What rights are needed to read all groups in MS Graph - microsoft-graph-api

So the question says it all. I am at a complete loss here. I have given the following rights to the app that manages users and can add/remove users from groups.
Here is the list of the rights I have given the app.
User.ReadWrite.All
Group.ReadWrite.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
GroupMember.Read.All
User.ManageIdentities.All
Group.Read.All
Directory.Read.All
From what I understand I need only these:
User.ReadWrite.All
Group.ReadWrite.All
https://learn.microsoft.com/en-us/graph/permissions-reference
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http
The application itself is a SharePoint WebPart on SPFx 1.11. The app itself worked before, when I had many rights in the dev tenant; I removed them all to be sure the web part's rights are sufficient to run the app, but no dice.
The insufficient rights issue occurs when I try to get all the groups from the /groups endpoint.

So it turned out that I needed User.Read as well. If someone can answer why I needed those rights as well at the /groups endpoint that would be super helpful and I will accept that answer, but right now I needed these rights:
User.ReadWrite.All
Group.ReadWrite.All
User.Read

Related

Revoking admin consent for a Microsoft Chat Bot

I have created a microsoft chat bot, and have set up the /adminconsent workflow, where another application has given admin consent to my bot to act on behalf of them.
#shawn-tabrizi wrote a great article about how to remove my own bot's access to their application from the UI, but I can't find a way to remove access using Microsoft Graph.
Any help would be appreciated!
I believe you're looking for Delete an appRoleAssignment granted to a service principal:
App roles which are assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.

How can a user get a working token from Microsoft Graph?

I am making an application for Microsoft Teams.
It must get the teams in Microsoft Teams that the user is a direct member of.
If I use the same email under which I registered the application in Active Directory, then getting the list on request to /me/joinedTeams is not difficult.
However, if I am using someone else's Teams account, I get an UnknownError when requesting /me/joinedTeams.
I noticed that after consent and authorization in the Microsoft Graph, the user has a token shorter than mine.
However, it works with other endpoints (/me and /drive/root).
Permissions are exposed in accordance with the documentation.
Permissions:
Directory.Read.All
Directory.ReadWrite.All
email
Files.Read
Files.Read.All
Files.Read.Selected
Group.Read.All
Group.ReadWrite.All
offline_access
openid
profile
Team.ReadBasic.All
TeamsAppInstallation.ReadWriteSelfForChat.All
TeamsAppInstallation.ReadWriteSelfForTeam.All
TeamsAppInstallation.ReadWriteSelfForUser.All
TeamSettings.Read.All
TeamSettings.ReadWrite.All
User.Read
User.Read.All
User.ReadWrite.All
Here you are getting the error because the /me/joinedTeams doesn't support personal accounts. See this document.
It works for /me and /drive/root because it supports personal accounts. See this document and this document.

Tenant does not have a SPO license

I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.
I followed Microsoft documentation to obtain the access token without user. I successfully got an access token but I got an error while using the access token to call the OneDrive API.
Here is the response:
{
  "error": {
    "code": "BadRequest",
    "message": "Tenant does not have a SPO license.",
    "innerError": {
      "request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
      "date": "2017-10-10T04:34:05"
    }
  }
}
I don't understand why I need to have an SPO license while calling the Graph API, or how to get it. Because of this error message I'm trying to buy an SPO license.
According to this document, I think I should see many products on the license pages, but when I log in to the Azure Portal and go to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:
In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.
Answering a couple of things here.
Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.
As for adding Office 365 to your existing tenant: I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign up for Office 365; if it asks whether you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.
Hope this helps,
In case anyone else has a similar issue, I was getting the same error message when using a personal Microsoft account, just like OP.
So, if you are using a personal account with an app registered in Azure Active Directory (AAD) whose account type isn't "Personal Microsoft accounts only" or "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)", you will get this error. Also, you need to use the correct endpoint to avoid errors.
The main problem is our account type. As a personal account, there are some restrictions to access one drive files. These restrictions are:
You can only use Oauth2 Code Flow or Oauth2 Token Flow. Both are interactive approaches. [1][2]
Your application registered in AAD needs to be "Personal Microsoft accounts only" or "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)", and each one has a different endpoint to acquire the access token (which you can see by clicking the Endpoints button, near the Delete app button on the app page). [3]
Enable these delegated permissions to your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.
With these restrictions in mind, you can set up a workflow in Postman following these two steps (I'm using the endpoints of the "Personal Microsoft accounts only" app type and using the OAuth2 Code Flow):
Important note: To use the code flow, you need to enable Access tokens under Implicit grant and hybrid flows in the Authentication sidebar menu of the AAD app.
Acquire access token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All
After you fill in your information on Postman's request, I recommend using a browser and network inspection to login with a Microsoft account and permit the app. You are getting the access token via network inspection.
List one drive root files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKEN_OF_STEP_1
In my Angular application, because of this interactive-only restriction on accessing OneDrive files, I changed my authentication method to use the Microsoft Authentication Library (MSAL), to avoid opening a popup window to authenticate a valid Microsoft account every time I need to send an API request.
Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).
The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.
Are you able to access the OneDrive contents (including the Excel file) manually through browser after logging in with your account in the same tenant?
If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you're signing in, you will be presented with a consent page listing the permissions that need to be granted. Please make a note of those permissions and check whether they match those required for accessing the drive.
If you do not have appropriate SPO license yet, you can try setting up a free Office-365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.
To add to Kikutos' answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:
https://login.microsoftonline.com/consumers/

Microsoft Graph adding Directory.Read.All permission

We are creating a service that requires permission to view other users' (inside the organization) emails. I'm under the impression that two required permissions are Mail.Read and Directory.Read.All. Since I'm not an admin, I got our admin to try it and he still gets 'Access denied'. Is it possible for the admin to give me the necessary directory permissions?
Am I missing something?
(Sorry if I am ambiguous, I am brand new to Graph. Please ask me any question that will help clarify)
Make sure you've enabled the Mail.Read application permission (Read mail in all mailboxes). There is also a Mail.Read delegated permission (Read user mail), which gives you access only to the signed-in user's mailbox.
An admin must grant that permission in Azure Portal for the application. From that point on, the application by itself (with no signed-in user) should be able to access any user's email in the organization.

Microsoft Graph - Why permission/scope "Group.ReadWrite.All" is able to do PATCH on user profile properties?

Tool: postman
Created an Azure AD app, granted it the app-only permission Group.ReadWrite.All for the Microsoft Graph app; the app has the standard delegated permission "Sign in and read user profile" on the "Windows Azure Active Directory" app.
Requested a token for the Azure AD Graph API at the endpoint https://login.windows.net/ with the resource parameter "https://graph.windows.net", using the client credentials grant flow;
Got token back
Used the token and did a GET on a User OK
Did a PATCH on a user ( modification went successfully with http code 204 back);
This looks very strange to me: why was an app able to do a PATCH on a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
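As an added example (not code from any of the posts above), a small Python helper that decodes an access token's payload and reports the "roles" claim mentioned in the answer above (application permissions), the "scp" claim (delegated scopes, the distinction drawn in the Mail.Read thread), and the "aud" claim, which must match the API the token is sent to. The token, client id and audiences are constructed placeholders; the helper does not verify the signature and is for inspection only.

```python
import base64
import json


def _b64url(data: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample app-only token (header.payload.signature); the signature
# is a dummy value and the appid is a placeholder, not a real client id.
SAMPLE_APP_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "aud": "https://graph.microsoft.com",
        "appid": "00000000-0000-0000-0000-000000000000",
        "roles": ["Group.ReadWrite.All"],  # application permissions granted by admin consent
    }),
    "dummysignature",
])


def decode_payload(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Union of application permissions ('roles', an array) and delegated scopes ('scp', a string)."""
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    return roles | scopes


def check_call(token: str, api_audience: str, acceptable: list) -> dict:
    """Report whether a token can authorize a call: the audience must match the API
    being called and at least one of the permissions listed for the endpoint in the
    Graph permissions reference must be present in the token."""
    claims = decode_payload(token)
    granted = granted_permissions(claims)
    return {
        "kind": "application" if "roles" in claims else "delegated",
        "audience_ok": claims.get("aud") == api_audience,
        "permission_ok": any(p in granted for p in acceptable),
        "granted": sorted(granted),
    }
```

A token requested for "https://graph.windows.net" (Azure AD Graph) fails the audience check against Microsoft Graph even when its roles look right, which is the first thing to rule out when a call returns an authorization error.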
There are two issues here;
Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.
Issue #2) The Azure AD portal does not remove the application's service principal from the Directory Writers role if you remove the "Read and write directory data" permission from the Windows Azure AD app.