Add user in Azure AD using Microsoft Graph API - microsoft-graph-api

I am trying to add user using Microsoft graph API.
I have provided the consent for all the permissions required.
POST https://graph.microsoft.com/v1.0/users
Request body that is send to the post request.
{
"accountEnabled": true,
"displayName": "Adele Vance",
"mailNickname": "AdeleV",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Error that is received in response
{
"error": {
"code": "",
"message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:0ff49e4749deeaf2')/profile?api-version=AGSV1-internal'.",
"innerError": {
"date": "2021-02-04T10:41:56",
"request-id": "025218e1-191c-464f-adf3-f0cdc5fcebfd",
"client-request-id": "c071d220-2f14-d7fa-956e-cd45ccbdc735"
}
}
}
Is there something that I am missing?
I have also gone through the docs for adding user provided by Microsoft.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http

What you said in the comment is correct, the document has detailed instructions, it does not support Microsoft personal accounts.

You will have to check the end point are you using to authorize in order to obtain the token.
If you are using a tenant specific end point
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
Try replacing with the common endpoint
https://login.microsoftonline.com/common/oauth....

Related

Return 401 Unauthorized when use Graph API to read calendar and mailbox setting

I have setup a work account on Azure and add permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type
I can use client credential flow to get the access token successfully
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
the token can be parsed by https://jwt.ms with proper role
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when query calendar or mailboxSettings
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return error below
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Is "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above query, or need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite ?
Also for permission of calendar, which one is a higher permission, is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try by providing user.ReadAll permission instead of User.ReadBasic.All

Microsoft Graph API Errors for ServiceNow

I am integrating ServiceNow with Teams specifically to push notifications to users and channels using microsoft graph api.
Issue #1 -
I have configured an OAuth profile for azure app to utilize microsoft graph API, setup required API permissions and calling various chat related API functions. For 'Create Chat' request I am getting below error:
responseBody: {
"error": {
**"code": "UnknownError",**
"message": "",
"innerError": {
"date": "2021-01-29T09:20:53",
"request-id": "90a99bf5-048f-445b-b58c-ee46fc30edf3",
"client-request-id": "90a99bf5-048f-445b-b58c-ee46fc30edf3"
}
}
}
API call -
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setHttpMethod("POST");
restMessage.setEndpoint("https://graph.microsoft.com/beta/chats");
restMessage.setRequestHeader('Content-Type', 'application/json');
restMessage.setRequestHeader('Authorization', 'Bearer ' + retrieveToken()); //retrieveToken() function creates access token.
restMessage.setAuthenticationProfile('oauth', 'a5325df007022010f60df7fc7c1ed0a2');
restMessage.setRequestBody(global.JSON.stringify(
{"chatType": "oneOnOne","members":
[
{
"#odata.type": "#microsoft.graph.aadUserConversationMember",
"roles": ["owner"],
"user#odata.bind": "https://graph.microsoft.com/beta/users('<userID>')"
},
{
"#odata.type": "#microsoft.graph.aadUserConversationMember",
"roles": ["owner"],
"user#odata.bind": "https://graph.microsoft.com/beta/users('<userID>')"
}
]
}
));
var response = restMessage.executeAsync();
var responseBody = response.getBody();
gs.info('responseBody: '+responseBody);
Most of the suggestions are to set appropriate API permissions. This is already set correctly on Azure (both delegated and apppication permissions) and in OAuth entity scope in servicenow.
Issue #2 -
For the same setup instead of usign scripted API, I defined REST Message record and trying to get the token by clicking 'Get OAuth Token' related link and getting following error:
https://dev72030.service-now.com/oauth_redirect.do?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27msgraph-client-app%27+asked+for+scope+%27**Chat.Read.All%27+that+doesn%27t+exist+on+the+resource**+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+b0b9ff39-fd1a-49c9-85fa-3c8c71943600%0d%0aCorrelation+ID%3a+9c276922-3a77-4cc1-890b-23177ffd1845%0d%0aTimestamp%3a+2021-01-29+10%3a31%3a27Z&state=-1877865371#
This say I need to set 'Chat.Read.All' API permission. This is already provided on both sides, Azure app and OAUth profile in SNOW.
What am I missing
Could you please check this docs? For second issue: Could you please check the permissions on src by going through the jwt.io

Cannot update oauth2PermissionGrants using graph.microsoft.com

Using https://graph.microsoft.com/beta/oauth2PermissionGrants I now cannot use POST to update B2C apps to grant them access to API's due to an error : Missing property: expiryTime
We've been using the BETA endpoint to update our B2C apps to grant them access to various API's using a Powershell script I created however in the last week or so something has changed on the back end as we now receive an error when attempting a POST : Missing property: expiryTime. The expirytime however is present in the JSON.
We can POST via graph.windows.net using the same JSON so this is something specific to the BETA endpoint. When querying the App's Oauth2permissiongrants I also cannot see the expirytime or starttime using graph.microsoft.com for some reason.
Please see the code below and let me know if I can answer any questions.
https://developer.microsoft.com/en-us/graph/graph-explorer#
POST https://graph.microsoft.com/beta/oauth2PermissionGrants
{
"clientId": "APP servicePrincial ObjectID",
"consentType": "AllPrincipals",
"expiryTime": "2030-05-12T19:34:28.9831598Z",
"principalId": null,
"resourceId": "02bccee7-8958-4e5e-89c7-466a5370a205",
"scope": "user_impersonation"
}
{
"error": {
"code": "Request_BadRequest",
"message": "Missing property: expiryTime",
"innerError": {
"request-id": "b15edafa-1415-4430-9d89-5ea3fb824f9c",
"date": "2019-09-16T11:29:39"
}
}
}

SendMail API throwing 400 - Bad Request

I am using Microsoft Graph API to send an email on behalf of an admin. The token has the permission Mail.Send at application level. I am getting a 400 - Bad Request as the response.
Request: POST https://graph.microsoft.com/v1.0/me/sendmail
{
"message": {
"subject": "first mail",
"body": {
"contentType": "Text",
"content": "commented commmented"
},
"toRecipients": [{
"emailAddress": {
"address": "Alex#*******"
}
}]
},
"saveToSentItems": "false"
}
Response is 400 - Bad Request:
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"request-id": "4c5cc54c-e590-4d9f-903f-4bc9828da707",
"date": "2018-01-19T19:48:11"
}
}
}
I searched all over Stack Overflow but I could not find a solution. Can someone please help me? Thank you in advance.
When using client_credentials you cannot use the /me endpoint. Graph translates requests to /me as /users/{ID of the Authenticated User}. Since you do not have an "Authenticated User" when using Client Credentials (i.e. App-only) you cannot use /me here.
Also note that the response is an AuthenticationError. This suggests that you haven't gone through the Admin Consent process yet. Any application looking to leverage the Client_Credentials OAUTH flow must first have an Admin provide Consent for the Tenant. It isn't clear how you're retrieving your token but if you're using the v2 Endpoint you can follow this walk-though: v2 Endpoint and Admin Consent

Microsoft Graph SharePoint access items (read/write)

I am attempting to create a new list item in SharePoint Online using the [beta] Microsoft Graph endpoint. The goal is to call Microsoft Graph from an Outlook Add-in but the problem persists on Postman.
When I call the endpoint as per the documentation I get the following error message:
{
"error": {
"code": "unauthenticated",
"message": "The caller is not authenticated.",
"innerError": {
"request-id": "bb094f39-71c9-4c7d-9d9b-913cc9622baf",
"date": "2017-08-08T11:32:02"
}
}
}
I'm using ADAL JS to fetch the authentication token and I initialized my AuthenticationContext with my tenantID. My app has the following permissions: offline_access, Sites.Read.All, Sites.ReadWrite.All, User.Read
2nd Edit - more details on readItem
I use the https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items endpoint with the {site-id} of my desired site from /sites and the {list-id} of the list from /sites/{site-id}/lists but this is the empty response I get:
{
"#odata.context": "https://graph.microsoft.com/...",
"value": []
}
If I try to to add /{item-id} to my original call to access specific item I receive this response:
{
"error": {
"code": "itemNotFound",
"message": "The specified list was not found",
"innerError": {
"request-id": "6e7ccae3-3aee-4dbb-ae3e-de61250478e0",
"date": "2017-08-09T13:13:33"
}
}
}
Which doesn't make sense because I can retrieve valid information about the list if i make the call without /items/..
Any and all input appreciated :) I'll gladly provide more code, this is all I deemed relevant and didn't want to overcrowd the post.
might be that you actually don't have an item with that id, since https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items/1 works for me.
test the id's you really have by just https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items and each item returns it's id.

Resources