegated permissions you can use our Graph Explorer playground.
MS docs says:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference
I have registered my app at https://developer.yahoo.com/apps/BY4faaaa/
How can i grant scope for yahoo mail reading?
How can I enable mail-r scope since it is not being shown in the dashboard?
In this screenshot, are yahoo's [email scopes], but I can't see the one which grants permission to read emails of the authenticated user (https://developer.yahoo.com/oauth2/guide/yahoo_scopes/)
mail-r / mail-w are the correct scopes. I can confirm as I got it working.
I'll tell you Yahoo's dirty little secret: they hardcode a whitelist of acceptable applications. If your app is not in their list, you won't be able to access mail scopes.
Unless, of course, you use the "secret" key from some other open-source app. Until they break it again, of course.
I think you'll be better off telling your clients to switch to a sane mail provider.
You can either transmit in the request body using POST or as part of the query string with GET.
eg: https://api.login.yahoo.com/oauth2/request_auth?client_id=lotsofletters&response_type=code&redirect_uri=https://yahoo.com&scope=openid%20mail-r
Also see: https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html#getting-started-setup
You cannot enable access to those scopes by yourself.
Scopes like:
mail-r (read only), mail-w (read+write) - IMAP (maybe also POP)
sdct-r (read only), sdct-w (read+write) - CardDAV
ycal-r (read only), ycal-w (read+write) - CalDAV
Those scopes are restricted so you have to request developer access from Yahoo. The only scopes which you have access to without the authorization from Yahoo are openid, email and profile.
More information on requesting developer access to restricted scopes:
https://senders.yahooinc.com/developer/developer-access/
Developer access request form:
https://senders.yahooinc.com/developer/developer-access-mail-form/
I'm wondering if we just found a bug in the MS Graph API. I'm trying to access a different user's inbox mail rules via MS Graph. Here's what I did:
1.) Registered an application on the V1 Azure AD Endpoint, with ALL delegated permissions (including MailBoxSettings.Read and MailBoxSettings.ReadWrite)
2.) Granted access to the application using a global admin account
3.) Got a Graph Bearer Token for the tenant & proper permissions:
4.) Delegated mailbox access (full access) to my Global Admin account in Exchange Online settings:
5.) Verified that I have access to the users inbox via Graph:
6.) Attempting to list messagerules for this user fails:
Note that retrieving the current (global admin) user's mail rules works without an issue:
GET /https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messageRules
This tells me that there is probably a bug in MS Graph - or am I maybe missing something?
Thanks in advance
Ben
I have tried this, and I have get the same error. As my understand, we can not get the other's email rules. If you want to use this case, we can submit this issue on the github Issue
To read other users emaill inbox you need Application Type permission set rather than Delegated access.
Follow this link
https://learn.microsoft.com/en-us/graph/auth-v2-service
I am attempting to write a service to take an action when a calendar event occurs. ie Appoint due in 15 min warning. Multiple users will need to be able to register with the service. I think Subscriptions are the what I need, although what "ChageType" to use to get an alert, I have not gotten to yet. Right now I get "Exchange Online resources are not supported for MSA requests." when I try to use this code. I am working against an outlook.com account.
GraphServiceClient graphClient = SDKHelper.GetAuthenticatedClient();
var subscription = new Microsoft.Graph.Subscription();
subscription.ChangeType = "updated";
subscription.ExpirationDateTime = System.DateTime.UtcNow.AddDays(1);
subscription.ClientState = System.Guid.NewGuid().ToString();
subscription.NotificationUrl = "https://mywebhook.azurewebsites.net/api/send/myNotifyClient"; // must be valid and able to verify?
subscription.Resource = "me/events";
var newsub = await graphClient.Subscriptions
.Request().AddAsync(subscription);
Subscriptions to Outlook.com ARE supported by the nugget package: Microsoft.Office365.OutlookServices-V2.0
that wraps the Outlook365 API.
https://msdn.microsoft.com/en-us/office/office365/api/notify-rest-operations
I got it working -- sort of using:
https://github.com/jasonjoh/dotnet-tutorial
combined with:
aspnet-webhooks-rest-sample
So far I can create a subscription using an MVC App and capture User Info + Client State; at the webhook I can capture client state and subscription id along with a Change Type and Resource ID:
https://outlook.office.com/api/v2.0/Users('0003bffd-a898-60b1-0000-000000000000#84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa')/Messages('AQMkADAwATNiZmYAZC1hODk4LTYwYjEtMDACLTAwCgBGAAADhL94GyFZe0WMH6_2kacBNAcAVYqcEoTpoEy-bsETzU244wAAAgEKAAAAVYqcEoTpoEy-bsETzU244wAAAFP_o9AAAAA=')
Unfortunately, no information about the "item" is provided.
Update: using info from MVC 5 application - implement OAuth Authorization code flow I am able to get "Authorization Code Flow" working - still need to figure out how to Authenticate OWIN (so the MVC app has a Logon Identity) using an access_token.
It is currently not supported to use MS accounts for subscriptions on several resources. Instead the mailbox must use a "work or school" account.
See https://stackoverflow.com/a/41026203/270142 for further details.