Microsoft graph ErrorMultipleMailboxesNotSupportedForRest error - microsoft-graph-api

I'm trying to copy a mail using the Microsoft Graph API and Postman. I'm copying a mail from my personal work mailbox to a shared mailbox folder using this POST URL:
https://graph.microsoft.com/v1.0/Users/xxx-my-id-xxx/messages/xxx-a-message-id/copy
The body of the request is:
{ "destinationId": "xxx-id-of-target-folder-in-shared-maibox-xxxx" }
This has worked for years using the deprecated Outlook v2.0 API, but as of recently I get this error:
"error": { "code": "ErrorMultipleMailboxesNotSupportedForRest", "message": "Rest does not support copying items between multiple mailboxes, only single mailbox copy operations are supported." }
I tried switching to the Graph API but keep getting the same error. What am I doing wrong?
Upon authentication, I use the following OAuth2 scopes: openid Mail.ReadWrite.Shared offline_access profile email

Using the MS Graph 'findMeetingTimes' endpoint with client credential (/application) flow

So I would like to prevent the usage of delegated user authentication flow but still want to use the findMeetingTimes endpoint. But it doesn't seem available for client credential flow, right?
I simply tried to post on this endpoint:
https://graph.microsoft.com/v1.0/findMeetingTimes
But it seems like it doesn't exist. Error response message:
"message": "Resource not found for the segment 'findMeetingTimes'."
Is there any workaround for using it with the application flow?
According to the documentation, findMeetingTimes is not supported for the Application permission type.
Resources:
findMeetingTimes

Microsoft Graph People API returns a 404 despite consented permissions

When using the Microsoft Graph API endpoint /v1.0/me/people I'm presented with a 404 error despite having consented to the People.Read and People.Read.All permissions. I've added the response object and a screenshot of Graph Explorer below. Any suggestions on how to get a 200 OK instead? An empty array would be sufficient for me.
{
  "error": {
    "code": "ResourceNotFound",
    "message": "Resource could not be discovered.",
    "innerError": {
      "date": "2021-04-24T07:09:23",
      ...
    }
  }
}
I'm experiencing this error on an Azure AD tenant I created for testing purposes with only two user objects and two groups. There are no Microsoft 365 services connected to this tenant. Judging by the People API documentation I can imagine this might have something to do with the 404 error, although I couldn't find it clearly specified that Microsoft 365 licenses are a requirement for the People API. It's good to note that other endpoints such as /v1.0/users and /v1.0/groups work.
Yes, to use the People API you need to have an Exchange license, as all the people details are stored in Exchange.
You are able to get User and Group details because they are coming from the Directory Services (Azure Active Directory) workload.

Microsoft Graph Mail Query - Getting "ErrorAccessDenied"

My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the Microsoft Graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
These are the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "date": "2020-09-14T11:22:30",
      "request-id": "{some_string}",
      "client-request-id": "{some_string}"
    }
  }
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes, you would need to send the AccessToken in the Authorization header. You should also include the X-AnchorMailbox header, which helps route the request to the correct mailbox, e.g.:
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token; you can use https://jwt.io/ for that.
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
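The two answers above, as an added example that is not part of the original posts: the client-credentials token request and a local check of whether a token carries application permissions (`roles` claim) or delegated ones (`scp` claim), without pasting a bearer token into a website. The function names and sample tokens are constructed for illustration, and the claims are decoded without signature verification, so this is for diagnosis only.

```python
import base64
import json
from urllib.parse import urlencode


def client_credentials_request(tenant, client_id, client_secret):
    """Build (url, form body) for the app-only token request; nothing is sent."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return url, urlencode(form)


def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_token(claims):
    """Constructed, unsigned token for the demo; not a real Graph token."""
    return ".".join([_segment({"alg": "none"}), _segment(claims), "constructed"])


def inspect_token(token, required):
    """Classify a token by its unverified claims and look for one permission."""
    result = {"kind": "opaque", "has_permission": None}
    parts = token.split(".")
    if len(parts) != 3:
        return result  # not a JWT, nothing can be read locally
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return result
    if not isinstance(claims, dict):
        return result
    if "scp" in claims:  # delegated: space-separated scopes granted for a user
        kind, granted = "delegated", str(claims["scp"]).split()
    else:  # app-only: application permissions arrive in the roles claim
        kind, granted = "app-only", claims.get("roles", [])
    return {"kind": kind, "has_permission": required in granted}


if __name__ == "__main__":
    samples = [sample_token({"scp": "Mail.Read offline_access"}),
               sample_token({"roles": ["Mail.Read"]}), "EwAo-constructed-opaque"]
    for tok in samples:
        print(inspect_token(tok, "Mail.Read"))
```

A token obtained through the authorization code flow shows up as `delegated` here even when the app registration has the Mail.Read application permission with admin consent.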

Graph API error 503 serviceNotAvailable when getting item from SharePoint site in Power Automate

I am trying to use Microsoft Graph API in Power Automate where I make calls out to perform some actions. I have been successful with all Graph calls up to this one where I get a 503 serviceNotAvailable error.
The call I am trying is below
GET https://graph.microsoft.com/v1.0/groups/b40e54ac-5626-xxxx-xxxx-xxxxxxxxxxxx/drive/root:/filepath.docx
If I paste this directly into Graph Explorer on the Graph API site it works fine so I am happy that the call is syntactically correct.
I can't get the call to work through Power Automate. I also have tried this through Postman and am getting the same 503 error.
{
  "error": {
    "code": "serviceNotAvailable",
    "message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
    "innerError": {
      "request-id": "87725851-77fb-xxxx-xxxx-xxxxxxxxxxxx",
      "date": "2020-03-01T16:55:43"
    }
  }
}
Permissions in my app registration are
Directory.AccessAsUser.All
Directory.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.ReadWrite.All
Files.Read.All
Files.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Group.Selected
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
TeamsActivity.Read.All
TeamsActivity.Send
TeamsApp.Read.All
TeamsApp.ReadWrite.All
TeamsTab.Create
TeamsTab.Read.All
TeamsTab.ReadWrite.All
User.Read
User.ReadWrite.All
Am pulling my hair out ... and there's barely anything left!
If you remove "Group.Create" permission completely and test, it should work.
Seems it doesn't like "Group.Create" with "Group.ReadWrite.All"
If it works in Graph Explorer but doesn't in Postman, that typically means that your access token in Postman is not correct.
Have you looked at the Postman collection I put together? It puts on rails fetching the access token based on your application id and secret. https://learn.microsoft.com/en-us/graph/use-postman
With regard to Power Automate: how are you entering the application id and secret for the flow to get the application access token? We do have a tutorial here from start to finish to show the approach we recommend: https://learn.microsoft.com/en-us/graph/tutorials/flow

Onedrive API rejects access token (CompactToken parsing failed with error code: 8004920A)

Hopefully I'm missing something very simple. According to this documentation to get an access token I need to hit the following url:
https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}
&response_type=token&redirect_uri={redirect_uri}
So far this appears to be working as the returned url I get contains
/#access_token=EwAYA61DBAAUcSSzo.......
According to the token flow documentation above,
You can use the value of access_token to make requests to the OneDrive API.
According to this page,
Your app provides the access token in each request, through an HTTP header:
Authorization: bearer {token}
When running curl I give it the exact token I was given before,
curl -X GET \
  https://graph.microsoft.com/v1.0/drive \
  -H 'Authorization: Bearer EwAYA61DBAAUcSSzoTJJs.....'
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken parsing failed with error code: 8004920A",
    "innerError": {
      "request-id": "8780c600-2b7f-45a0-b484-7eca9dfd2697",
      "date": "2019-01-25T19:33:22"
    }
  }
}
Why is the token they provided not working?
What I've tried so far:
changing the case of bearer in the header
wrapping said token in {}
generating new tokens
URL decoding said token
One thing to note: the tokens I am receiving are not JWT tokens. Googling the error code pulls up several Stack Overflow questions that seem to imply the graph api is expecting a JWT. If this is the case, am I missing a step to obtaining it?
You can't call Microsoft Graph API after completing the authentication flow for Microsoft accounts (OneDrive personal).
In addition, the authorization process with Microsoft accounts is no longer recommended according to the docs, and new applications should be developed using Microsoft Graph:
This topic contains information about authorizing an application using Microsoft accounts for OneDrive personal. However, this approach is no longer recommended. New applications should be developed using Microsoft Graph and follow the authorization process in Authorization and sign-in for OneDrive in Microsoft Graph.