I've created a spfx package containing a webpart that reads from MS Graph. The solution request the following permissions in package-solution.json:
"webApiPermissionRequests": [
{
"resource": "Microsoft Graph",
"scope": "Directory.Read.All,Directory.ReadWrite.All"
}
]
This works fine when I deploy the solution to the tenant app catalog. When I deploy the solution to a site collection app catalog it gets deployed without any error and creates an API access request (which I approve). But the webpart throws the following error when using the MSGraphClient:
Uncaught (in promise) Error: Error making HttpClient request in queryable [403] Forbidden ::> {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2021-05-20T19:40:49","request-id":"82b80ddb-...","client-request-id":"82b80ddb-..."}}}
Is this scenario not supported or have I missed any steps required?
The webApiPermissionRequests is an array of webApiPermissionRequest items. Each item defines the resource and the scope of the permission request.
Change your permissions to the below
"webApiPermissionRequests": [
{
"resource": "Microsoft Graph",
"scope": "Directory.ReadWrite.All"
},
{
"resource": "Microsoft Graph",
"scope": "Directory.ReadWrite.All"
}
]
Besides, after your deploy the solution to the tenant app catalog. You need to approve the requested Microsoft Graph permissions in SharePoint Admin Center: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/get-started/using-microsoft-graph-apis#approve-the-requested-microsoft-graph-permissions
Related
When sharing a file on Onedrive with specific people the user got to connect using a one-time code.
How do I get those people allowed to use the shared link using the Microsoft Graph API?
Currently, the permission data only states the scope: "users", I was unable to find the users connected to the URL using the Graph Api.
This Info is available in the Onedrive UI itself.
Users in the Onedrive UI
API Response for the same link:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#drives('b***')/items('0***')/permissions/$entity",
"id": "***-c555beee2324",
"roles": [
"read"
],
"link": {
"scope": "users",
"type": "view",
"webUrl": "***qbagBM9ioYBhgkVqZx4blggM7Ow"
}
}
I'm having problem with the youtube partner api.
I have written an application that correctly establishes an oauth connection between myself and previously authorised Content Manager page and can view my associated channels, create and manage assets etc.
I have a colleague from a different organisation with a separate content manager account that manages around 20 separate channels. They can use the app to successfully complete the oauth flow. However when we try and iterate their channel listings they receive the following error:
Google_Service_Exception: { "error": { "errors": [ { "domain": "youtube.common", "reason": "cmsUserAccountNotFound", "message": "The CMS user is not allowed to act on behalf of the specified content owner." } ], "code": 403, "message": "The CMS user is not allowed to act on behalf of the specified content owner." }
If they add my account as an administrator of the Content Manager account, I can however see their pages. They have permission to manage all pages under the account (and are the administrator)
My question is:
Is this because they don't have permission to use the API (although they have authorised the App that has requested permissions)?
If we create a service account and add it to their Content Manager account and change the oauth flow to this, will this resolve the issue?
...Or is there something else I'm missing?
Many thanks in advance for advice.
{ "error": { "code": "AuthenticationError", "message": "Error authenticating with resource.", "innerError": { "request-id": "525e9057-9f49-4ef3-b3d1-200ec34033e6", "date": "2017-07-15T01:33:22" } } }
When I try to list joined teams, it always failed with this error. But just a little times it will work.
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_list_joinedteams
Any help?
Thanks!
If you take a look at this: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/group_list
Under the Permissions section, you will see that when you create the Enterprise Application (assuming Azure AD), you need to specify the permissions and grant them to the application (If using Azure AD 2, they you set the scope in the code and not through the portal)
The problem I'm running into is that the User.Read.All and User.Read.Write require Admin privileges - I read that even with this, one only gets access to their own directory resources.
In short, you are not assigning the right permissions to your application which is why you get the error when executing the GET groups
We have a web application that OAuth with Office 365 using Azure AD. We are trying to restrict the resources we have access to.
Example: The authentication user have access to Site1, Site2 and Site3. We want to limit our application access to Site1 only. Does any one know if this is possible? I tried to go over Office 365, Azure AD and even Discovery API documentation, but I couldn't find anything helpful.
Did you also register the site1, site2 and site3 on the Azure AD? If I understood correctly, we can config the app manifest for the site1, site2 and site 3 to set the require permission like below(refer to here)
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application full access to the Todo List service on behalf of the signed-in user",
"adminConsentDisplayName": "Have full access to the Todo List service",
"id": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application full access to the todo service on your behalf",
"userConsentDisplayName": "Have full access to the todo service",
"value": "user_impersonation"
}
],
Then we need to assign the web app with right permission as the Microsoft build service like figure below:
The last step is that site1, site2, site3 need to verify whether the request has the permission to visit the resource via analyze the scope in the access token.
In order to manage Authorization by user you should implement Role Base Access Control, in this link you will find an example using Azure AD https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
Trying to access Youtube v3 api using the following link:
https://www.googleapis.com/youtube/v3/search?part=snippet&maxResults=5&q=funny& key=AIzaSyDFiabJG7l7aLfdvsLL1_DqKbZipKLvaI4
which returns
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
],
"code": 403,
"message": "Access Not Configured"
}
}
The Google Cloud Console is billing enable account for the registered app with a Browser Key as follows;
Access data that comes from a browser, and that is not associated with an account
Api Key
AIzaSyDFiabJG7l7aLfdvsLL1_DqKbZipKLvaI4
Allowed referrers - Any referrer is allowed.
Activated on
Dec 3, 2013 11:11 PM
What are the factors which would cause this condition?
Any referer allowed
Please click Edit Allowed Refers and the removed the bundle id (com.something) and again click update .
And then use same api key hope it will work
I think you haven't enabled access for "YouTube Data API v3" on your project.
Following procedure may solve your issue:
Access to Google Cloud Console
Select your project which uses YouTube Data API v3
Navigate to "APIs & auth" > "APIs", and toggle the switch next to API name.
In some cases, even with the project properly configured it gives the same error. In this case you may need to try one of the following:
Regenerate the key
Edit the allowed referrers
Remove any referrers altogether (if it complies with your project requirements, of course)
Use a Server Key instead of a Browser Key
See this question for more information