Microsoft Graph API has provisions for accessing todoTask - it does not however have application level permissions (those are listed as "not supported"). How would an application implement creating / updating tasks and getting notifications for multiple users? Seems like a glaring hole in the api framework
Yes application level permissions are not yet supported. Please file a user voice here for your ask so that it could be considered in future.
Thanks!
Related
I am looking at Teams Channel Create Chat Message method (currently only available in beta).
We have an application which manages groups of users and would like to integrate with MS Teams - create a Team, add Channels and send messages to the channel - all without a user. For this I have followed "Get access without a user".
However I notice that for this and other message level functions (list messages) Application permission is "Not Supported" and for our use case Delegated permissions is not really an option (similar to this).
Does anyone know why these are only available for Delegated Permission? is there a plan to enable this or is will this always not be "Not supported" for Application Access?
I appreciate that giving an Application full access to all messages may be something that Admins would not be keen on, but being able to post and retrieve messages from channels the application has created seems (to me) to be reasonable (perhaps the permissions model isn't that fine grained yet).
This is possibly an overlap of Unable to “List channel messages” on Azure AD Graph API Beta - the OPs answer contains an unanswered similar question.
We aren't currently sharing road map externally of when these types of things are being updated.
What we do ask is that you request these on our UserVoice channel so that we can track the demand and prioritize accordingly. If you can go here and add this request I'd appreciate this and I'll let the PM who owns this know https://developer.microsoft.com/en-us/graph/support
As per (&today) https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#intune-device-management-permissions it says "Applications Permissions - None".
Is this going to remain that way or is it planned that at some point we will be able to access Intune as an application (running without a signed-in user present)?
We are considering adding this functionality, yes. However, we don't have a committed timeline as of now. But, we understand the customer and partner interest here, and thanks for helping keep this top of mind for us.
-Dave [MSFT]
Is it possible an application with app-only permissions to change the availability (Presence's state) of group users?
Reading the known issues for "Group conversations, events" delegate permissions are needed. So it seems not possible.
Any other way?
(BTW UCWA is not a way as it needs also user's credentials AFAIK.)
At the moment there is no support for Skype or Skype for Business within Microsoft Graph. I recommend visiting the UserVoice and adding this suggestion.
You can find the current set of Skype API's at the Skype Developer Platform site. I think you may be looking for the Trusted Application API (Public Preview) which brings a lot of the UCMA functionality to Skype for Business Online.
I'm trying to use Microsoft Graph from my app via REST API graph.microsoft.com/beta/schemaExtensions
Here is what I did:
Register app at https://apps.dev.microsoft.com
Checked for all Delegated and Application authorizations
Got access token without a user based on OAuth Client Credentials Grant flow
Asked for Admin Consent with access token retrieved from point 3. and it was successful using https://login.microsoftonline.com/tenant/adminconsent?client_id=xxx&state=12345&redirect_uri=http://localhost:8081
POST to /beta/schemaExtensions with access token retrieved from point 3. and I have this error:
Authorization_RequestDenied - Insufficient privileges to complete the operation
So here are my questions, hoping someone could help me:
How do I check if delegate authorization is ok after Admin Consent request?
Which privileges are missing to use schemaExtensions?
My app should work without a user, it's the preferred approach.
Couple of things here.
Extensions is GA and available on the /v1.0 version. Please use that instead of /beta.
We don't support schema extension registration using application permissions. It requires the Directory.AccessAsUser.All permission today (we're also investigating if there's another less privileged permission we can use here) per the create schema extensions topic.
Registering a schema extension can be a separate process from your application actually using the extension to create custom data on target object instances.
As such we are making a change (should be available shortly) to allow you to register and manage schema extensions for your app using Graph Explorer. There is also a user voice request to have a UI experience in app registration for schema registration/management. Please vote for this if it's important to you.
I'll update this post once Graph Explorer supports registering and managing schema extensions.
Hope this helps,
To answer the follow up question, the calling user should have read/write access to add custom data to another user. However, you can use open extensions to add custom data using /me/extensions to calling user (as long as the app has user.readwrite or higher permissions).
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)