So I would like to prevent the usage of delegated user authentication flow but still want to use the findMeetingTimes endpoint. But it doesn't seem available for client credential flow, right?
I simply tried to post on this endpoint:
https://graph.microsoft.com/v1.0/findMeetingTimes
But it seems like it doesn't exist. Wrror response message:
"message": "Resource not found for the segment 'findMeetingTimes'."
Is there any workaround for using it with the application flow?
According to the documentation findMeetingTimes is not supported for Application permission type
Resources:
findMeetingTimes
Related
Hi I am trying to access the microsoft graph endpoint https://graph.microsoft.com/v1.0/me/contacts but I receive a 404.
** ISSUES IT SHOULDN'T BE **
it should not be the problem with the exchange mailbox, since it works for the user in the explorer
it's not the code, since the token from the graph explorer works in the code
both tokens seems to have the same permissions
The image below is a picture of the decoded accesstoken, one is from the graph explorer and one is a token received from my own Oauth flow (auth code grant), they are trying to access the same users contacts.
Anyone know what I am doing wrong?
To access the https://graph.microsoft.com/v1.0/me/contacts, I think "Contacts.ReadWrite" permission is also required which is missing in the scopes of the above image. Can you please check the permissions here:https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0&tabs=http#permissions.
Hope this resolves the issue. If not please share Client request id and timestamp of the query.
My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the microsoft graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
This is the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2020-09-14T11:22:30",
"request-id": "{some_string}",
"client-request-id": "{some_string}"
}
}
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes you would need to send the AccessToken in the Authorization header, you should also include the x-anchormailbox header which helps route the request to correct mailbox eg
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token you can use https://jwt.io/ for that
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
I have a Logic App that is calling the Graph API to create lots of O365 Groups. For the creation, I am using Application permissions with a registered Azure app which works great.
However, I am now trying to hide O365 groups from the GAL.
I need to set these parameters:
{
"hideFromAddressLists": true,
"hideFromOutlookClients": true
}
I am having the same issue described here. But I can't figure out how to call the Graph API on behalf of a user, with Delegated permissions. I've tried setting up an Azure Managed Identity and setting it's permissions as per these instructions, but I am getting error:
"code": "ErrorGroupsAccessDenied"
"message": "User does not have permissions to execute this action.",
Can anyone help?
These are the App permissions I have set, but I am still getting "ErrorGroupsAccessDenied" "User does not have permissions to execute this action."
As your mentioned it requires to be called with delegated permission, so you can't get the access token just by MSI. According to the page you provided about MSI, it seems just use the service principal to verify the permissions. It still use application permission but not delegated permission. So please refer to the steps below to get the access token and then request the graph api.
1. Create an "HTTP" action to get the access token(we need to use username/password grant flow in this http request).
2. Use "Parse JSON" action to parse the response data from the HTTP action above.
3. Request the graph api to update the group(with the access token from "Parse JSON" action).
Please notice there is a space between "Bearer" and "access_token".
I am trying to use Microsoft Graph API in Power Automate where I make calls out to perform some actions. I have been successful with all Graph calls up to this one where I get a 503 serviceNotAvailable error.
The call I am trying is below
GET https://graph.microsoft.com/v1.0/groups/b40e54ac-5626-xxxx-xxxx-xxxxxxxxxxxx/drive/root:/filepath.docx
If I paste this directly into Graph Explorer on the Graph API site it works fine so I am happy that the call is syntactically correct.
I can't get the call to work through Power Automate. I also have tried this through Postman and am getting the same 503 error.
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "87725851-77fb-xxxx-xxxx-xxxxxxxxxxxx",
"date": "2020-03-01T16:55:43"
}
}
}
Permissions in my app registration are
Directory.AccessAsUser.All
Directory.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.ReadWrite.All
Files.Read.All
Files.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Group.Selected
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
TeamsActivity.Read.All
TeamsActivity.Send
TeamsApp.Read.All
TeamsApp.ReadWrite.All
TeamsTab.Create
TeamsTab.Read.All
TeamsTab.ReadWrite.All
User.Read
User.ReadWrite.All
Am pulling my hair out ... and there's barely anything left!
If you remove "Group.Create" permission completely and test, it should work.
Seems it doesn't like "Group.Create" with "Group.ReadWrite.All"
If it works in Graph Explorer, but doesn't in Postman. That typically means that your access token in Postman is not correct.
Have you looked at the Postman collection I put together? It puts on rails fetching the access token based on your application id and secret. https://learn.microsoft.com/en-us/graph/use-postman
With regards to PowerAutomate. How are you entering the application id and secret for the the flow to get the application access token? We do have a tutorial here from start to finish to show the approach we recommend here https://learn.microsoft.com/en-us/graph/tutorials/flow
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.