I have got channels:manage scope for the bot using the OAuth flow, and I am using the conversations.create API to create channels. The API is successful in some Slack workspaces and is not in others. The API is returning a restricted_action error code.
While I understand that it could be because of some workspace admin settings, I am unable to figure out what setting it is. I am unable to give a workaround for my customers.
Can someone throw light on what setting it could be, so that I can better serve my customers?
This is likely similar to this question's answer, which is that the user authorising your app does not have the permission to perform the action themselves and thus cannot grant it to the bot.
A workaround for this might be to detect that the action is being restricted, and DM the installing user asking for them to have an administrator (or someone with the right privileges) install the bot. Slack allows admins to restrict channels creation to admins only, which is likely what is happening here.
Related
So I applied as a Twitter Dev to make a bot that tweets stuff. About two days later, I got access. When I ran the code with the tokens it gave me, it posts from my account.
My question: Is there a way for me to make it send as another account (a bot account) without me having to apply again?
Yes, you can use the Sign-in with Twitter flow to authenticate a different user to your app, and then use the Access Token and Access Token Secret for that user to post to that account. This is the correct way to implement things - you should not be applying for multiple developer accounts.
You can also use tools like twurl or another CLI tool to
https://github.com/twitter/twurl/
https://github.com/smaeda-ks/tw-oob-oauth-cli
https://github.com/olithissen/twitter-oob
Did you get elevated access from tweeter or Essential? I have a stack error:
You currently have Essential access which includes access to Twitter API v2 endpoints only.
If you need access to this endpoint, you’ll need to apply for Elevated access via the Developer Portal.
It's hard to get Elevated now.
I have a windows service that imports support emails into a CRM from 4 different email accounts. I am currently using IMAP, but would like to move to Microsoft Graph.
After much investigating I am only seeing two options to make this happen:
Using a delegated permission: Implement a user interface to authenticate to the email accounts via OAuth (won't work for a daemon process)
Using an application permission: Get permission from my email admin to access ALL email messages in the company so I can process email from these four accounts (It will be a cold day in Hades when I get this kind of permission on a corporate level)
So, from what I can see, I am stuck. Can anyone recommend another option, or do I go back to IMAP?
With 2 you could scope the permissions so your application only has access to those four mailboxes in question https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access. For the corporate this would be the most secure option eg no user account/password or licence and you app is just restricted to email on those four account.
So, from what I can see, I am stuck. Can anyone recommend another option, or do I go back to IMAP?
In security terms even option 1 is generally going to be better the IMAP (especially using basic auth) and you can use it in a daemon if you use the ROPC grant https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc which is going to be the same as what you doing with IMAP.
I am trying to read a person's Out of Office text with MSGraph. I understand the only way to do this is by getting the person's mailbox settings as indicated here.
Is there another way to read a person's Out of Office Message?
Assuming there is no other way I then have read for example in this link that to call GET /users/{id|userPrincipalName}/mailboxSettings you need to have Application Permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. Is this still the case? It does not make sense to me that you need Application level permissions. Is there not a delegated (admin consent required) MailboxSettings.Read.All??? The problem is that most IT departments will be hesitant (or pigs are going to fly before some IT departments) give an application this permission to run without a signed in user.
Alternatively, I see that there is a User property of mailboxsettings, thus using the $select query parameter you can call this https://graph.microsoft.com/v1.0/users/{id}?$select=mailboxSettings does or should this work with the User.Read.All.
UPDATE in accordance with the suggestion below I have added 2 suggestions to the MSGraph user voice.
A person's out of office information should be included with their calendar / freebusy (getschedule) information.
There should be a Mailboxsettings.Read.All permission.
Please click on the link and vote them up if you agree.
No, there is no MailboxSettings.Read.All or MailboxSettings.Read.Shared. You can see the list at https://learn.microsoft.com/graph/permissions-reference#mail-permissions. I encourage you to request this as a feature at https://microsoftgraph.uservoice.com.
One possible approach given the currently available permissions around this API is to use app permissions and configure an app access policy to limit the mailboxes it can access - if that's the concern you're mentioning. I'm not clear on why it would be preferable to give a user account access to this info for all mailboxes in an org but not an app service principal.
It isn't included as part of User.Read.All by design. It's not really a property on the user, it's config stored in the mailbox. It's abstracted as a property in Graph, but it requires additional permissions to access.
I understand that basic authentication for EWS is going away. I have a need for a service (daemon) to monitor a mailbox for incoming mail.
I've setup an application in Azure and I have the daemon running which can get the token successfully.
The issue I am having is that it seems the application will have access to every mailbox. I do not want my application to have access to the mailbox of each user that exists in exchange, but just to one mailbox. Either this does not exist, or I cannot seem to find where to set this up so it is granular to one mailbox.
Right now, AFAIK, you get access to the entire Exchange, which seems very bad. I am going to try to get thru the support chain to see if my registered app can be given a scope of mailboxes rather than the whole deal. If I get an answer I'll post back here. Perhaps someone else will chime in while I'm off on my quest.
I cannot find a good working sample that calls the Graph API and retrieves the user's contacts from within an Azure Function. Part of the issue is a lack of documentation and samples as this seems new-ish. Is this even possible? I am trying to create a function that can take a phone number and check against the user's contacts to see if the contact exists. So far, the only way I can achieve authentication is to use Postman to retrieve a token manually. That token didn't even work to retrieve the contacts. I know I am doing something wrong but I think what I really need is the big picture. I'm missing something. Thank you for your help.
The auth token binding may help at least with the act of getting the token. In this case, if it's on behalf of the user invoking the function, you'll want to use the identity: userFromRequest setup. Keep in mind that for debugging, you'd still have to acquire a user token for the app and attach that to calls to your function, but you can use the function app's /.auth/login/aad and /.auth/me endpoints for that.
Make sure that your application registration has the Contacts.Read permission. This is required for the contacts API.Today, the UX for App Service Authentication / Authorization today links to the existing permissions UX, which unfortunately uses different names for things. I'd recommend navigating directly to the AAD section of the portal and selecting App registrations (Preview). Find your app registration there (defaults to same as your app name), and browse through the API permissions there. That way the right names show up and will match the Graph docs.