I am setting up Microsoft Graph auth and API calls for the first time in a new app.
I can successfully authenticate a user, return access and refresh tokens, then make the first call to get my profile info.
I can even make this call as the app and not as a 'user'.
Where I am running into issues is making calls to get my calendar by adding /calendars to the end of my profile call. When I do this I get this error:
{
  "error": {
    "code": "OrganizationFromTenantGuidNotFound",
    "message": "The tenant for tenant guid '1dd120fe-cbd9-492b-b36d-12e4aa856cf3' does not exist.",
    "innerError": {
      "oAuthEventOperationId": "ae00f89a-1d34-4299-af82-93d5c0409ada",
      "oAuthEventcV": "mJu0K0YLfbqLxFewMqMcug.1.1",
      "errorUrl": "https://aka.ms/autherrors#error-InvalidTenant",
      "requestId": "ae055090-cad5-4b0f-ad7b-9c0731c75bd4",
      "date": "2021-09-15T16:18:10"
    }
  }
}
As a note, I get the same error when making the call as either the user whose calendar I am requesting or as the application.
In the application I do have the permissions set like this:
And for reference, here is the URL I am calling that works:
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b
and the one that does not:
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b/calendars
Here is a video demonstrating the issue and the granted permissions:
https://vimeo.com/605796641
It could be because the Azure AD tenant you created does not have Office 365, thus it cannot have calendars. /users works because that is an Azure AD endpoint.
If you want to access calendars for your development O365 tenant, register the app in the O365 AAD tenant that you got when you created the development tenant.
Follow the steps below:
You need a Microsoft Office 365 account with a subscription; you can get one by applying for the Office 365 developer program.
Upon creating one, follow the instructions and add the apps to it.
Go to the Azure Portal and log in with your Office 365 account.
Create an app under AAD -> App registrations.
Try to access https://graph.microsoft.com/v1.0/users/{user_id}/calendars.
Related
We are trying to identify the SharePoint sites a user has access to using the Graph API. This works just fine for internal users. However, when we try this for an external user (already a guest in Azure AD), we get the error below:
{
  "error": {
    "code": "itemNotFound",
    "message": "Item not found",
    "innerError": {
      "date": "2022-06-20T16:28:01",
      "request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
      "client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
    }
  }
}
We have tried Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) and get the same error there as well.
If you are using the /common endpoint, a guest user has its own shadow tenant and won't be pointing to the AAD tenant it has been invited into, thus they cannot access resources like a normal member could; plus they have limited default permissions, and that does not include group/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority then the above is not relevant.
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer; it worked for me, and then you can code the same requests to talk to the Graph API. Here are the steps:
Get your tenant Id using this site: https://www.whatismytenantid.com/
Open MS Graph Explorer like this: https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guest account.
You should see the name of your guest signed in with your tenant; if not, sign out and sign in again.
Unfortunately, you won't be able to list the SharePoint sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest has only a family account? It worked fine with a user in the same org).
You need to know the siteId; then you can list the document libraries, folders, files, etc. using a request like this: https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I could get the siteId from MS Graph Explorer for a guest user, but it looks like it is not possible. BTW, doing the same on Google Workspace is a no-brainer using shared drives, not like Microsoft at all...
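The two answers above boil down to two mechanics: request the token against the inviting tenant's authority rather than /common, and address the site by path to obtain its siteId before listing drives. The following is an added example (not code from any post on this page) that does both with the standard library. It assumes Graph's documented "site by path" address (/sites/{hostname}:/{server-relative-path}) and /sites/{siteId}/drives; the `send` transport parameter, the `fake_send` responses, the site id, drive ids and hostnames are all constructed here so the example runs offline, and `http_send` is included only for running it against a real tenant with a real token.

```python
import json
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import unquote, urlsplit

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]


def authority_for(tenant_id: str) -> str:
    """Authority to request the token from. A guest's identity lives in the tenant
    that invited them, so that tenant id goes in the authority, never /common."""
    if tenant_id.lower() in ("", "common", "organizations", "consumers"):
        raise ValueError("use the inviting tenant's id, not a multi-tenant alias")
    return f"https://login.microsoftonline.com/{tenant_id}"


def site_by_path_url(site_url: str) -> str:
    """Map a browser URL such as
    https://host.sharepoint.com/sites/Name/Lib/Forms/AllItems.aspx
    to Graph's 'site by path' form /sites/{hostname}:/sites/Name.
    Assumption: the site collection is the first two path segments (no subsite)."""
    parts = urlsplit(site_url)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if parts.hostname is None or len(segments) < 2 or segments[0].lower() not in ("sites", "teams"):
        raise ValueError(f"not a site-collection URL: {site_url}")
    return f"{GRAPH_V1}/sites/{parts.hostname}:/{segments[0]}/{segments[1]}"


def list_site_drives(site_url: str, access_token: str, send: Transport) -> Tuple[str, List[Tuple[str, str]]]:
    """Resolve the siteId from the site URL, then list its drives (document libraries)."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    site = send(site_by_path_url(site_url), headers)
    if "error" in site:
        raise RuntimeError(f"{site['error'].get('code')}: {site['error'].get('message')}")
    site_id = site["id"]
    drives = send(f"{GRAPH_V1}/sites/{site_id}/drives", headers)
    if "error" in drives:
        raise RuntimeError(f"{drives['error'].get('code')}: {drives['error'].get('message')}")
    return site_id, [(d["id"], d["name"]) for d in drives.get("value", [])]


def http_send(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport (stdlib only). Graph returns its error body as JSON as well."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        return json.loads(exc.read())


# --- constructed fake transport so the example runs offline (not real data) ---
FAKE_SITE_ID = "companyb.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222"
FAKE_TENANT_HOSTS = {"companyb.sharepoint.com"}   # hosts owned by the fake token's tenant


def fake_send(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    if not headers.get("Authorization", "").startswith("Bearer "):
        return {"error": {"code": "InvalidAuthenticationToken", "message": "Access token is empty."}}
    path = url[len(GRAPH_V1):]
    if path.startswith("/sites/") and ":/" in path:
        host = path[len("/sites/"):].split(":/", 1)[0]
        if host not in FAKE_TENANT_HOSTS:
            # the hostname is not in the tenant the token was issued for
            return {"error": {"code": "invalidRequest", "message": "Invalid hostname for this tenancy"}}
        if path == "/sites/companyb.sharepoint.com:/sites/company_name":
            return {"id": FAKE_SITE_ID, "webUrl": "https://companyb.sharepoint.com/sites/company_name"}
    if path == f"/sites/{FAKE_SITE_ID}/drives":
        return {"value": [{"id": "b!fakeDriveId1", "name": "Documents"},
                          {"id": "b!fakeDriveId2", "name": "XXXX Files"}]}
    return {"error": {"code": "itemNotFound", "message": "Item not found"}}


if __name__ == "__main__":
    print(authority_for("1dd120fe-cbd9-492b-b36d-12e4aa856cf3"))
    site_id, drives = list_site_drives(
        "https://companyB.sharepoint.com/sites/company_name/XXXX%20Files/Forms/AllItems.aspx",
        "fake-token", fake_send)
    print(site_id, drives)
```

To run it for real, replace `fake_send` with `http_send` and pass an access token obtained from `authority_for(<tenant id>)`; once `list_site_drives` returns the drive ids, `/drives/{driveId}/root/children` is the next hop for folders and files.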
Required: an MS Graph app that has access to companyB.sharepoint.com drive/file items for a member of Company A.
I am from Company/Organisation A. I have been granted access to a SharePoint site of Company/Organisation B.
https://companyB.sharepoint.com/sites/company_name/XXXX%20Files/Forms/AllItems.aspx
Via a browser this works as expected (i.e. I can access the SharePoint site).
I have created a multi-tenant app (Azure dev portal) and have been able to receive a user-delegated access token. The refresh token works fine.
The app (Overview) => Supported account types: Multiple organisations.
Using Graph Explorer (authenticated as a Company A user) at https://developer.microsoft.com/en-us/graph/graph-explorer
https://graph.microsoft.com/v1.0/sites/companyB.sharepoint.com:/sites
returns
{
"error": {
"code": "invalidRequest",
"message": "Invalid hostname for this tenancy",
"innerError": {
"date": "2022-04-12T04:36:00",
"request-id": "qqq21a6d3-xxx-xxx-xxx-xxx390a4yyy",
"client-request-id": "qqq382fa-xxx-xxx-xxx-xxx708yyy"
}
}
}
What I'm trying to achieve is to get access to and obtain a list of the files contained in the SharePoint site under Company B, then be able to walk through the files and add/edit/delete files in these directories (or whatever terminology MS uses for sites and files/folders within a site).
I cannot seem to find the 'SiteID' or 'DriveId' that the URL references point to...
Would it be feasible to create an app under Company B (i.e. create a dev account for them), create a simpler, non-verified, organisation-only app under Company B, and then log in as a user from Company A?
Any pointers or examples from anyone that has done this are appreciated.
I am attempting to create user social accounts for Microsoft logins on my B2C tenant without using the sign-up user flow. When the sign-up user flow is run and you register a Microsoft account, a user is created in the tenant with a source of "Microsoft Account".
I have been experimenting with the Microsoft Graph API using the create user POST request, wherein I can create a working local account fine, but I am having issues creating a Microsoft user that works with the B2C login using the examples in the link below. I don't think I have a valid issuerAssignedId for the Microsoft accounts I am creating, and I am not actually trying to migrate existing accounts. The user record is created in B2C when the POST request is run, but when I try to log in using the Microsoft account it responds with AADB2C99002: User does not exist.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example
Not exact values, but an example of the payload I am using:
{
"displayName": "Test Name",
"identities": [
{
"signInType": "emailAddress",
"issuer": "mytenant.onmicrosoft.com",
"issuerAssignedId": "test@outlook.com"
},
{
"signInType": "federated",
"issuer": "live.com",
"issuerAssignedId": "test@outlook.com"
}
],
"passwordProfile" : {
"password": "password-value",
"forceChangePasswordNextSignIn": false
},
"passwordPolicies": "DisablePasswordExpiration"
}
Is there a way I can achieve this? Thanks.
"I don't think I have a valid issuerAssignedId for the Microsoft accounts I am creating and I am not actually trying to migrate existing accounts."
You cannot use the Microsoft Graph API to create an MSA which doesn't exist.
Although the user record is created in B2C when the POST request is run, it is only a record, as you mentioned.
The real identity authentication process is done by MSA rather than B2C.
So AADB2C99002: User does not exist is the expected behavior in this case.
You can set a non-existent MSA while calling this Microsoft Graph endpoint, but it will not create an MSA on the MSA IdP side. So you cannot log in with it.
The best practice is to create the MSA in advance and use it for this Graph call.
I have an Office 365 account and I want to access my emails.
I followed the Microsoft Graph documentation:
https://learn.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
I have selected the permissions asked for, as you see below:
Permissions Image
I have requested the token, and the following request does not work:
GET https://graph.microsoft.com/v1.0/me/mailFolders
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
But when I use the next one, it works:
GET https://graph.microsoft.com/v1.0/users('xxx.yyy@zzz.onmicrosoft.com')/mailFolders('Inbox')/messages
I need to use the first endpoint, which everybody on the internet is using; I can't understand why it doesn't work for me.
In Graph, the /me/ endpoint is an alias for the currently signed-in user (based on the token). An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/{user id}).
If you call the endpoint /me/mailFolders, that means listing the mailFolders of the currently signed-in user. So you need to add delegated permissions and use a flow other than the client credentials flow to get the access token.
If you still would like to use application permissions, you need to call the endpoint /users/{id | userPrincipalName}/mailFolders.
About the error (Resource does not exist or one of its queried reference-property objects are not present), see the code sample of this issue.
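Both this answer and the first answer on the page (the calendar call failing with OrganizationFromTenantGuidNotFound) come down to what the access token actually says: which tenant issued it (`tid`), whether it is delegated (`scp`) or app-only (`roles`), and whether the needed permission is in it. The following added example (not code from any post on this page) decodes the token payload locally and reports those problems before any request is made. It does not verify the signature, which is fine for a sanity check of your own token but must never be used to trust a token presented by someone else. The `make_test_token` helper, the second tenant id and the sample tokens are constructed for offline use; the first tenant id and the user id are the ones quoted in the first question; `preflight` and its parameter names are this example's own.

```python
import base64
import json
from typing import Any, Dict, List, Optional, Tuple

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
# Both forms of the Graph audience that appear in real tokens (resource URI or app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_encode(obj: Dict[str, Any]) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the payload of a JWS compact token. NO signature check: this tells you
    what the token claims, which is enough to debug a request, not to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: Dict[str, Any]) -> str:
    """Delegated tokens carry 'scp' (space-separated scopes); app-only tokens from
    the client-credentials flow carry 'roles' and have no signed-in user."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    raise ValueError("token has neither 'scp' nor 'roles'; is it a Graph access token?")


def preflight(token: str, resource_tenant: str, required_permission: str,
              user_id: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Return (base URL for the target user's resources, list of problems found).
    resource_tenant is the tenant that owns the mailbox or calendar being read."""
    claims = jwt_claims(token)
    problems: List[str] = []

    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")

    # OrganizationFromTenantGuidNotFound: the token's tenant is not the one that owns the resource
    tid = str(claims.get("tid", ""))
    if tid.lower() != resource_tenant.lower():
        problems.append(f"token tid {tid!r} is not the resource tenant {resource_tenant!r}")

    granted = set(str(claims.get("scp", "")).split()) | set(claims.get("roles", []))
    if required_permission not in granted:
        problems.append(f"{required_permission} not granted; token carries {sorted(granted)}")

    if token_kind(claims) == "delegated":
        base = f"{GRAPH_V1}/me"                 # /me is an alias for the signed-in user
    elif user_id:
        base = f"{GRAPH_V1}/users/{user_id}"    # app-only: address the user explicitly
    else:
        base = None
        problems.append("app-only token cannot use /me; supply the user id or UPN")
    return base, problems


def make_test_token(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}."


# Constructed sample tokens. TENANT_A is the guid from the first question on this
# page; TENANT_B is made up to stand in for "some other tenant".
TENANT_A = "1dd120fe-cbd9-492b-b36d-12e4aa856cf3"
TENANT_B = "0f9b9f1a-0000-4000-8000-000000000001"
USER_ID = "d4d0b2ef-6a3b-4254-b8bb-eb358194458b"
APP_ONLY = make_test_token({"aud": "https://graph.microsoft.com", "tid": TENANT_A,
                            "roles": ["Calendars.Read", "User.Read.All"]})
DELEGATED = make_test_token({"aud": "00000003-0000-0000-c000-000000000000", "tid": TENANT_A,
                             "scp": "User.Read Mail.Read"})

if __name__ == "__main__":
    for label, tok, tenant, perm, uid in [
        ("app-only, right tenant", APP_ONLY, TENANT_A, "Calendars.Read", USER_ID),
        ("app-only, wrong tenant", APP_ONLY, TENANT_B, "Calendars.Read", USER_ID),
        ("app-only against /me", APP_ONLY, TENANT_A, "Calendars.Read", None),
        ("delegated mailFolders", DELEGATED, TENANT_A, "Mail.Read", None),
    ]:
        base, problems = preflight(tok, tenant, perm, uid)
        print(f"{label}: {base} -> {problems or 'OK'}")
```

Paste a real token into `preflight` with the tenant id that owns the mailbox (the O365 developer tenant, in the first question's case) and the permission the docs list for the call; an empty problem list plus the returned base URL (`.../me/mailFolders` for delegated, `.../users/{id}/mailFolders` for app-only) is what the request should be built from.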
I've created a web app with the Microsoft Graph API; it has been completed/tested and everything is working as expected. This web app is aimed at creating calendar events for our Office 365 users. Right now there are a total of 9 users that calendar events are created for, and two of them are having issues.
This is the specific response I get from Microsoft Graph API if I'm creating a calendar event for a user that is having issues:
Message:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "4d6efba0-fce2-4abe-9f60-be3df8b55d6f",
"date": "2018-08-29T15:26:58"
}
}
}
I know that everything I'm doing is correct, as the other seven users have no issues, so the issue must be with the Office 365 account itself. I've looked into account settings/permissions and everything I've checked is identical to a user that is working.
One of the biggest issues I'm facing with this problem is that I don't understand the error itself. When it says "ResourceNotFound" my guess is that it's saying it can't find the user account, even though it does exist.
My question is, what should the next steps be in order to find a resolution? Should I see if I can recreate the mailboxes and transfer the email from the broken account to a new account? Or should I continue to try to find the root problem?