I would like to use Microsoft Graph and this works:
await graphClient.Users["xxxxxxx-xxxx-xxx-xxxx-xxxxxxx"]
.Request()
.GetAsync();
And this throws the OrganizationFromTenantGuidNotFound error:
await graphClient.Users["xxxxxxx-xxxx-xxx-xxxx-xxxxxxx"]
.SendMail(message, false)
.Request()
.PostAsync()
I authenticate as an application with my client id, tenant id and secret.
I have set mail permissions in my app registration and the user is assigned.
Graph permissions with admin consent
I have tried to define the scope as "https://graph.microsoft.com/mail.send/.default" but then I get this error: MsalServiceException: AADSTS500011: The resource principal named https://graph.microsoft.com/mail.send was not found in the tenant...
I have also tried adding a new user to my app registration but that gives the same error.
My AAD account does have a Microsoft 365 Family subscription and I have an Azure trial account.
What else should I check? Thank you!
OrganizationFromTenantGuidNotFound comes mostly when there is no mailbox present.
You should have the Exchange Online License to work with SendMail endpoint because this endpoint is on exchange workload. And also, as you have specified the permissions in Azure AD you can simply add the scope as https://graph.microsoft.com/.default which pulls all the given permissions in Azure AD and add to your token.
Make sure you are using the Client Credential Flow(Application context) to get the App token.
Related
I'm trying to figure out how to use Microsoft Graph API in order to get information on an Azure AD B2C tenant's Policy Keys. It seems like it should be possible given the following documentation, but I keep getting an InvalidAuthenticationToken error.
Documentation link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
What exactly do I need to do to call the endpoint shown in here (the /trustFramework/keySets endpoint)? https://learn.microsoft.com/en-us/graph/api/trustframework-list-keysets?view=graph-rest-beta&tabs=http
In postman, I'm simply firing off the get request with Basic auth using my Portal credentials. Am I going about this the right way?
I tried to reproduce the same in my environment. and received similar error *InvalidAuthenticationToken*
Then , I checked that I missed to give authorization header with bearer token ,
Which Is required parameter to query that as per : List keySets - Microsoft Graph beta | Microsoft Learn
Below are the scopes , I have given admin consent to. delegated and application permissions like openid offline_access profile User.ReadWrite.All TrustFrameworkKeySet.Read.All Policy.ReadWrite.TrustFramework AuditLog.Read.All
Do a get request at https://login.microsoftonline.com/xxxxxx063/oauth2/v2.0/token to receive a token for the application endpoint in postman with the scope for graph i.e; https://graph.microsoft.com/.default , for that particular tenant (here used tenantId of azure ad b2c).
Give required values like client_id, client_secret for client_credential flow
Then try to query graph using that token :
GET https://graph.microsoft.com/beta/trustFramework/keySets ,
Following above steps with correct values and granting admin consent , I could successfully query the keySets
My question is, does Microsoft Graph work without User.Read scope ? I am not able to request the email profile openid permissions directly.
It throws AccessDenied error. So is User.Read pre requisite for email profile or openid ?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission but in most cases you do because you app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the api document to see if calling that api required User.Read permission.
For instance: I wanna call this api to list emails, and we can see that this api provides 2 kinds of permissions, one is for delegate, another is for application(this means client credential flow is supported). All the api permissions are listed here and we need to go to azure ad portal to add the api permission to your azure ad application which used to generate access token.
After generating the access token, you can user jwt decode tool to check if your access token contains correct scopes(for delegate permission) or roles(for application permission). Using a correct token to call the api will not lead to AccessDenied error. By the way, newly added permission may be deferrable to take effect.
I have a Microsoft Graph & MSA/AAD v2 daemon which is exclusively for Server Side API access. In the Azure Portal I have granted admin consent for my Microsoft account (MSA) for User.Read.All and Files.Read.All.
I can successfully get a token, and I have tried both /me/drive/root and /users/{user_guid}/drive/root with the same return result:
GraphError {
statusCode: 400,
code: 'BadRequest',
message: 'Tenant does not have a SPO license.',
requestId: 'guid',
date: 2020-06-08T09:53:12.000Z,
body: '{"code":"BadRequest","message":"Tenant does not have a SPO license.","innerError":{"request-id":"guid","date":"2020-06-08T02:53:12"}}'
}
Note: I'm aware SPO refers to SharePoint Online & OneDrive for Business, however this is for a Microsoft account user, and I am intending to access their OneDrive Consumer (i.e. http://onedrive.live.com).
Is the Graph incapable of accessing OneDrive for Consumers? Or is it only possible with Delegated permissions? I did not see any reference in both the Graph and OneDrive dev docs.
After talking with the Microsoft Identity team, it is not currently a supported scenario to access a Microsoft account user's personal OneDrive (or other Microsoft Graph) content using the client_credentials grant type.
You can obtain admin consent for an MSA user, however those scenarios are limited to the MSA user operating as a guest user in your AAD tenant, or requires them to otherwise have an M365 license and associated SharePoint Online instance.
If you are looking to access an MSA user's content from a service, persisting the refresh token in the service and obtaining consent for offline_access currently appears to be the recommended method.
We have to generate an online meeting request from our Dynamics CRM System. We tried using the Microsoft graphs API, and were able to generate the token. However while submitting the request, we get a 403 Forbidden Error. We have registered our application in Azure and also given the required API permissions.
I have attached the screenshots of our testing. I am testing this on my personal Azure test account.
Screenshots
The user has to consent the permission:
Consent experience
Azure AD will sign the user in and ensure their consent for the permissions your app requests.
At this point, the user will be asked to enter their credentials to authenticate with Microsoft. The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
Tool: postman
Created azure ad app, granted app-only permission Group.ReadWrite.All for Microsoft Graph app, the app has standard delegation permissions as "Sign-in and read user profile on" "Windows Azure Active Directory" app.
Requested token for AzureAD graph api at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using client credential grant flows;
Got token back
Used the token and did a GET on a User OK
Did a PATCH on a user ( modification went successfully with http code 204 back);
This looks very strange to me, why an app was able to do patch on a user in azure ad when app is only granted Group.ReadWrite.All on Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
There are two issues here;
Issue #1) Wrong documentaiton for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All), It requires both Directory.ReadWrite.All AND Group.ReadWrite.All ,
Issue #2) Azure AD portal does not remove Application service principal from Directory Writer Role if you remove "Read and write directory data" permission from Windowes AzureAD App