How to fetch lists of groups and send message to group using API from Microsoft personal account.Can you please provide me some suggestions or doc for above query.
Groups don't exist in Microsoft Personal Accounts context because there is just on personal account. That is why every endpoint in Groups Resource says not supported for Delegated (personal Microsoft account).
If you are trying to send an email to a group from a personal Microsoft account or a work account, you can do that using Send Mail with the groups alias in you toRecipients or ccRecipients in which case the groups till exists in a tenant that you cant access unless you are a guest user there with your personal account.
Related
I have an App. registered as multi-tenant in azure, configured to allow access to users from other tenants including personal accounts etc..
But it fails when I tried to send using an external personal account. However it is working fine on the tenant members.
My question is, is it required for an external user to have an Exchange License to send email using the Graph API via my app?
If I'm sending using the application scope sendMail, does the user I used to send the email from needs to have a valid exhange license?
Thanks!
I need some experienced opinions or links to a helpful articles about my issue.
Yes, the user you are using to send the email using application permission must have a valid Exchange license.
Also, user has to be part of your tenant while using the application permission otherwise it will just throw 404 not found
Yes, user should be licensed. And to be accessed with personal accounts your application should be registered with audience as "Accounts in any organizational directory and personal Microsoft accounts" https://learn.microsoft.com/en-us/graph/auth-register-app-v2
I try to retrieve a list of all contacts that are added to our microsoft 365 admin, I login in the graph explorer with the account that has access to the admin center and grant permission to read contacts but still get this error:
The mailbox is either inactive, soft-deleted, or is hosted on-premise
Why is that?
Looks like you don't have valid M365 license assigned. You are getting this error because no Exchange Online mailbox is available to use for the azure ad user who do not have a valid M365 license. Please note that Exchange Online mailbox and outlook calendars will only be available/created for the users with a valid M365 license.
you can check the link, if you have valid subscription - https://outlook.office.com/mail
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
My current application supports Microsoft and Google oAuth verification sign in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with google, but AAD will only allow users with emails that end in the App ID URI domain to sign in
eg: App Id URI = someOrg.com/guid and their sign in = someUser#someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Checkout https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app reg. You'll need to hit this special endpoint (can be done using the MSAL libraries) and setting your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing a "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
I'm trying to create Planner Plan using Microsoft Graph API. As documented it requires groupId. I also create Group, but when i create a Planner plan using Graph Explore it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, It required Group.ReadWrite.All permission on Delegated (work or school account). I granted these in the Azure Portal but still get same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization so I guest it is Work account.
What do I have wrong here, do I need another API to assign plan to group before create?
EDIT1:
Here is the request body when i'm create a Planner Group, I'm also tried to toggle "securityEnabled" to true but it still fail when create a plan
And Here is the Request body when I create Planner Plan
EDIT2:
I also tried to update Planner plan by this API and it still failed. It seems Group.ReadWrite.All permissions does not apply to my account
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register you app (aka the v1 Endpoint) then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about he Consent Framework in Integrating applications with Azure Active Directory.