I followed this document https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=http
I can successfully request the list API after adding the permission "Directory.Read.All" to the application, while the create API returns an error:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2021-11-15T08:54:50",
"request-id": "46986851-590c-4687-b909-918e9d233f07",
"client-request-id": "46986851-590c-4687-b909-918e9d233f07"
}
}
}
Is there any other permission required, or are some additional operations needed?
This is expected, as the create request requires Directory.ReadWrite.All. Your app seems to have only Directory.Read.All, which is not enough for writing objects.
Try adding Directory.ReadWrite.All to your app and try again. Make sure it is granted by an admin in the Azure AD portal.
Related
I have set up a work account on Azure and added the permissions "User.ReadBasic.All", "MailboxSettings.Read" and "Calendars.ReadBasic.All" with the application type.
I can use the client credentials flow to get the access token successfully:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
The token can be parsed by https://jwt.ms with the proper roles:
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All"
]
I can query user information successfully using the token:
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when querying the calendar or mailboxSettings:
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return the error below:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
}
}
Are "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above queries, or are more permissions needed, like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite?
Also, for the calendar permissions, which one is the higher permission? Is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try by providing the User.Read.All permission instead of User.ReadBasic.All?
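The question above reads the "roles" claim off jwt.ms to see which application permissions the client-credentials token carries. The following is an added example, not code from the original thread, that does the same inspection locally: it decodes the JWT payload without verifying the signature (a diagnostic only, never an authorization check), classifies the token as app-only (permissions in "roles") or delegated (permissions in the space-separated "scp" claim), and reports which of a caller-supplied set of acceptable permissions are present or missing. The sample token is constructed in the block with a placeholder signature; the required-permission sets passed to check_token are the caller's assumption taken from the Graph reference for the endpoint being called.

```python
import base64
import json

# Microsoft Graph app-only tokens list application permissions in "roles";
# delegated tokens list delegated permissions as a space-separated "scp" string.
# Signature verification is deliberately skipped: this mirrors what jwt.ms
# displays and must not be used to make an authorization decision.


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data):
    """Encode bytes as unpadded base64url (JWT segment encoding)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Classify the token and return (kind, set of permission names)."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))


def check_token(token, required_any):
    """Report whether the token carries at least one permission from required_any.

    required_any is the set of permissions the endpoint's documentation lists as
    acceptable alternatives (any one of them is enough).
    """
    claims = decode_jwt_claims(token)
    kind, have = granted_permissions(claims)
    matched = have & set(required_any)
    return {
        "kind": kind,
        "audience": claims.get("aud"),
        "granted": sorted(have),
        "satisfied": bool(matched),
        "missing": sorted(set(required_any) - have),
    }


def make_unsigned_token(claims):
    """Build a constructed token for offline testing; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


# Constructed sample: an app-only token carrying the three roles from the question.
SAMPLE_APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All"],
})

if __name__ == "__main__":
    # Assumed requirement set for illustration; take the real one from the endpoint docs.
    report = check_token(SAMPLE_APP_TOKEN, {"Calendars.Read", "Calendars.ReadWrite"})
    print(json.dumps(report, indent=2))
```

Run it against a real token by pasting the bearer string in place of SAMPLE_APP_TOKEN; a "delegated" result where you expected "application" (or vice versa) usually explains a 401/403 faster than reading the error body, which, as the thread shows, is often empty.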
The GetChat API (https://graph.microsoft.com/v1.0/chats/{chatid}) from Microsoft Graph returns error 403 (Forbidden) for some chats when using application permissions. The application being used has Chat.Read.All permissions with admin consent granted. Also, the same application returns success for other chats.
Following are the errors for a couple of requests to get a chat that were tried using Postman:
1:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:16:26",
"request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41",
"client-request-id": "79c2ca6f-5b85-44ed-a3da-ef3607630a41"
}
}
}
2:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2021-10-18T13:18:37",
"request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4",
"client-request-id": "5cfd4f22-8c25-4ecf-aa88-0c0c3df560d4"
}
}
}
You could try a couple of things here:
Try the same API call in Graph Explorer and observe whether you still see this error. This will help identify whether there is an issue with the token you generated.
You may have changed your API permissions after giving your application admin consent. When you give admin consent, Azure AD takes a "snapshot" of the permissions at the time of consent. If you change the permissions later, you will need to redo the admin consent process.
Personal accounts are not supported. Refer to the permissions here.
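The answer above points at permissions that were added to the app registration after admin consent was granted, so they are requested but not actually consented. The following is an added example, not code from the original thread, that computes that gap offline from the objects Graph exposes: the app registration's requiredResourceAccess (what is requested; type "Role" is an application permission, "Scope" a delegated one), the resource service principal's appRoles and oauth2PermissionScopes (which map permission ids to names), the client service principal's appRoleAssignments (application permissions actually granted) and its oauth2PermissionGrants with consentType "AllPrincipals" (delegated permissions consented tenant-wide). In practice these would come from GET /applications/{id}, GET /servicePrincipals/{id}, GET /servicePrincipals/{id}/appRoleAssignments and GET /oauth2PermissionGrants; here all ids, the service-principal object id and the sample data are constructed placeholders, and only Microsoft Graph's well-known appId is real.

```python
# Field names follow the Graph resources application.requiredResourceAccess,
# servicePrincipal.appRoles / oauth2PermissionScopes, appRoleAssignment and
# oauth2PermissionGrant. All GUID-like ids below are constructed placeholders.

GRAPH_SP_OBJECT_ID = "sp-graph-0001"  # constructed objectId of the Graph service principal

# Constructed: the resource service principal for Microsoft Graph (appId is the real one).
RESOURCE_SP = {
    "id": GRAPH_SP_OBJECT_ID,
    "appId": "00000003-0000-0000-c000-000000000000",
    "appRoles": [
        {"id": "role-0001", "value": "Directory.Read.All"},
        {"id": "role-0002", "value": "Directory.ReadWrite.All"},
        {"id": "role-0003", "value": "Chat.Read.All"},
    ],
    "oauth2PermissionScopes": [
        {"id": "scope-0001", "value": "User.Read"},
        {"id": "scope-0002", "value": "ChannelMessage.Read.All"},
    ],
}

# Constructed: what the app registration requests (Directory.ReadWrite.All and
# ChannelMessage.Read.All were added after consent was granted).
REQUIRED_RESOURCE_ACCESS = [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {"id": "role-0001", "type": "Role"},
            {"id": "role-0002", "type": "Role"},
            {"id": "role-0003", "type": "Role"},
            {"id": "scope-0001", "type": "Scope"},
            {"id": "scope-0002", "type": "Scope"},
        ],
    }
]

# Constructed: what admin consent actually recorded on the client service principal.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "role-0001", "resourceId": GRAPH_SP_OBJECT_ID, "principalId": "sp-client-0001"},
    {"appRoleId": "role-0003", "resourceId": GRAPH_SP_OBJECT_ID, "principalId": "sp-client-0001"},
]
OAUTH2_GRANTS = [
    {"clientId": "sp-client-0001", "consentType": "AllPrincipals",
     "resourceId": GRAPH_SP_OBJECT_ID, "scope": "User.Read"},
]


def _names_by_id(items):
    """Map permission id -> permission name for appRoles or oauth2PermissionScopes."""
    return {item["id"]: item["value"] for item in items}


def consent_gaps(required_resource_access, resource_sp, app_role_assignments, oauth2_grants):
    """Return requested-but-not-granted permissions for one resource (e.g. Graph)."""
    roles = _names_by_id(resource_sp["appRoles"])
    scopes = _names_by_id(resource_sp["oauth2PermissionScopes"])

    requested_roles, requested_scopes = set(), set()
    for entry in required_resource_access:
        if entry["resourceAppId"] != resource_sp["appId"]:
            continue  # permissions on other resources are out of scope here
        for access in entry["resourceAccess"]:
            if access["type"] == "Role":
                requested_roles.add(roles.get(access["id"], access["id"]))
            elif access["type"] == "Scope":
                requested_scopes.add(scopes.get(access["id"], access["id"]))

    # Application permissions are granted as appRoleAssignments on the client SP.
    granted_roles = {
        roles.get(a["appRoleId"], a["appRoleId"])
        for a in app_role_assignments
        if a["resourceId"] == resource_sp["id"]
    }
    # Delegated admin consent is an oauth2PermissionGrant with consentType AllPrincipals;
    # "Principal" grants are per-user consent and do not count as tenant-wide.
    granted_scopes = set()
    for g in oauth2_grants:
        if g["resourceId"] == resource_sp["id"] and g["consentType"] == "AllPrincipals":
            granted_scopes.update(g["scope"].split())

    return {
        "application_missing": sorted(requested_roles - granted_roles),
        "delegated_missing": sorted(requested_scopes - granted_scopes),
        "application_granted": sorted(granted_roles),
        "delegated_granted": sorted(granted_scopes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(consent_gaps(REQUIRED_RESOURCE_ACCESS, RESOURCE_SP,
                                  APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS), indent=2))
```

Anything listed under application_missing or delegated_missing is exactly the "snapshot" drift the answer describes: the portal shows the permission as requested, but no assignment or grant exists, so tokens will not carry it until consent is granted again.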
I am able to read channel messages as long as I am a member of a particular channel, but I am unable to read channel messages in which I am not a member, even though I am a global administrator with the following delegated permissions. Can anybody help?
ChannelMessage.Read.All, Group.Read.All, Group.ReadWrite.All
When I try to execute it, I get the following response:
{
"error": {
"code": "Forbidden",
"message": "Forbidden",
"innerError": {
"date": "2020-09-10T04:37:36",
"request-id": "727d898d-ee3e-484d-b2b6-46582834ca9c",
"client-request-id": "727d898d-ee3e-484d-b2b6-46582834ca9c"
}
}
}
You'll need to use Application rather than Delegated permissions for this. When you're using Delegated permissions, you can only access Channels you are a member of (i.e. the same Channels you see in the Teams app).
Note that these are Protected APIs, so you'll need to request access before you can use them (above and beyond the normal Admin Consent flow).
According to the MS docs, it should be sufficient to have the "GroupMember.ReadWrite.All" application-level permission to add members to a security group.
I get an authorization error (see below). It works as expected if I grant the "Group.ReadWrite.All" permission.
Did I miss something obvious here?
Language is PowerShell, connected to the Graph API v1.0 with the "client_credentials" grant type.
Error message:
Invoke-RestMethod : {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "71b06588-f9a2-48ef-ac3f-5223899cad68",
"date": "2020-01-03T09:30:31"
}
}
}
The add member endpoint documentation states that for the Application permission type, one of the following permissions is required:
GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
But it appears it also varies based on group type:
for an Office 365 group, one of the following permissions is sufficient: GroupMember.ReadWrite.All or Group.ReadWrite.All,
while for a security group, along with the GroupMember.ReadWrite.All permission, Directory.ReadWrite.All needs to be specified as well.
So the solution would be to specify the permission Directory.ReadWrite.All along with GroupMember.ReadWrite.All.
At the moment I'm working with personal contacts, but I want to experiment with organizational contacts. When I try to make a request to https://graph.microsoft.com/beta/contacts I get this response:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "882e70df-d89c-4d9a-a028-cd3ad2e497cb",
"date": "2016-04-13T09:14:21"
}
}
}
I suspect that I'm missing a permission scope, but the documentation isn't showing any required scopes (I created an issue for that: https://github.com/OfficeDev/microsoft-graph-docs/issues/24). Does anyone else have experience with organizational contacts?
The scope that's needed at present is Directory.Read.All. We are still working out what scope will be required when we move from beta to v1.0.