Microsoft Graph API Errors for ServiceNow - microsoft-graph-api

I am integrating ServiceNow with Teams specifically to push notifications to users and channels using microsoft graph api.
Issue #1 -
I have configured an OAuth profile for azure app to utilize microsoft graph API, setup required API permissions and calling various chat related API functions. For 'Create Chat' request I am getting below error:
responseBody: {
"error": {
**"code": "UnknownError",**
"message": "",
"innerError": {
"date": "2021-01-29T09:20:53",
"request-id": "90a99bf5-048f-445b-b58c-ee46fc30edf3",
"client-request-id": "90a99bf5-048f-445b-b58c-ee46fc30edf3"
}
}
}
API call -
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setHttpMethod("POST");
restMessage.setEndpoint("https://graph.microsoft.com/beta/chats");
restMessage.setRequestHeader('Content-Type', 'application/json');
restMessage.setRequestHeader('Authorization', 'Bearer ' + retrieveToken()); //retrieveToken() function creates access token.
restMessage.setAuthenticationProfile('oauth', 'a5325df007022010f60df7fc7c1ed0a2');
restMessage.setRequestBody(global.JSON.stringify(
{"chatType": "oneOnOne","members":
[
{
"#odata.type": "#microsoft.graph.aadUserConversationMember",
"roles": ["owner"],
"user#odata.bind": "https://graph.microsoft.com/beta/users('<userID>')"
},
{
"#odata.type": "#microsoft.graph.aadUserConversationMember",
"roles": ["owner"],
"user#odata.bind": "https://graph.microsoft.com/beta/users('<userID>')"
}
]
}
));
var response = restMessage.executeAsync();
var responseBody = response.getBody();
gs.info('responseBody: '+responseBody);
Most of the suggestions are to set appropriate API permissions. This is already set correctly on Azure (both delegated and apppication permissions) and in OAuth entity scope in servicenow.
Issue #2 -
For the same setup instead of usign scripted API, I defined REST Message record and trying to get the token by clicking 'Get OAuth Token' related link and getting following error:
https://dev72030.service-now.com/oauth_redirect.do?error=invalid_client&error_description=AADSTS650053%3a+The+application+%27msgraph-client-app%27+asked+for+scope+%27**Chat.Read.All%27+that+doesn%27t+exist+on+the+resource**+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+b0b9ff39-fd1a-49c9-85fa-3c8c71943600%0d%0aCorrelation+ID%3a+9c276922-3a77-4cc1-890b-23177ffd1845%0d%0aTimestamp%3a+2021-01-29+10%3a31%3a27Z&state=-1877865371#
This say I need to set 'Chat.Read.All' API permission. This is already provided on both sides, Azure app and OAUth profile in SNOW.
What am I missing


Could you please check this docs? For second issue: Could you please check the permissions on src by going through the jwt.io

Related

Add user in Azure AD using Microsoft Graph API

I am trying to add user using Microsoft graph API.
I have provided the consent for all the permissions required.
POST https://graph.microsoft.com/v1.0/users
Request body that is send to the post request.
{
"accountEnabled": true,
"displayName": "Adele Vance",
"mailNickname": "AdeleV",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Error that is received in response
{
"error": {
"code": "",
"message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:0ff49e4749deeaf2')/profile?api-version=AGSV1-internal'.",
"innerError": {
"date": "2021-02-04T10:41:56",
"request-id": "025218e1-191c-464f-adf3-f0cdc5fcebfd",
"client-request-id": "c071d220-2f14-d7fa-956e-cd45ccbdc735"
}
}
}
Is there something that I am missing?
I have also gone through the docs for adding user provided by Microsoft.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http

What you said in the comment is correct, the document has detailed instructions, it does not support Microsoft personal accounts.

You will have to check the end point are you using to authorize in order to obtain the token.
If you are using a tenant specific end point
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
Try replacing with the common endpoint
https://login.microsoftonline.com/common/oauth....

Create Team, 400 Bad Request, Required functionality is not supported

I'm trying to create a Microsoft Teams team in Migration mode via the Graph API. However I get a 400 response that I can't figure out. The query is shared in the link below.
Shared Query
For those that don't want to view it that way, here is my request:
POST https://graph.microsoft.com/beta/teams
Authorization: Bearer ...
Content-Type: application/json
{
"#microsoft.graph.teamCreationMode": "migration",
"template#odata.bind": "https://graph.microsoft.com/beta/teamsTemplates(\u0027standard\u0027)",
"displayName": "SlackMigrationTest",
"description": "testing slack migrations",
"createdDateTime": "2021-01-14T00:00:00.000Z"
}
I created this based on the microsoft doc here.
The reponse I get is:
The remote server returned an error: (400) Bad Request.
{
"error": {
"code": "BadRequest",
"message": "Required functionality is not supported.",
"innerError": {
"date": "2021-01-20T15:51:21",
"request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05",
"client-request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05"
}
}
}
I'm sure its something obvious that I'm missing but any help would be greatly appreciated.

Here you are using the User Context token and trying to make the call. This API call only works in Application context as shown in the below screenshot.
So use Client Credential flow and set Application permissions and then make a call.
As you can see below, it worked for me with App token.
You cannot test it in graph explorer because the Graph Explorer gets user token.

Cannot update oauth2PermissionGrants using graph.microsoft.com

Using https://graph.microsoft.com/beta/oauth2PermissionGrants I now cannot use POST to update B2C apps to grant them access to API's due to an error : Missing property: expiryTime
We've been using the BETA endpoint to update our B2C apps to grant them access to various API's using a Powershell script I created however in the last week or so something has changed on the back end as we now receive an error when attempting a POST : Missing property: expiryTime. The expirytime however is present in the JSON.
We can POST via graph.windows.net using the same JSON so this is something specific to the BETA endpoint. When querying the App's Oauth2permissiongrants I also cannot see the expirytime or starttime using graph.microsoft.com for some reason.
Please see the code below and let me know if I can answer any questions.
https://developer.microsoft.com/en-us/graph/graph-explorer#
POST https://graph.microsoft.com/beta/oauth2PermissionGrants
{
"clientId": "APP servicePrincial ObjectID",
"consentType": "AllPrincipals",
"expiryTime": "2030-05-12T19:34:28.9831598Z",
"principalId": null,
"resourceId": "02bccee7-8958-4e5e-89c7-466a5370a205",
"scope": "user_impersonation"
}
{
"error": {
"code": "Request_BadRequest",
"message": "Missing property: expiryTime",
"innerError": {
"request-id": "b15edafa-1415-4430-9d89-5ea3fb824f9c",
"date": "2019-09-16T11:29:39"
}
}
}

Office API getAccessTokenAsync result yields InvalidAuthenticationToken response from Graph

i have been trying to tackle this issues for a while now, i am workin on an Office-js addin for Outlook and is trying to access Microsoft Graph data through my addin.
But i have been unable to authenticate the token i recieve from getAccessTokenAsync.
If i attempt to use the authenticator from Office-JS-Helpers i can get access, but i would prefer to use the built in function of the addin for it.
the code i am trying to use is this:
Office.initialize = () => {
var options = { forceAddAccount: true, forceConsent: true } as Office.AuthOptions;
Office.context.auth.getAccessTokenAsync(options, getAccessTokenAsyncCallback);
}
function getAccessTokenAsyncCallback(accessTokenResponse) {
console.log(accessTokenResponse.value)
client = MicrosoftGraph.Client.init({
authProvider: (done) => {
done(null, accessTokenResponse.value);
},
debugLogging: false
})
client.api("/me")
.get((err, res, rawResponse) => {
console.log(err)
console.log("rawResponse")
console.log(rawResponse)
})
}
and my WebApplicationInfo in my manifest is:
<WebApplicationInfo>
<Id>{AppUID}</Id>
<Resource>api://localhost:3000/{AppUID}</Resource>
<Scopes>
<Scope>profile</Scope>
<Scope>user.read</Scope>
</Scopes>
</WebApplicationInfo>
</VersionOverrides>
and the rights has been set up in my app on the Application Registration Portal.
as far as i can see when validating/decoding the JSON Web Token i recieve from getAccessTokenAsync, it should be valid.
but whenever i try to connect using this token i get this response:
{
"statusCode": 401,
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"requestId": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
"date": "2018-08-30T05:37:43.000Z",
"body": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "4a0ce952-0e90-XXXXXXXXX-db20c6cca94e",
"date": "2018-08-30T07:37:43"
}
}
}
i simply can't figure out what the issue is here, am i wrong in that the token returned from getAccessTokenAsync is the one i need for this?
oh yes and i am running up against an Office365 environment with Outlook 2016 version 1807 build 10325.20118 click to run

The token that is returned by getAccessTokenAsync, called the bootstrap token, does NOT give your add-in access to MS Graph directly. Instead it gives the Office host application, Outlook in this case, access to your add-in's web application. Your add-in's web application then uses that token to get an access token to Microsoft Graph. It does this by using the "on behalf of" OAuth flow. Please see the extensive documentation at this node: SSO in Office Add-ins and, for Outlook-specific guidance, also see Authenicate a user in an Outlook Add-in with an SSO token.

InvalidAuthenticationToken Error : when Using office365 planner Tasks API

I am trying to get my office365 planner task using the Microsoft Graph API but I am getting below error:
GET https://graph.microsoft.com/beta/me/tasks
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Bearer access token is empty.",
"innerError": {
"request-id": "4f209643-f3f6-4256-87b7-cf4f2fd489eb",
"date": "2016-05-16T09:03:33"
}
}
}

The error message is pretty self-explanatory,
"message": "Bearer access token is empty."
You need to be authenticated before you can make this RESTful API call.
If you're developing your own app, follow this tutorial to learn about OAuth2 workflow,
http://graph.microsoft.io/en-us/docs/platform/rest
If you're using Graph Explore, make sure you're logged in before call that API.

I use this Controller's action code for granting admin consent:
//<Summary>
//Used to grant admin consent to Azure AD apps
//</Summary>
public virtual ActionResult AdminConsentApp()
{
string strResource = "https://graph.microsoft.com";
string strRedirectController = "https://localhost:[my local debug port number]";
string authorizationRequest = String.Format(
"https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&prompt={3}",
Uri.EscapeDataString(SettingsHelper.ClientId),
Uri.EscapeDataString(strResource),
Uri.EscapeDataString(String.Format("{0}", strRedirectController)),
Uri.EscapeDataString("admin_consent")
);
return new RedirectResult(authorizationRequest);
}
Hope this help,
Cheers, Danfer.

Resources