Microsoft Graph Api - updating PasswordProfile not working when null - microsoft-graph-api

I have a b2c environment setup and linked to an application which allows users to sign up.
One of the processes I want to run on a schedule is to update the PasswordProfile of users so that in certain situations I can force users to change their password on their next sign in attempt.
As documented (https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=csharp#permissions), I have added and consented to the Directory.AccessAsUser.All (Delegated) permission for the application accessing Microsoft Graph.
Request:
https://graph.microsoft.com/v1.0/users/{userId}
{
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true
  }
}
When I run this either in C# code or through Postman, it returns the following error message:
"error": {
  "code": "Authorization_RequestDenied",
  "message": "Insufficient privileges to complete the operation.",
  ...
However, I have been able to run the same request through https://developer.microsoft.com/en-us/graph/graph-explorer, where I was able to update the PasswordProfile of a user.
The strange thing is, if I then return to the C# code or Postman and run the same operation against the SAME user that I updated in Graph Explorer, it now works.
Therefore it appears that I have the correct permissions set, but I can only update PasswordProfile if it is not already null. However, when the user is created by signing up through the B2C screens, the PasswordProfile is null at that point.
Has anyone come across this before? Or able to reproduce this?

I needed to add the application as a 'Global Administrator' as detailed in the accepted answer here:
https://learn.microsoft.com/en-us/answers/questions/9024/error-while-updating-the-password-profile.html

Related

Microsoft graph /me/mailFolders not working while permissions are given

I have an Office 365 account and I want to access my emails.
I followed the Microsoft Graph documentation:
https://learn.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
I have selected the permissions asked for, as you can see below:
[Permissions image]
I have requested the token, and the following request does not work:
GET https://graph.microsoft.com/v1.0/me/mailFolders
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again."
  }
}
But when I use the next one, it works:
GET https://graph.microsoft.com/v1.0/users('xxx.yyy#zzz.onmicrosoft.com')/mailFolders('Inbox')/messages
I need to use the first endpoint, which everybody on the internet is using; I can't understand why it doesn't work for me.
In Graph, the /me/ endpoint is an alias for the currently signed-in user (based on the token). An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/{user id}).
Calling the endpoint /me/mailFolders means listing the mailFolders of the currently signed-in user. So you need to add delegated permissions and use a flow other than the client credentials flow to get the access token.
If you still would like to use application permissions, you need to call this endpoint: /users/{id | userPrincipalName}/mailFolders.
About the error ("Resource does not exist or one of its queried reference-property objects are not present."), see the code sample of this issue.
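The answer above hinges on what the access token actually carries: a delegated token has a space-separated `scp` claim and (for the signed-in user) a `wids` list of directory role template ids, while an app-only token from the client credentials flow has a `roles` list and no `scp`, so `/me` cannot resolve. The same inspection explains the first thread's Authorization_RequestDenied on passwordProfile, where the accepted answer required the Global Administrator role rather than a further scope. The following is an added example, not code from either post or from Microsoft: it decodes a token's claims locally (no signature check, diagnostics only) and reports why a planned Graph call would be refused. The claim names `scp`, `roles` and `wids` are real Azure AD token claims and the Global Administrator template id is the public constant; the sample tokens are constructed and unsigned, and `decode_claims`, `token_kind`, `diagnose` and the `needs_global_admin` switch are names I chose for this illustration.

```python
import base64
import json

# Public, well-known Azure AD directory role template id for Global
# Administrator. A delegated token lists the signed-in user's directory role
# template ids in the `wids` claim.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the example runs offline.
    Real Graph tokens are signed; this only reproduces the claim layout."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Diagnostics only: Graph validates the signature server-side, so a client
    must never base an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Delegated (user-present) tokens carry a space-separated `scp` claim;
    app-only (client credentials) tokens carry a `roles` list instead."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    kind = token_kind(claims)
    if kind == "delegated":
        return set(claims["scp"].split())
    if kind == "application":
        return set(claims["roles"])
    return set()


def diagnose(claims: dict, path: str, accepted: list, needs_global_admin: bool = False) -> list:
    """List the reasons a Graph call is likely to be refused, before sending it.
    `accepted` holds the permission names that satisfy the call (any one is enough).
    `needs_global_admin` models calls that a consented scope alone does not unlock,
    such as the passwordProfile update in the first thread (delegated tokens only;
    the role check for app-only callers is not modelled here)."""
    findings = []
    kind = token_kind(claims)
    granted = granted_permissions(claims)
    if path.startswith("/me") and kind != "delegated":
        findings.append("/me only resolves with a delegated token; "
                        "use /users/{id|userPrincipalName} for app-only calls")
    if not granted.intersection(accepted):
        findings.append(f"token grants none of {sorted(accepted)}; granted: {sorted(granted)}")
    if needs_global_admin and kind == "delegated" \
            and GLOBAL_ADMIN_TEMPLATE_ID not in claims.get("wids", []):
        findings.append("signed-in user is not a Global Administrator (no matching wids entry)")
    return findings


# Constructed sample tokens (not real tokens; tenant and user names are made up).
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "upn": "alice@contoso.example",
    "scp": "User.Read Mail.Read",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Mail.Read", "User.ReadWrite.All"],
})
ADMIN_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "upn": "admin@contoso.example",
    "scp": "User.ReadWrite.All Directory.AccessAsUser.All",
    "wids": [GLOBAL_ADMIN_TEMPLATE_ID],
})

if __name__ == "__main__":
    for name, tok, path in [("delegated", DELEGATED_TOKEN, "/me/mailFolders"),
                            ("app-only", APP_ONLY_TOKEN, "/me/mailFolders"),
                            ("app-only", APP_ONLY_TOKEN, "/users/{id}/mailFolders")]:
        print(name, path, diagnose(decode_claims(tok), path, ["Mail.Read", "Mail.ReadWrite"]))
```

Running the block prints no findings for the delegated /me call, one finding (switch to /users/{id}) for the app-only /me call, and none once the app-only token is pointed at /users/{id}/mailFolders. For the passwordProfile case, pass `needs_global_admin=True`: a delegated token that carries User.ReadWrite.All but no Global Administrator entry in `wids` is flagged, matching the behaviour the first thread describes.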

MS Graph AllowToAddGuests is available for owner of a Group?

We have created a WP that we have published to Teams that would give owners the possibility to modify the external sharing setting ("AllowToAddGuests") from a tab in their Teams.
We are experiencing a problem when we try to set AllowToAddGuests using an owner account.
The Teams app has:
{
  "resource": "Microsoft Graph",
  "scope": "Directory.ReadWrite.All"
}
As per the MS Graph docs
https://learn.microsoft.com/en-us/graph/api/directorysetting-update?view=graph-rest-beta&tabs=http
it should work fine with delegated permissions.
If I execute the graph call in the graph explorer using the owner user it gives the same access error.
All permissions are granted at admin level.
If a global admin is used, then all works fine.
The error I am receiving is the following:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2020-07-02T15:18:56",
      "request-id": "84fe9be9-a4b0-4023-93e6-68dd780ce2ea"
    }
  }
}
Does the owner have the possibility to change the AllowToAddGuests flag, or should I do this via an app registration?
Thanks for the answers.
Alex
I am posting this here so that if anybody looks for the same information, they have it here.
At the time of this writing, the answer we got from Microsoft is that for this call to work, the user performing the call (in our case one of the owners) needs to also be a Group Administrator. For our use case this was not doable, as any user in the company can potentially be an owner of an MS Teams team.
The solution we have chosen is to use application permission with Directory.ReadWrite.All to perform the call. This works as expected now.
Microsoft has also promised they will update the documentation in order to include the current information.

Consented permissions not working when using Microsoft Graph Explorer to access reports

I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
  "error": {
    "code": "S2SUnauthorized",
    "message": "Invalid permission.",
    "innerError": {
      "request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
      "date": "2020-04-02T01:01:08"
    }
  }
}
According to the documentation this requires the permission 'Reports.Read.All'.
When looking at the permissions I have in the explorer, it says that the Reports.Read.All permission is 'consented'.
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure to try to repro the above using MS Graph Explorer with your tenant!
If you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role.
Let me know if you can still repro the issue.

Planner tasks endpoint always returns a 403?

I'm attempting to get tasks assigned to a specific user from the Graph API, so based on the sample query in the Graph Explorer I'm using this endpoint:
https://graph.microsoft.com/v1.0/users/<user-email>/planner/tasks
This works fine for whatever user I'm signed in as, but attempting to get tasks for a user I'm not signed in as will always return a 403 saying I don't have the required permissions. Group.ReadWrite.All is granted by admin, and according to the Graph docs that should be fine, but no luck.
I've also just created a new demo tenant and one by one granted permissions in the Graph Explorer as admin, and still no luck! So I'm doubting the issue really is permissions. And for the record, I've tried the v1.0 and beta endpoints, and I've attempted this in an SPFx Web Part, and it doesn't work in practice either.
Not sure that it will help, but this is what is being returned each time:
{
  "error": {
    "code": "",
    "message": "You do not have the required permissions to access this item.",
    "innerError": {
      "request-id": "b02e3529-a4ae-4825-b4e6-7fc9b1fa228e",
      "date": "2019-03-27T12:28:41"
    }
  }
}
Has anyone else run into this issue, or does anyone know of a workaround?
Reading tasks for other people is not allowed. We are investigating app-only request support, which should enable this scenario.

Graph API update user.preferredLanguage not working because of insufficient privileges

I'm trying to update the preferred language of a user using the /me endpoint or the /users/{currentUserID} endpoint but this always throws:
403 "Insufficient privileges to complete the operation."
I have checked the permissions according to the documentation page and added the permissions for User.ReadWrite, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All. This does not seem to have any effect. Is the documentation incorrect or are there still permissions missing?
The request works fine if I execute it with an azure ad administrator user.
EDIT: 2019-04-18
I did some more testing:
I have created a new demo tenant using https://demos.microsoft.com
I logged in graph explorer with the tenant admin account and gave admin consent for User.ReadWrite (and other default permissions asked by graph explorer).
I logged in with the Demo User.
I set the preferredLanguage to "en-US" using PATCH on https://graph.microsoft.com/v1.0/me/. This was successful.
I tried to change the language again to "de-DE". This did not work:
"message": "Insufficient privileges to complete the operation.",
"innerError": {
  "request-id": "d1d30483-a3da-4775-af5b-4a3dd9823f11",
  "date": "2019-04-18T07:40:27"
}
Therefore it seems to work when setting the language for the first time. But updating it afterwards is impossible.
Neither a documentation issue nor a missing Graph permission. You need to check the permissions in your Azure AD, not just in the Graph Explorer. My test was based on two accounts (one MS account and one trial account, test#xx.onmicrosoft). The trial one works well while the MS account cannot.
Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Based on the test and the documentation, not all users can change all profile data; some data has limitations set by organization policy which cannot be overridden by the Graph scope settings.
For the working case, Directory.AccessAsUser.All is not essential.
Just to close this issue:
I did some testing with Microsoft Support. For some reason updating preferredLanguage is only possible when the app has Directory.AccessAsUser.All.
Quite a heavy permission for just updating the user language...
