So I've been trying to get email addresses of people that have access to certain files in a Sharepoint document library of a site through the use of the Microsoft Graph API. Below is an example of how my permission object looks like, which is retrieved from https://graph.microsoft.com/v1.0/sites/<site id>/drives/<drive id>/items/<item id>/permissions.
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('...')/drives('...')/items('...')/permissions",
"value": [
{
"id": "...",
"roles": ["owner"],
"grantedTo": { "user": { "displayName": "testsite - Eigenaars" } },
"inheritedFrom": {}
},
{
"id": "...",
"roles": ["read"],
"grantedTo": { "user": {"displayName": "testsite - Bezoekers"} },
"inheritedFrom": {}
},
{
"id": "...",
"roles": ["write"],
"grantedTo": { "user": { "displayName": "testsite - Leden" } },
"inheritedFrom": {}
},
{
"id": "...",
"roles": [
"write"
],
"grantedToV2": {
"siteGroup": {
"displayName": "Developers",
"id": "120",
"loginName": "Developers"
}
},
"grantedTo": {
"user": {
"displayName": "Developers"
}
},
"inheritedFrom": {}
},
{
"id": "...",
"roles": ["owner"],
"grantedTo": {
"user": {
"email": "testsite#mysharepoint",
"id": "uuid",
"displayName": "testsite - Eigenaars"
}
},
"inheritedFrom": {}
}
]
}
I assume the testsite in the displayName property is a group name (probably the group that belongs to the site the file resides in), but I have seen cases where I can't find this group name in the groups retrieved from the /groups endpoint in the Graph API.
You can also see the group Developers, which I haven't managed to find in the full group list retrieved from /groups.
The documentation around this is quite vague and unclear to me. Somewhere I read that this lack of data could be due to authentication scopes, but I have "god mode" administrator rights in this Sharepoint environment, so that would seem strange to me.
My main goal is to be able to get all users that have access to a specific file.
Thanks in advance!
1. I assume the testsite in the displayName property is a group name, but I have seen cases where I can't find this group name in the groups retrieved from the /groups endpoint in the Graph API.
This is because as per Drive Item Permission >> Identity Set >> Identity resource type Quoting
The identity's display name. Note that this may not always be available or up to date. For example, if a user changes their display name, the API may show the new value in a future response, but the items associated with the user won't show up as having changed when using
This can explain why sometimes you don't see the group name in your groups.
I suggest you use the id.
2. My main goal is to be able to get all users that have access to a specific file.
Do you have any users that appear on the Has Access section of the drive item on sharepoint? For users you should be able to get permissions and use the ids to Get directoryObject using the id values from grantedToIdentitiesV2 or grantedToV2 which will return odate type.
GET https://graph.microsoft.com/v1.0/directoryObjects/{id}?$select=id
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)/$entity",
"#odata.type": "#microsoft.graph.group or user or application",
"id": "id"
}
For groups, the users would be the members of the group.
Related
We are getting the permissions of a driveItem using Microsoft Graph as documented here.
Each returned permission object usually contains a grantedTo field that has an IdentitySet as its value. But the issue with that is that each Identity is always a user:
"grantedTo": {
"user": {
"displayName": "data Owners",
"email": "data#example.onmicrosoft.com",
"id": "94c3e81b-f6fb-43c6-8df5-b98462ccf191"
}
}
"grantedTo": {
"user": {
"displayName": "Data Members"
}
}
This occurs even though those are Groups. So there's no way, using this data, to identify with certainty what is a Group and what is a User.
We want to avoid any additional request to do so as this can become quite inefficient.
Thus we are asking is there a way to identify if it is a group or user, without any additional API requests? For example some undocumented query parameters or relationships?
I'm afraid this isn't possible because the IdentitySet itself doesn't distinguish between Users and Groups:
{
"application": {"#odata.type": "microsoft.graph.identity"},
"device": {"#odata.type": "microsoft.graph.identity"},
"user": {"#odata.type": "microsoft.graph.identity"}
}
I am developing Azure DevOps extension which contain service endpoint to hold secret ID/KEY. My requirement is to have endpoint just consist of Connection name, ID ,and Key in it.I have gone trough list of provided endpoints in Microsoft but I couldn't find suitable option to satisfy my requirement.
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=vsts#sep-ssh
closest solution I found is as below . But it contains input box for server URL(Which I need to omit (in this example though I don't define server URL it displays in popup dialog)). Please refer below image.
Is it possible to remove Server URL from above dialog box Or it there better endpoint type I can use for this requirement? please be kind enough to share some light with me.
You'll need to create a custom service type, that will allow you to show/hide the individual text boxes. You can find an example in the Azure DevOps Extension Tasks which I maintain.
You define custom service endpoint types in the vss-extension.json along with your other extension points:
{
"id": "vsts-marketplace-endpoint-type",
"type": "ms.vss-endpoint.service-endpoint-type",
"targets": [
"ms.vss-endpoint.endpoint-types"
],
"properties": {
"name": "VstsMarketplacePublishing",
"displayName": "Visual Studio Marketplace",
"url": {
"displayName": "Marketplace URL",
"value": "https://marketplace.visualstudio.com",
"isVisible": "false"
},
"helpMarkDown": "Required permissions: <ul><li><b>Publish</b>: All accessible organisations, Marketplace (Publish)</li><li><b>Share</b>: All accessible organisations, Marketplace Publish</li><li><b>Install</b>: All accessible organisations or a specific organisation, Extensions (read and manage), Marketplace (acquire)</li><li><b>Query Version</b>: All accessible organisations, Marketplace (read)</li><li><b>Is Valid Extension</b>: All accessible organisations, Marketplace (read)</li></ul><br/><a href='https://www.visualstudio.com/docs/setup-admin/team-services/use-personal-access-tokens-to-authenticate'>More information</a>.",
"authenticationSchemes": [
{
"type": "ms.vss-endpoint.endpoint-auth-scheme-basic",
"inputDescriptors": [
{
"id": "username",
"name": "Username",
"description": "Username",
"inputMode": "textbox",
"isConfidential": false,
"validation": {
"isRequired": false,
"dataType": "string",
"maxLength": 300
},
"values": {
"inputId": "username",
"isDisabled": true,
"defaultValue": ""
}
},
{
"id": "password",
"name": "Personal access token",
"description": "Azure DevOps personal access token.",
"inputMode": "passwordbox",
"isConfidential": true,
"validation": {
"isRequired": true,
"dataType": "string",
"maxLength": 300
}
}
]
}
]
}
},
You may find other extensions that set or configure the authentication dialog on GitHub, there are quite a few. Useful docs are here in an old blog post.
I'm observing a change in functionality in Microsoft Graph. When requesting a list of drives from a SharePoint site, I used to see a driveItem attribute that no longer seems to be present as of Nov 14.
The site documentation mentions the relationship to the drives collection.
The drive documentation describes the driveType attribute as:
Describes the type of drive represented by this resource. OneDrive personal drives will return personal. OneDrive for Business will return business. SharePoint document libraries will return documentLibrary. Read-only.
Here is an example call:
https://graph.microsoft.com/v1.0/sites/{site-id}/drives
Response:
client-request-id →d822c749-baf6-4857-abd9-6d80f70823d9
request-id →d822c749-baf6-4857-abd9-6d80f70823d9
x-ms-ags-diagnostic →{"ServerInfo":{"DataCenter":"EastUS","Slice":"SliceB","Ring":"NA","ScaleUnit":"003","Host":"AGSFE_IN_28","ADSiteName":"EST"}}
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives",
"value": [
{
"createdBy": {
"user": {
"displayName": "System Account"
}
},
"createdDateTime": "2015-05-22T17:21:01Z",
"description": "This system library was created by the PointPublishing feature to store application pages.",
"id": "b!a4YqXM4QKkOPmOj73xfdss5bbYPr7MlFlXKVhtK0Dpjf4OJPyoBFQo2-YK5095t1",
"lastModifiedDateTime": "2015-05-22T17:21:03Z",
"name": "AppPages",
"webUrl": "https://mysharepoint.sharepoint.com/portals/hub/AppPages",
"quota": {
"deleted": 0,
"remaining": 0,
"total": 0,
"used": 0
}
}
<snipped a few values>
]
}
Is the change in functionality I am seeing here by design or non-intended?
Edit: When attempting the call:
https://graph.microsoft.com/v1.0/sites/root/drives?$select=id,driveType,Name
The driveType is returned
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives(id,driveType,name)",
"value": [
{
"id": "fakeId",
"name": "Documents",
"driveType": "documentLibrary"
}
]
}
When requesting drives for a site based on the site-id (/sites/{site-id}/drives) we see different attributes returned.
Just closing the loop on this. As Brad mentioned, an issue has been identified. A fix is currently in the pipeline and should be rolling out soon.
In my application, the user signs in using their Office365 credentials and then
I want to import the data of the users (id, mail, displayName) in the same
organization into my database.
When another person from the same organization logs in into my app, that other
person should see the same list of users as the first one.
I tried several queries in the Graph Explorer, but none
of them has a response, which would allow to determine that two people belong
to the same organization.
"My profile" (/v1.0/me/) response contains a lot
of data, but no tenant ID (or something similar):
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "16f5a7b6-5a15-4568-aa5a-31bb117e9967",
"businessPhones": [],
"displayName": "Anne Weiler",
"givenName": "Anne",
"jobTitle": "Manufacturing Lead",
"mail": "annew#CIE493742.onmicrosoft.com",
"mobilePhone": "+1 3528700812",
"officeLocation": null,
"preferredLanguage": "en-US",
"surname": "Weiler",
"userPrincipalName": "annew#CIE493742.onmicrosoft.com"
}
Same applies to the "all users in the organization" (/v1.0/users) response.
How can I extract the information from Microsoft Graph that would allow me to
detect that two different users work in the same organization?
You could use the id returned by the /organiozation endpoint:
https://graph.microsoft.com/v1.0/organization?$select=id,displayName
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization(id,displayName)",
"value": [
{
"id": "c07ab59f-ce09-49f8-b4c4-9c6dd4f0d8bb",
"displayName": "Microsoft API Sandbox"
}
]
}
I'm trying to access Microsoft Planner data through Graphs API from SharePoint(Online) and getting success response message also.
But the problem is "DisplayName" field is null for all user sections in JSON data (such as createdBy, assignedBy,completedBy etc)
Example :
"assignments": {
"309249ab-fe3e-4ed7-8d64-3c6187527437": {
"#odata.type": "#microsoft.graph.plannerAssignment",
"assignedBy": {
"user": {
"displayName": null,
"id": "s33dfsdf-fe3e-4ed7-8d64-3c6187527437"
}
},
"createdBy": {
"user": {
"displayName": null,
"id": "fsdfsf-fe3e-4ed7-8d64-3c6187527437"
}
"completedBy": {
"user": {
"displayName": null,
"id": "fsdlhfdals-fe3e-4ed7-8d64-3c6187527437"
}
}
How to get the display names from Planner API?
Planner data does not include display names. Display names need to be obtained separately. Group membership information for the containing group (groups/<id>/members) will contain display name (and more) information for user ids returned in plan and task information, for all users who are still members of the group. The id of the group that contains the plan is specified by the owner field of the plan. Remaining users' information can be obtained by reading those users directly (users/<id>).